Intrusion Detection and Prevention
IPS in Kerio Control
Kerio Control, a Unified Threat Management solution, incorporates a signature-based packet analysis architecture known as Intrusion Detection and Prevention (IPS), which transparently monitors inbound and outbound network communication to identify suspicious activity. Depending on the severity of the activity, Kerio Control can log and block the communication. New signatures are regularly added to the rules database to defend against emerging threats.
The system is designed to protect servers behind the firewall from unauthorized connections, typically originating from an Internet bot or attacker trying to exploit an exposed service. The IPS is also designed to protect network users from unknowingly downloading malicious content or malware, and to mitigate the effects of a compromised system.
In many deployments, servers are placed behind the firewall, and only those services being hosted can receive connections. Depending on the type of service hosted (e.g. an SQL server), the firewall may not have the ability to inspect the actual conversation taking place between a client and the server. The firewall is primarily responsible for ensuring that the connection is established to the intended service, without allowing any other type of backdoor access to other services available on the server. What this type of configuration does not address is the threat of a request or command that exploits a vulnerability in the server software itself.
Perhaps the best-known incident of this type of attack occurred in 2001, when a worm was developed to attack systems running the web server software Microsoft Internet Information Server (IIS). Labeled "Code Red", the worm was programmed to send a series of commands through the HTTP service that would cause a buffer overflow in the memory space of the server software. This allowed the attacker to inject and execute arbitrary code on the server. Part of this code included the ability to rapidly redistribute itself by infecting other servers running Microsoft IIS. This specific attack resulted in a denial of service to the affected server.
Adding the IPS layer
Keeping server software updated is critical to protecting server applications from this type of threat. Application vendors regularly update their software to patch security vulnerabilities. In some cases, however, it may not be possible to update to the latest version of the software, or the vendor may not yet have a fix for an emerging threat. Adding an Intrusion Prevention System provides an extra layer of security to protect against threats such as the Code Red worm.
The IPS maintains a local database of signatures, which it uses to identify known types of attacks. Without interpreting the communication between a client and server, the IPS can generate a signature of the network connection and search for this signature in its local database. This type of architecture is highly effective at combating the threat of a worm or other server-based attack.
Other types of server attacks include password guessing (brute force), distributed denial of service, port scans and session hijacking. These types of attacks generally begin with attempts to obtain information about the server software, such as the version and developer. With this information, the attacker can research vulnerabilities in the server software and attempt to gain unauthorized access to the system, or perform malicious actions to prevent the server from functioning properly. In all of these cases, the IPS notifies the administrator of the suspicious activity, and blocks the communication if it is known to cause harm to the servers protected by the firewall.
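Password guessing and port scans are not single malicious packets but patterns across many connections, so they are typically detected by counting events per source within a time window rather than by matching one payload. The following is an added illustration of that approach, not Kerio Control's own detection logic; the log format, thresholds (5 failed logins or 10 distinct destination ports within 60 seconds) and the sample log lines are all constructed for the example, using RFC 5737 documentation addresses.

```python
"""Threshold-based detection of brute-force logins and port scans over a
constructed connection log. Added illustration; not Kerio Control code.
The log format, thresholds and sample lines are all assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5   # failed logins from one source to one host in WINDOW
PORT_SCAN_THRESHOLD = 10    # distinct destination ports from one source in WINDOW
WINDOW = timedelta(seconds=60)

# Constructed sample log: one brute-force source, one scanning source,
# and one benign client whose two events are far apart in time.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} src=203.0.113.5 dst=192.0.2.10 dport=22 event=auth_fail"
    for i in range(1, 7)
] + [
    f"2024-05-01T10:00:{10 + i:02d} src=198.51.100.7 dst=192.0.2.10 dport={20 + i} event=connect"
    for i in range(12)
] + [
    "2024-05-01T10:05:00 src=198.51.100.9 dst=192.0.2.10 dport=443 event=connect",
    "2024-05-01T10:30:00 src=198.51.100.9 dst=192.0.2.10 dport=443 event=auth_fail",
]


def parse_line(line: str) -> dict:
    """Parse '<iso-timestamp> key=value ...' into a dict (constructed format)."""
    ts_text, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["dport"] = int(rec["dport"])
    return rec


def _trim(window: deque, now: datetime, ts_of) -> None:
    """Drop entries older than WINDOW from the left of a time-ordered deque."""
    while window and now - ts_of(window[0]) > WINDOW:
        window.popleft()


def detect(lines):
    """Return alerts as (kind, src, dst, timestamp), one alert per (kind, src, dst)."""
    fails = defaultdict(deque)   # (src, dst) -> timestamps of auth_fail events
    ports = defaultdict(deque)   # (src, dst) -> (timestamp, dport) of any event
    alerts, raised = [], set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        key, now = (rec["src"], rec["dst"]), rec["ts"]

        # Brute force: too many failed logins in the sliding window.
        if rec["event"] == "auth_fail":
            q = fails[key]
            q.append(now)
            _trim(q, now, lambda t: t)
            if len(q) >= BRUTE_FORCE_THRESHOLD and ("brute_force", key) not in raised:
                raised.add(("brute_force", key))
                alerts.append(("brute_force", rec["src"], rec["dst"], now))

        # Port scan: too many distinct destination ports in the sliding window.
        q = ports[key]
        q.append((now, rec["dport"]))
        _trim(q, now, lambda entry: entry[0])
        if len({p for _, p in q}) >= PORT_SCAN_THRESHOLD and ("port_scan", key) not in raised:
            raised.add(("port_scan", key))
            alerts.append(("port_scan", rec["src"], rec["dst"], now))
    return alerts


if __name__ == "__main__":
    for kind, src, dst, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:12s} {src} -> {dst}")
```

The `raised` set keeps each (kind, source, destination) alert from firing on every subsequent packet once the threshold is crossed; a production IPS would instead expire the suppression and feed the alert into its block list.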
Mitigating the effects of Trojans, Worms, Spyware and other Malware
Aside from exploiting vulnerable applications through their exposed services, there are other ways to compromise an operating system. One of the more common approaches used by an attacker is to piggyback an application on top of free software. The user is deceived into installing malware through the installation of another application, or simply by visiting a website that runs a client-side script to install the malware. These types of applications may not be apparent to the user, but can be programmed to expose sensitive corporate information found on the infected computer. They can also degrade the performance of a computer, or cause other applications to fail. As these programs may appear to be legitimately installed, they may not be identified by antivirus software.
An Intrusion Prevention System is instrumental in identifying systems that are infected by these types of applications. The IPS can identify that the user is inadvertently attempting to download an unwanted application and can close the connection, preventing the file from reaching the end user's computer. If a previously infected computer is brought onto the network, the IPS can also identify and block the activity of the installed malware. The IPS in Kerio Control thus works in tandem with the firewall and content filtering capabilities to prevent the spread of malware on the network.
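The two mechanisms described above, matching requests aimed at a protected server against a signature database and matching content flowing back to an internal user, are the same engine applied in two directions. The following is an added illustration of that engine, not Kerio Control's code or rule format: the three signatures (an oversized HTTP URI of the kind that triggers buffer overflows, an `OPTIONS *` fingerprinting probe, and an executable served under a `text/html` content type), the severity-to-action policy and the sample packets are all constructed for the example.

```python
"""Signature-based inspection with a severity-driven log/block policy.
Added illustration; not Kerio Control's engine or rule format. The rule
ids, patterns, severities and sample packets are all constructed."""
import re
from dataclasses import dataclass

ALLOW, LOG, BLOCK = "allow", "log", "block"
TO_SERVER, TO_CLIENT = "to_server", "to_client"   # traffic direction relative to the protected hosts


@dataclass(frozen=True)
class Signature:
    sid: int             # rule id (constructed numbering)
    name: str
    direction: str       # TO_SERVER: toward a protected server; TO_CLIENT: toward an internal user
    pattern: re.Pattern  # regex applied to the raw payload bytes
    severity: str        # "low", "medium" or "high"


# Constructed rule database. A real IPS rule set is far larger and is
# updated by the vendor; these three only illustrate the mechanism.
SIGNATURES = [
    Signature(1001, "HTTP request with oversized URI (overflow-style)", TO_SERVER,
              re.compile(rb"^(?:GET|POST|HEAD) /\S{240,}"), "high"),
    Signature(1002, "HTTP OPTIONS * probe (server fingerprinting)", TO_SERVER,
              re.compile(rb"^OPTIONS \* HTTP/1\.[01]"), "low"),
    Signature(1003, "Executable body served as text/html (disguised download)", TO_CLIENT,
              re.compile(rb"Content-Type: text/html.*?\r\n\r\nMZ", re.DOTALL), "medium"),
]

# Severity-to-action policy: low-severity hits are only logged, the rest are blocked.
POLICY = {"low": LOG, "medium": BLOCK, "high": BLOCK}


def inspect(payload: bytes, direction: str):
    """Return [(sid, action), ...] for every signature matching this payload/direction."""
    return [(sig.sid, POLICY[sig.severity]) for sig in SIGNATURES
            if sig.direction == direction and sig.pattern.search(payload)]


def verdict(payload: bytes, direction: str) -> str:
    """Collapse the hits into one decision: any block wins, else log, else allow."""
    hits = inspect(payload, direction)
    if any(action == BLOCK for _, action in hits):
        return BLOCK
    return LOG if hits else ALLOW


# Constructed sample packets: (direction, raw payload).
SAMPLE_PACKETS = [
    (TO_SERVER, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (TO_SERVER, b"GET /" + b"N" * 300 + b" HTTP/1.0\r\n\r\n"),
    (TO_SERVER, b"OPTIONS * HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (TO_CLIENT, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
    (TO_CLIENT, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nMZ\x90\x00\x03"),
]


def run_samples():
    """Verdict for each sample packet, in order."""
    return [verdict(payload, direction) for direction, payload in SAMPLE_PACKETS]


if __name__ == "__main__":
    for (direction, payload), decision in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{direction:10s} {decision:6s} {payload[:40]!r}")
```

Gating each signature on direction is what lets one rule database serve both roles the text describes: request rules are never evaluated against responses, and a download rule such as 1003 never fires on traffic headed to a protected server.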