Wednesday, April 23, 2008

Intrusion Prevention Systems (IPS)

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are a significant growth area in the security market today -- and there's no sign of a slowdown.

Intrusion prevention systems (IPS) were developed in the late 1990s to resolve a limitation of passive network monitoring: a detector that only watches a copy of the traffic can alert on an attack but cannot stop it. Placing the detection engine in-line lets it drop the traffic it classifies as malicious. Compared with traditional firewalls, which make access control decisions on IP addresses and ports, an IPS decides on application content. Because IPS was originally a literal extension of intrusion detection systems, the two remain closely related.

IP Security and NAT
Despite popular wisdom, IPsec and NAT can be employed together, in some configurations. We explore what you can do and what you can't, and the limitations inherent in today's solutions. One question asked frequently by those planning to implement virtual private networks concerns the ability to combine IP security (IPsec) and Network Address Translation (NAT). Many have heard rumors and war stories about incompatibilities between IPsec and NAT. Others have seen vendors who successfully combine IPsec and NAT within a single product flatly deny that any incompatibility exists.

What is Network Address Translation?
Most ISP admins are familiar with NAT (RFC 1631) and its many incarnations. Originally developed as an interim solution to combat IPv4 address depletion, NAT maps IP addresses from one realm to another, most often by mapping private IPs to public IPs.
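The core of the IPsec/NAT conflict can be shown in a few lines. The following is an added example, not code from the original article: it models a NAT rewrite of the source address and two simplified integrity checks, one AH-style ICV that covers the immutable IP header fields plus the payload, and one ESP-style ICV that covers only the ESP payload. Real AH and ESP use the RFC-defined header layouts and SA-negotiated keys; here the header is reduced to the two addresses, the key is a constructed constant, and HMAC-SHA256 stands in for the negotiated integrity algorithm. The NAT mapping and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict

# Constructed shared key for the simulated security association (assumption).
SA_KEY = b"example-ipsec-sa-key"

# Constructed NAT table: private address -> public address (assumption).
NAT_MAP: Dict[str, str] = {"192.168.1.10": "203.0.113.5"}


def ip_header(src: str, dst: str) -> bytes:
    """Reduced 'IP header': just the source and destination addresses, packed."""
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


def header_src(header: bytes) -> str:
    """Read back the source address from the reduced header."""
    return str(ipaddress.IPv4Address(header[:4]))


def ah_icv(header: bytes, payload: bytes) -> bytes:
    """AH-style ICV: covers the (immutable) header fields AND the payload."""
    return hmac.new(SA_KEY, header + payload, hashlib.sha256).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP-style ICV: covers only the ESP payload, never the outer IP header."""
    return hmac.new(SA_KEY, payload, hashlib.sha256).digest()


def nat_rewrite(header: bytes, mapping: Dict[str, str]) -> bytes:
    """Rewrite the source address the way a NAT device does on the way out."""
    src = header_src(header)
    return ipaddress.IPv4Address(mapping.get(src, src)).packed + header[4:]


def ah_survives_nat(src: str, dst: str, payload: bytes, mapping: Dict[str, str]) -> bool:
    """Sender computes the AH ICV before NAT; receiver recomputes over what arrived."""
    sent_header = ip_header(src, dst)
    icv_from_sender = ah_icv(sent_header, payload)
    arrived_header = nat_rewrite(sent_header, mapping)
    return hmac.compare_digest(icv_from_sender, ah_icv(arrived_header, payload))


def esp_survives_nat(src: str, dst: str, payload: bytes, mapping: Dict[str, str]) -> bool:
    """Same transit, but the ESP ICV ignores the outer header, so NAT cannot break it."""
    sent_header = ip_header(src, dst)
    icv_from_sender = esp_icv(payload)
    nat_rewrite(sent_header, mapping)  # header changes; ICV input does not
    return hmac.compare_digest(icv_from_sender, esp_icv(payload))


if __name__ == "__main__":
    payload = b"constructed VPN payload"
    print("AH through NAT :", ah_survives_nat("192.168.1.10", "198.51.100.7", payload, NAT_MAP))
    print("ESP through NAT:", esp_survives_nat("192.168.1.10", "198.51.100.7", payload, NAT_MAP))
    print("AH, no NAT     :", ah_survives_nat("10.0.0.1", "198.51.100.7", payload, {}))
```

The AH case fails whenever the mapping actually changes the address, and passes untouched traffic, which is why the practical advice is to use ESP (not AH) across a NAT boundary. Note the caveat the simplified model hides: ESP also encrypts the TCP/UDP ports, so a port-translating NAT cannot demultiplex several ESP flows behind one public address; that is the problem NAT-Traversal (UDP encapsulation of ESP, RFC 3948) was later defined to solve.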

The Intrusion Prevention System (IPS) feature set of Cisco IOS® contains several vulnerabilities.
These include:

Fragmented IP packets may be used to evade signature inspection.

IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause a router to crash, resulting in a denial of service.

There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available to address these vulnerabilities for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20070213-iosips.shtml.


Cisco IOS IPS Security Bypass and Denial of Service
Two vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

1) Cisco IOS IPS signatures using regular expressions may not correctly identify malicious traffic within fragmented IP packets. This can be exploited to bypass the detection mechanism by sending specially crafted, fragmented IP packets.

2) An error exists within the ATOMIC.TCP scanning mechanism and signatures, which use regular expressions (e.g. Signature 3123.0 for Netbus Pro Traffic). This can be exploited to crash a device by producing specially crafted network traffic.
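The first of these two problems, and the Cisco advisory's "fragmented IP packets may be used to evade signature inspection" item above, both describe the same failure mode: a signature engine that matches each fragment on its own cannot see a pattern that straddles a fragment boundary. The following is an added example, not Cisco code and not a real Cisco signature: a toy regex "signature", a constructed HTTP request, a helper that fragments the request exactly where an attacker would (in the middle of the matched string), and two inspection strategies, per-fragment and reassemble-then-match. The request and signature bytes are constructed sample data.

```python
import re
from typing import List, Pattern, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the original datagram, data)

# Constructed sample signature and request (assumption; not a Cisco signature definition).
SIGNATURE: Pattern[bytes] = re.compile(rb"cmd\.exe")
REQUEST = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\nHost: victim\r\n\r\n"


def fragment_at(payload: bytes, cut_points: List[int]) -> List[Fragment]:
    """Split payload into contiguous fragments at the given ascending byte offsets."""
    frags: List[Fragment] = []
    start = 0
    for cut in sorted(cut_points) + [len(payload)]:
        if cut > start:
            frags.append((start, payload[start:cut]))
            start = cut
    return frags


def evasive_fragments(payload: bytes, needle: bytes) -> List[Fragment]:
    """Attacker's choice of boundary: cut so that `needle` straddles two fragments."""
    i = payload.find(needle)
    if i < 0:
        raise ValueError("needle not present in payload")
    return fragment_at(payload, [i + len(needle) // 2])


def inspect_per_fragment(frags: List[Fragment], sig: Pattern[bytes]) -> bool:
    """Naive engine: runs the signature over each fragment in isolation."""
    return any(sig.search(data) is not None for _, data in frags)


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the datagram, refusing gaps and overlaps (overlap handling is its own evasion topic)."""
    buf = bytearray()
    for offset, data in sorted(frags, key=lambda f: f[0]):
        if offset != len(buf):
            raise ValueError(f"gap or overlap at offset {offset}")
        buf += data
    return bytes(buf)


def inspect_reassembled(frags: List[Fragment], sig: Pattern[bytes]) -> bool:
    """Correct engine: reassemble first, then run the signature once over the whole datagram."""
    return sig.search(reassemble(frags)) is not None


if __name__ == "__main__":
    frags = evasive_fragments(REQUEST, b"cmd.exe")
    for offset, data in frags:
        print(f"fragment @{offset:3d}: {data!r}")
    print("per-fragment match :", inspect_per_fragment(frags, SIGNATURE))   # evaded
    print("reassembled match  :", inspect_reassembled(frags, SIGNATURE))    # detected
```

The evasion works against any engine whose regex state is reset per fragment; the fix is not a better regex but reassembly before inspection (or carrying match state across fragments). A production engine must also decide what to do when fragments overlap or conflict, because endpoints resolve overlaps differently and an inspector that guesses wrong can be evaded the same way; the toy `reassemble` simply rejects such input.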


TippingPoint Intrusion Prevention Systems
The TippingPoint Intrusion Prevention System (IPS) delivers the most powerful network protection in the world. The TippingPoint IPS is an in-line device that is inserted seamlessly and transparently into the network. As packets pass through the IPS, they are fully inspected to determine whether they are legitimate or malicious. This instantaneous form of protection is the most effective means of preventing attacks from ever reaching their targets.

1 comment:

venugopal said...

The content of the article was in good detail. I hope you'll keep posting nice-to-read blogs and informative articles. Thanks for sharing a nice one. Great job. Intrusion Protection