Friday, January 1, 2010

IPS - Need for C based rules & Distribution

Rule based attack detection (signature based detection) is one of the popular methods used by network IPS devices. Rules are typically written in a proprietary format and look for patterns in different parts of the packet or in processed protocol data. When a new vulnerability disclosure is made, IPS vendors typically write a new rule and update their central distribution servers. IPS devices are typically configured to download rules from the central servers on a periodic basis, and the new rules let them detect the new attacks. The IPS device's interpreter converts the rules into its native format and starts analyzing traffic with the converted rules. Note that these rules are not executables: no image change is made when the rules are downloaded.

Many new attacks are complex and sophisticated, and typical rule based detection is not possible in these cases. In the last few years, the number of attacks that can't be detected using signatures has been increasing. It appears that protection signatures could not be developed for more than 10% of the new attacks disclosed last year. This is a big number. Some IPS devices detect these attacks by changing the firmware image. But a firmware image can't be pushed without testing it thoroughly, which may take a few weeks to months. Until then the customers have no protection. This is certainly not acceptable.

IPS vendors need to adopt mechanisms similar to those of AV vendors. That is, protections developed in the C language need to be deployed to IPS devices through the signature distribution mechanism. Since these protections are written in C, any problem in their logic can bring down the whole system. So it is important that the IPS device be able to run C based protections in a manner where the system recognizes a bad C based protection and disables it automatically when the IPS system comes back up. The bring-up time of the IPS system in these scenarios should be as small as possible. This is one of the reasons I believe the IPS should run in Linux user space rather than in kernel space or in some real-time operating system: a process can be brought up easily and faster, and it is easy to recognize bad protections and disable them when the IPS, implemented as a user process, comes back up.

It is also important that the current state not be affected when C based protection rules are downloaded. Many IPS vendors implement these C based protections as Linux shared objects (.so). When these rules are downloaded, a signal can be sent to the IPS process to load them.
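As an added example (not from the original post or any vendor's product) of the idea in the two paragraphs above, that a bad C based protection must be recognized and left disabled when the IPS comes back up: a small C loader that journals each shared-object load to disk before attempting it and marks the module stable only after it has survived a grace period, so a module still marked PENDING after a restart is the one that took the process down and stays disabled. The journal path, state names and function names are my own assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Append-only journal of module load events, one "<name> <state>" line each;
 * the last line for a name wins. PENDING = load begun but not yet proven,
 * OK = the module ran through its grace period without taking the IPS down. */
static int journal_append(const char *journal, const char *name, const char *state) {
    FILE *f = fopen(journal, "a");
    if (!f) return -1;
    fprintf(f, "%s %s\n", name, state);
    return fclose(f);   /* record is on disk before the risky step that follows */
}
/* Copy the latest state recorded for name into out; -1 if never journaled. */
static int journal_last_state(const char *journal, const char *name, char *out, size_t outlen) {
    char line[160], n[64], s[32];
    int found = -1;
    FILE *f = fopen(journal, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "%63s %31s", n, s) == 2 && strcmp(n, name) == 0) {
            snprintf(out, outlen, "%s", s);
            found = 0;
        }
    fclose(f);
    return found;
}
int journal_reset(const char *journal) {   /* start with an empty journal */
    FILE *f = fopen(journal, "w");
    return f ? fclose(f) : -1;
}
/* A module is loadable if never tried or proven stable. A PENDING record seen
 * at startup means the previous process died with it loaded: leave it disabled. */
int protection_loadable(const char *journal, const char *name) {
    char state[32];
    if (journal_last_state(journal, name, state, sizeof state) < 0) return 1;
    return strcmp(state, "OK") == 0;
}
/* Returns 1 if loaded, 0 if skipped as suspect, -1 on journal error. */
int load_protection(const char *journal, const char *name) {
    if (!protection_loadable(journal, name)) return 0;
    if (journal_append(journal, name, "PENDING") < 0) return -1;
    /* A real loader would dlopen(name, RTLD_NOW) here and register the module's
     * callback; if that crashes the process, PENDING is what survives on disk. */
    return 1;
}
/* Called once the module has handled live traffic for the grace period. */
int mark_protection_stable(const char *journal, const char *name) {
    return journal_append(journal, name, "OK");
}
```

Because the journal is appended and flushed before the load is attempted, the recovery decision needs no in-memory state from the crashed process, which is what keeps the bring-up path short.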

In summary, it is a given that some attacks can only be detected by C based logic. As an IT person, ensure that your IPS can download C based rules using the normal signature distribution mechanism.
