I was reminded recently of a session at a White Hat hacker’s event where the presenter was describing techniques for compromising servers protected by an IPS or internal firewall. Since the attack was coming from a system connected to the access edge of the network, the Internet firewall was not in play. The techniques for this insider attack involved probing the IPS with multiple evasion techniques to find one that would fool it into passing the attack packet to the server. I don’t remember the exact techniques, but I do remember having a nagging feeling that something was wrong with the scenario. I began to wonder why the attacker ever got to try a second attack. As soon as an attack was detected by the IPS, shouldn’t the attacking system have been isolated to prevent further attacks?
The scenario the presenter was describing was a little like a homeowner being asleep and hearing a noise in the living room. He goes downstairs to investigate and finds someone walking toward the front door with his brand-new flat-screen TV. The homeowner stops the burglar and tells him to put it back. When he is satisfied that it is safely back on its stand, he goes back upstairs and goes to sleep, leaving the burglar standing in the middle of the living room. Chances are excellent that the homeowner will not be watching morning TV on his new flat-screen TV. We can congratulate him for stopping the initial theft, but it would have been much better if he had also removed the burglar from his house.
The problem is really a function of the way a traditional IPS works. In traditional IPS solutions, the point of detection and the point of enforcement are the same: both are an interface on the IPS appliance. This allows the IPS to detect and stop the attack, but unfortunately it also leaves the attacker connected to the network and free to try other attacks. If an attacker has enough time to gather information and try different techniques, he will eventually succeed. A better approach is to distribute the enforcement point to the network access edge ports. This Distributed IPS solution still detects the attack and drops the attack packet at the IPS appliance, but it also automatically identifies the switch port or wireless AP the attacker is attached to and quarantines him there. If we have deployed NAC, we can integrate it into the solution and blacklist the attacker's username and/or MAC address. If he changes locations and plugs into another port, he will still be blacklisted and will not be able to mount another attack.
In this Distributed IPS scenario the networked servers are protected and our hypothetical homeowner would get to watch morning television on his new flat screen TV.