Next Generation IPS and Reputation Services
Richard Stiennon
Chief Research Analyst
IT-Harvest
REPUTATION IS REQUIRED FOR EFFECTIVE IPS
Reputation has become an effective and required ingredient for many aspects of security. Using a large database of known suspicious or bad source IP addresses, even URLs, has made dramatic improvements to spam filters and web security gateways. Now reputation is beginning to be used to improve the effectiveness of Intrusion Prevention Systems (IPS). How these systems employ reputation will be the determining factor in the success of any IPS solution.
Anti-spam vendors have long used reputation. Through a series of honey pots (email accounts set up to capture spam samples) it is possible to quickly identify the sources of spam, usually infected hosts belonging to consumers with broadband access. The behavior of such a spam bot is easy to identify as it spews millions of spam messages. Once identified, it is simple to quickly update anti-spam solutions with a list of spam sources that are automatically blocked. This saves on processing requirements, as the individual messages do not need to be investigated. Dropping connections from a list of known bad sites is one of the fastest functions, and thus one of the least demanding on network gear.
Secure web gateways also rely on reputation to quickly identify sources of malware and block access to URLs that are known to contain malware.
Discovering malicious URLs, however, needs a different approach. Honey pots (passive email accounts) are not effective at discovering sources of malware. Likewise, a link-following web crawler such as Google's is not effective. Most reputation services for identifying malicious sites rely on a large install base of deployed appliances that report new URLs and their associated behavior back to a central database for automated inspection, backed up by teams of researchers for those sites that defy automated analysis. Through this technique a real-time list of bad URLs is formed and pushed back out to the secure web gateways for blocking.
IPS signatures, however, are written to be general purpose and to block based on a category of potential exploits against known vulnerabilities; this can cause false positives and thus block legitimate connections. While IPS vendors strive to reduce these false positives and increase the effectiveness of their signature bases, they are also beginning to borrow from the success other solutions have had with reputation.
An example of how reputation services could protect an organization is provided by the recent attack against NASDAQ's Directors Desk service. Directors Desk is a service that NASDAQ offers to public companies whose stock is traded on the NASDAQ exchange: a third-party hosting solution for critical documents and communication generated by the boards of over 230 companies. There are over 10,000 users of the service. In February 2011 it was revealed that malware had been inserted into the Directors Desk portal. This is a common way for attackers to target high-value users. In this case, the users were high value in that they had access to valuable inside information and, from a cyber criminal's perspective, were likely to engage in high-value transactions on other platforms such as banking and stock trading sites. Infecting their machines to garner additional information on target organizations or to steal access credentials would justify the attack. Similar infections through ad-serving sites have been recorded. An IP reputation service, once the NASDAQ site had been identified as compromised through either publication or detection by continual IPS reputation evaluation, would have given system administrators early warning of the attack.
Reputation, if properly executed, can improve both the performance and accuracy of modern IPS solutions. Developing a reliable, scalable, and effective reputation service is the key to effective IPS and will quickly become a required function in next generation IPS.
This paper examines the IPS solutions that have begun to use reputation services, looking specifically at flexibility, effectiveness and performance. Of note, there are a number of IPS vendors that were not included in this study due to lack of a reputation solution.
Cisco
Cisco acquired IronPort, an email gateway anti-spam and protection vendor, in 2008. IronPort's strongest feature was the use of reputation to enhance the speed and accuracy of spam blocking. Cisco has incorporated some of IronPort's technology in its IPS, which is included in the Cisco ASA gateway device (note that the ASA is a firewall with a separate card that can be configured to provide either anti-virus delivered from Trend Micro or Cisco's own IPS service).
Cisco's Global Correlation is a cloud-based store of sources of attacks and provides threat scores from 1 to 10. Like all reputation services, it can also incorporate feeds of known attack sources and command and control servers that are provided by open source and private research teams.
Cisco derives reputation from its Sensor Base: all the IPS, firewall, web proxies, and IronPort gateways that have enrolled. The assigning of reputation scores from 1-10 is done automatically in the Cisco Security Information Operation (SIO), a cloud hosted database of signatures and reputations.
Cisco IPS is available in the stand-alone IPS 4200 series appliances and in Advanced Inspection and Protection (AIP) Security Service Modules or Security Service Cards (SSM or SSC) for the Cisco ASA 5500 series. Cisco Global Correlation is an update feed of IPS signatures and reputations, delivered every 3 to 5 minutes for lower reputation scores and immediately for any reputation data scored from 8 to 10.
Cisco IPS scores threats from 1 to 10, and in version 7.0 for the Cisco IPS appliances and 8.2 for ASA appliances reputation is used to enhance those scores. However, direct visibility into
HP
TippingPoint is the IPS technology that HP acquired along with 3Com in 2010. The HP TippingPoint Reputation Digital Vaccine (RepDV) is a product of HP DVLabs. Globally deployed sensors in its ThreatLinQ network, as well as customer IPS appliances, provide a constant stream of known attacks and misbehavior on the part of IP addresses. A threat score of 1 to 100 is applied, and IPS devices receive a constantly updated feed of both IP addresses and domains with associated threat scores. The database is aged and refreshed quickly (every two hours), which avoids unwarranted black-holing of innocent IPs.
The HP TippingPoint RepDV service is the most feature-rich reputation service we have investigated for IPS. In addition to the IP and domain reputations, an administrator can choose to block entire ranges of IP addresses based on country. Feeds are incorporated from numerous sources, including open source lists, SANS, and the ThreatLinQ database. Customers can add their own blacklists or modify feeds by whitelisting sources.
Customers also have access to the ThreatLinQ library of threat data to help understand why a particular IP address or domain has received its score. Reputation feeds are tagged with additional information that assists in setting policies. The source of the feed is one such tag, so, for instance, one could choose to apply one policy to threats reported by SANS and another policy to an internally generated blacklist.
A critical capability that is rapidly becoming one of the most important functions for IPS devices is the ability to detect and block communication from inside a network to known bad IP addresses. This anti-botnet feature, often called "beaconing detection," is one of the most powerful tools for countering Advanced Persistent Threats that have managed to infiltrate a network and are exfiltrating data to the command and control servers of cyber criminals or state-sponsored industrial spies.
Juniper Networks
Juniper Networks is another IPS vendor that has incorporated IP reputation into its IPS appliances.
Each deployed appliance can report new suspicious attack sources back to the cloud; these are incorporated into the threat database and pushed to all appliances subscribed to the service.
Juniper's management interface does not provide much visibility into how reputation is applied to come up with risk scores, and there is no ability for the administrator to add or change reputation rules.
TopLayer
TopLayer is an IPS and DDoS mitigation vendor. It depends on the SANS DShield service, which collects log data from IDS sensors deployed around the world; TopLayer uses this data to create a list of IP addresses that are behaving poorly and then provides a feed to its IPS 5500 appliances.
Customers can choose to block traffic from those IP addresses. This improves performance by reducing the amount of traffic the IPS has to inspect. Threat scores are not created, so the service is binary in nature: either allow or deny, with no inherent ability to provide better judgement to IPS decisions. Thus it is not a full implementation of IPS reputation services.
McAfee
McAfee's IPS product is the Network Security Platform, an in-line appliance based on the technology acquired with the purchase of IntruVert. McAfee has incorporated reputation services derived from the network connection reputation service of its Global Threat Intelligence network.
Data is collected from a global network of participating devices and assigned a threat score based on association with bad behavior such as participation in a botnet or DDoS attack. IPS administrators can use these threat scores to determine what action to take based on policy.
McAfee shares with TippingPoint the ability to block communication to Command and Control servers by Advanced Persistent Threats.
IBM
IBM ISS's global filter database is one of the largest environments for cataloging and ranking the reputations of domains, URLs, and malicious content. It comprises over 1,000 clustered CPUs. It combines web crawling with open source lists as well as custom lists created from input by the X-Force research team. Customers can elect to set their IBM security products to report unclassified URLs as well. The core technology of the global filter database was acquired by ISS in 2004 with the purchase of the German company Cobion, an early innovator in the automatic classification of web sites.
The reputation database sends updates to IBM Security's web and email filtering products.
While the IBM Security IPS products, which are stand-alone IPS appliances, do not receive these updates, the IBM Proventia Multifunction Security Appliance does. The reputation scores are used to block spam and update the URL content filtering services of this UTM device.
CRITICAL FEATURES OF REPUTATION ENHANCED IPS
As reputation becomes recognized as a game-changing way to enhance the efficiency, reliability, and effectiveness of IPS products, IT-Harvest has identified the following components of best-in-class use of reputation for IPS.
Reputation intelligence gathered from customer networks. IPS appliance vendors have the opportunity to collect reputation data from their deployed base. The size and distribution of that base is key to feeding the reputation database and refining negative reputation scores. Customer networks see real attacks coming from malicious source IP addresses, so this capability is much more effective than web crawlers or honey pots.
Feeds from third parties. There are many open source lists of malicious hosts and command and control servers, such as Spamhaus, Domain Name System real-time black lists (DNSBLs), and ShadowServer.org. A key feature is the ability to accept feeds from these organizations into the IPS reputation service.
Policy based on reputation score. Every IPS needs tuning based on the types of assets being protected within an organization as well as the types of services and attacks that need to be allowed or denied. Setting policy based on the scoring provided by the reputation service enhances the administrator's ability to eliminate false positives and ensure blocking of as much suspicious traffic as possible.
Knowledgebase. It is valuable to understand the reputation scores of individual attack sources. Vendors should make it easy to navigate their knowledgebase so that the administrator has full knowledge of the reason a particular score is assigned.
Customer blacklists/whitelists. Every environment will encounter special use cases where either adding particular IP addresses (blacklisting) or allowing IP addresses (whitelisting) is required. This level of customization is required to enhance the usability of reputation services.
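The following is an added illustration, not code from the paper or from any vendor named in it: a small policy evaluator that applies the features above (score thresholds per feed tag, customer whitelist and blacklist overrides, aging of stale entries) and also performs the beaconing check described in the HP section, blocking inside-to-outside connections to a known bad address. The 1-100 scale, the two-hour aging window and the "10." internal prefix are assumptions modelled on the RepDV description; the feed entries and addresses are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FEED_TTL = timedelta(hours=2)  # age out stale entries (assumed, modelled on the RepDV refresh)


@dataclass
class RepEntry:
    score: int          # 1-100 threat score, higher is worse (assumed RepDV-style scale)
    source: str         # feed tag, e.g. "sans" or "internal"
    last_seen: datetime


@dataclass
class Policy:
    thresholds: dict                      # feed tag -> score at or above which we block
    default_threshold: int = 80
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)


def decide(policy, feed, src_ip, dst_ip, now, internal_prefix="10."):
    """Return (action, reason); 'inspect' means fall through to signature inspection."""
    if src_ip in policy.whitelist or dst_ip in policy.whitelist:
        return "allow", "customer whitelist"
    if src_ip in policy.blacklist or dst_ip in policy.blacklist:
        return "block", "customer blacklist"
    outbound = src_ip.startswith(internal_prefix)  # inside -> outside: the beaconing case
    peer = dst_ip if outbound else src_ip
    entry = feed.get(peer)
    if entry is None or now - entry.last_seen > FEED_TTL:
        return "inspect", "no current reputation"
    threshold = policy.thresholds.get(entry.source, policy.default_threshold)
    if entry.score < threshold:
        return "inspect", f"score {entry.score} below {entry.source} threshold {threshold}"
    direction = "beaconing to" if outbound else "inbound from"
    return "block", f"{direction} {peer} (score {entry.score}, {entry.source})"


# Constructed sample feed and policy; addresses are documentation ranges, not real indicators.
NOW = datetime(2011, 3, 1, 12, 0)
FEED = {
    "198.51.100.7": RepEntry(95, "sans", NOW - timedelta(minutes=5)),
    "203.0.113.9": RepEntry(60, "sans", NOW - timedelta(minutes=5)),
    "203.0.113.20": RepEntry(99, "sans", NOW - timedelta(hours=3)),  # stale, must be ignored
    "192.0.2.44": RepEntry(60, "internal", NOW - timedelta(minutes=1)),
}
POLICY = Policy(thresholds={"sans": 80, "internal": 50},
                whitelist={"198.51.100.8"}, blacklist={"192.0.2.1"})
```

Calling decide(POLICY, FEED, "10.0.0.5", "198.51.100.7", NOW) returns a block with the reason "beaconing to 198.51.100.7 (score 95, sans)", while the stale 203.0.113.20 entry falls through to ordinary inspection.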
CONCLUSION
An effective reputation service must have three primary qualities to enhance IPS catch rates and throughput. First is the quality and number of deployed sensors that capture and report attack sites. Second is the research and automation that turns those reports into a stream of constantly updated sources. Third is the management interface that allows flexibility in applying reputation.
From our investigation of the available data, HP Networking's TippingPoint IPS solution makes the best use of IPS reputation.
REFERENCES
IBM ISS global filter database content analysis technology. http://www.ibm.com/common/ssi/fcgi-bin/ssialias?infotype=SA&subtype=WH&appname=GTSE_GT_GT_USEN&htmlfid=GTW03026USEN&attachment=GTW03026USEN.PDF
IBM Security Network Intrusion Prevention System data sheet. http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=PM&subtype=SP&appname=SWGE_WG_WG_USEN&htmlfid=WGD03002USEN&attachment=WGD03002USEN_HR.PDF
Spam realtime black lists. http://netwinsite.com/surgemail/help/rbl.htm
Shadowserver.org. http://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/Mission
NASDAQ Directors Desk exploit. http://nakedsecurity.sophos.com/2011/02/06/nasdaq-reports-hackers-broke-into-servers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29
FEATURE CISCO JUNIPER McAFEE IBM TopLayer HP
Intel from own devices: D D D D D
Feeds from 3rd parties: D D D D D
Policy based on reputation score: D D D
Knowledge base: D D D D
Customer black listing/white listing: