Intrusion Prevention System (IPS): Your first line of defense against malware
What is IPS?
Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level, inspecting traffic before it reaches the applications running on the PC. It is the first line of defense against malware.
There is sometimes confusion between an IPS and a firewall. Personal firewalls are more basic: they make allow/deny decisions so that only “selected” programs are allowed to interact over the internet, and they block network communication on ports that the policy has not opened, which keeps unsolicited connections away from services that were never meant to be exposed. An IPS goes one step further and examines the content of the network traffic that the firewall has allowed through.
We can demonstrate the difference between firewalls and IPS by using the real world example of airport security. Airline officials and security officers confirm the identity of people traveling. They only allow people with proper identification and tickets to pass the checkpoint and proceed towards the gates. On your PC, the personal firewall provides the same function: it admits or blocks traffic based on the program and port involved, without screening what the traffic actually carries. Back at the airport, baggage screeners and X-Ray machines make sure that authorized travelers do not carry dangerous items to the gate or onto an airplane. Similarly, the IPS engine’s role in the Norton security suite is to carefully examine the traffic that the firewall has already allowed.
In the past, Intrusion Prevention Systems simply protected against operating system (OS) threats, or denial of service (DoS) and distributed denial of service (DDoS) attacks. These threats exploited vulnerabilities that were mostly in the OS network stack and services. Over the past few years, these OS components have become more robust. So has the threat decreased?
Why is the IPS engine in Norton products so important?
Each year, PC use becomes increasingly centered on online activity, and that means more reliance on web browsers and their plug-ins to interact with sites and services. This has created a golden opportunity for the “bad guys” to move their attacks from the OS to exploiting vulnerabilities in applications. Now they are more likely to target your web browser, document viewers, media players, etc.
With the state of website security across the globe being so poor, the “bad guys” have had an easy time compromising websites and waiting for users to visit. As a result, users are being served malware by visiting not just “dodgy” sites, but very legitimate sites. A recent report from Symantec’s MessageLabs, a leading SaaS email and web-security provider, showed that in March of 2009, 85% of malware detected was hosted by a site that had been operational for at least a year.
In some cases, users are getting infected after being lured into visiting “bad” sites through means of social engineering scams. Fake e-mail from friends, the bank, messages on social networking sites and “malvertisements” are all examples of how unsuspecting users can be driven to these dangerous compromised sites.
To combat these changing threats, the IPS Engine in Norton products has the smarts to protect the vulnerabilities that the bad guys target. In addition to scanning all network traffic, the IPS engine has specific browser protection for today’s most popular browsers.
Won’t I be safe with updated signatures alone?
Stopping a threat “in flight”, at the network level, is extremely effective because it blocks the threat before it ever lands on the system. It is much more expensive to clean a threat once it hits the disk or application memory. Core technologies like antivirus (AV) engines only get a chance to clean these threats once they hit the disk. Sometimes clean removal or quarantine is difficult, as these threats try to rapidly increase their footprint on the system by morphing or injecting into other legitimate processes. Some web applications stream content from external web servers straight into the browser or plug-in without ever writing a file to disk. In these cases, a file-scanning technology like AV isn’t the right tool, which is why additional protection via IPS is so important.
How does the Norton IPS engine work?
Applications that interact over the Internet can have vulnerabilities. Generally, vendors release patches to address these vulnerabilities as they are discovered. Unfortunately, for various reasons, millions of users don’t run fully patched systems, and when they download or stream a document, media file or simple HTML page on an un-patched system, they can be compromised. These exploits, when successful, can also cause (even more) malware to be downloaded, making the problem worse.
The Norton IPS engine shields these vulnerable systems by scanning network traffic for patterns that exploit known vulnerabilities. Because a signature can be written for the vulnerability itself (the condition that triggers the bug) rather than for one particular exploit, one IPS signature for a particular vulnerability can protect against many variants of exploits, which makes this defense very scalable.
Norton users running IPS get definition updates with new signature content on a regular basis.
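The following is an added illustration of the point above and is not Norton code or a Norton signature. It uses a constructed, made-up line-based protocol and a hypothetical weakness (a fictional client that copies a “Title:” header into a 64-byte buffer) purely to contrast two ways of writing a network signature: one that matches the literal bytes of a single exploit, and one that matches the vulnerability condition. The sample streams are constructed inline; the names `inspect`, `should_block` and the signature labels are assumptions for this example only.

```python
import re
from typing import Callable, Dict, List

# Constructed example (not Norton code). The protocol, the weakness and the
# samples are all made up to illustrate vulnerability-based vs exploit-based
# signatures.

# Hypothetical weakness: the fictional client copies the "Title:" header
# value into a 64-byte buffer without a length check.
MAX_SAFE_TITLE_LEN = 64

# One header per line: "Name: value", optional "\r" before "\n".
HEADER_RE = re.compile(rb"^([A-Za-z-]+):[ \t]*(.*?)\r?$", re.MULTILINE)

Matcher = Callable[[bytes], bool]


def parse_headers(stream: bytes) -> Dict[bytes, bytes]:
    """Split the constructed protocol stream into lower-cased name -> value pairs."""
    return {m.group(1).lower(): m.group(2) for m in HEADER_RE.finditer(stream)}


def exploit_bytes_signature(stream: bytes) -> bool:
    """Exploit-based signature: matches the literal filler of the first
    exploit seen (100 'A's after 'Title:'). Brittle: any change to the
    filler, spacing or case of the header name evades it."""
    return re.search(rb"Title:[ \t]*A{100}", stream) is not None


def vulnerability_signature(stream: bytes) -> bool:
    """Vulnerability-based signature: matches the condition that triggers the
    bug (an over-long Title value), whatever bytes the attacker chose."""
    title = parse_headers(stream).get(b"title", b"")
    return len(title) > MAX_SAFE_TITLE_LEN


# Signature "definitions" as they might be loaded from an update.
SIGNATURES: Dict[str, Matcher] = {
    "exploit.title.AAAA": exploit_bytes_signature,
    "vuln.title.overlong": vulnerability_signature,
}


def inspect(stream: bytes, signatures: Dict[str, Matcher] = SIGNATURES) -> List[str]:
    """Return the names of every signature that fires on the stream."""
    return [name for name, matcher in signatures.items() if matcher(stream)]


def should_block(stream: bytes) -> bool:
    """Drop the stream before it is delivered to the application if any
    signature fired; this is the 'in flight' block the article describes."""
    return bool(inspect(stream))


# Constructed sample streams: one benign, three variants of the same exploit.
SAMPLES: Dict[str, bytes] = {
    "benign": b"Title: Quarterly report\r\nAuthor: alice\r\n\r\n",
    # The original exploit: 100 'A's of filler followed by placeholder bytes.
    "exploit_v1": b"Title: " + b"A" * 100 + b"\xcc\xcc\xcc\xcc\r\n\r\n",
    # Same bug, different filler and length.
    "exploit_v2": b"Title: " + b"B" * 300 + b"\xcc\xcc\xcc\xcc\r\n\r\n",
    # Same bug again, with a lower-case header name, a tab separator and
    # non-repeating filler, placed after another header.
    "exploit_v3": b"Author: mallory\r\ntitle:\t" + bytes(range(65, 91)) * 4 + b"\r\n\r\n",
}


if __name__ == "__main__":
    for label, stream in SAMPLES.items():
        print(f"{label:11s} fired={inspect(stream)} block={should_block(stream)}")
```

Running the block shows the exploit-byte signature firing only on `exploit_v1`, while the vulnerability signature fires on all three variants and stays silent on the benign stream: that is the coverage and scalability the text refers to. The trade-off is that a vulnerability signature needs the protocol to be parsed correctly (note the lower-case header name and tab separator in `exploit_v3`); a signature that only understood the original exploit would not.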
If I run a fully patched system, do I need IPS?
Yes. Vendors typically take anywhere from a few days to a few weeks to release patches for new vulnerabilities in their products. Not all products have an auto-update feature to download new patches as soon as they are available. In some cases, updating to a new patch/version causes incompatibility with other software on the system and prevents users from updating. Practically speaking, there is almost always a window of time when even the most advanced or savvy users are running a system without fully patched software.
The IPS engine from Norton can protect users during these “windows of opportunity” for the bad guys. Symantec’s Technology and Response team works 24/7 and can quickly release updates to Norton products to “virtually patch” critical vulnerabilities.
What is new for IPS in Norton 2010?
For the Norton 2009 family of products, the IPS engine was completely redesigned and we made tremendous improvements in performance and protection. Since the IPS engine has to monitor ALL network activity, it can be resource intensive. For the upcoming Norton 2010 products, we are continuing to make improvements based on the changing threat landscape while maintaining our parallel focus on performance:
- Browser protection has been beefed up to protect against a larger range of threats.
- The IPS engine now collaborates more closely with the other protection technologies in the Norton products, which means that we can now neutralize a threat based on an IPS detection, rather than just blocking its network activity.
When it comes to providing the best protection possible, you can’t rely on a single technology because there isn’t a single threat. Norton’s Intrusion Prevention System is a critical component that is able to detect and block malicious attacks before they ever reach the hard drive or memory of your PC.