
Intrusion Prevention System (IPS): Your first line of defense against malware

What is IPS?


An Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level, inspecting traffic as it arrives rather than after it has been written to the system. It is the first line of defense against malware.

There is sometimes confusion between an IPS and a firewall. Personal firewalls are more basic: they make allow/deny decisions based on which program is communicating and on which port and address, so that only “selected” programs are allowed to interact over the Internet. Firewalls also block network communication on non-standard ports, which legitimate programs and services generally do not use. What a firewall does not do is look at the content of the traffic it permits. An IPS goes one step further and examines the content of all network traffic that is allowed through the firewall.

We can demonstrate the difference between firewalls and IPS by using the real world example of airport security. Airline officials and security officers confirm the identity of people traveling. They only allow people with proper identification and tickets to pass the checkpoint and proceed towards the gates. On your PC, the personal firewall provides the same function – either allowing “unscreened” traffic or blocking it. Back at the airport, baggage screeners and X-Ray machines make sure that authorized travelers do not carry dangerous items to the gate or onto an airplane. Similarly, the IPS engine’s role in the Norton security suite is to carefully examine the traffic that the firewall has already allowed.

In the past, Intrusion Prevention Systems simply protected against operating system (OS) threats, or denial of service (DoS) and distributed denial of service (DDoS) attacks. These threats exploited vulnerabilities that were mostly in the OS network stack and services. Over the past few years, these OS components have become more robust. So has the threat decreased?

Why is the IPS engine in Norton products so important?

Each year, PC use becomes increasingly centered on online activity, and that means more reliance on web browsers and their plug-ins to interact with sites and services. This has created a golden opportunity for the “bad guys” to move their attacks from the OS to exploiting vulnerabilities in applications. Now they are more likely to target your web browser, document viewers, media players, etc.

With the state of website security across the globe being so poor, the “bad guys” have had an easy time compromising websites and waiting for users to visit. As a result, users are being served malware by visiting not just “dodgy” sites, but very legitimate sites. A recent report from Symantec’s MessageLabs, a leading SaaS email and web-security provider, showed that in March of 2009, 85% of malware detected was hosted by a site that had been operational for at least a year.

In some cases, users are getting infected after being lured into visiting “bad” sites through means of social engineering scams. Fake e-mail from friends, the bank, messages on social networking sites and “malvertisements” are all examples of how unsuspecting users can be driven to these dangerous compromised sites.

To combat these changing threats, the IPS engine in Norton products is designed to shield the vulnerable components that attackers now target: browsers, plug-ins, document viewers and media players, not just the OS. In addition to scanning all network traffic, the IPS engine has specific browser protection for today’s most popular browsers.

Won’t I be safe with updated signatures alone?

Stopping a threat “in flight”, at the network level, is extremely effective because it blocks the threat before it ever lands on the system. It is much more expensive to clean a threat once it hits the disk or application memory. Core technologies like antivirus (AV) engines only get a chance to clean these threats when they hit the disk. Sometimes clean removal or quarantine is difficult, as these threats try to rapidly increase their footprint on the system by morphing or injecting into other legitimate processes. Some web applications stream data from external web servers and deliver it directly into the browser or plug-in, so the malicious content may never be written to disk at all. In these cases a file-scanning technology like AV isn’t the right tool, which is why additional protection via IPS is so important.

How does the Norton IPS engine work?

Applications that interact over the Internet can have vulnerabilities. Generally, vendors release patches to address these vulnerabilities as they are discovered. Unfortunately, for various reasons, millions of users don’t run fully patched systems, and when they download or stream a document, media file or simple HTML page on an unpatched system, they can be compromised. These exploits, when successful, can also cause (even more) malware to be downloaded, making the problem worse.

The Norton IPS engine shields these vulnerable systems by scanning network traffic for patterns that exploit the underlying vulnerabilities. Because a signature written against the vulnerability describes the condition that any exploit must create (an over-long field, a malformed structure), rather than the bytes of one particular exploit, a single IPS signature for a vulnerability can protect against many exploit variants. This makes IPS signatures very scalable in their defense.
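As an added illustration of the two roles described above (the firewall’s allow/deny decision from the firewall-versus-IPS section, and the vulnerability-based signatures described in this section), here is a small Python sketch. It is not Norton’s code and does not describe any real product or signature: the “DocViewer” Title-field overflow, both signatures and all traffic samples are invented for the example. It shows why one signature written against the vulnerable condition catches exploit variants that a signature for one exploit’s exact bytes misses, and why the IPS stage only ever sees traffic the firewall has already allowed.

```python
import re
from dataclasses import dataclass

# ---- Stage 1: personal firewall -------------------------------------------
# Allow-list of local programs and the remote ports they may use (constructed
# example). The firewall decides on this identity information alone; it never
# reads the payload, which is the gap the IPS stage exists to cover.
FIREWALL_RULES = {
    "browser.exe": {80, 443},
    "mail.exe": {587, 993},
}


def firewall_allows(program: str, dst_port: int) -> bool:
    """Allow/deny on program and port only; payload content is not consulted."""
    return dst_port in FIREWALL_RULES.get(program, set())


# ---- Stage 2: IPS ----------------------------------------------------------
@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


# Hypothetical vulnerability (invented for this example): a document viewer
# copies the "Title:" field of a downloaded file into a 64-byte buffer with no
# length check. The vulnerability-based signature encodes the *condition* every
# exploit must create (a Title longer than 64 bytes), not any one exploit's bytes.
TITLE_MAX = 64
VULN_SIG = re.compile(rb"^Title: .{%d,}$" % (TITLE_MAX + 1), re.MULTILINE)

# Exploit-based signature: the exact bytes of the first exploit that was seen.
FIRST_EXPLOIT = b"Title: " + b"A" * 200 + b"\xcc\xcc\xcc\xcc"
EXPLOIT_SIG = re.compile(re.escape(FIRST_EXPLOIT))


def ips_inspect(payload: bytes, signatures: dict) -> Verdict:
    """Scan a payload the firewall already allowed; block on the first signature hit."""
    for name, pattern in signatures.items():
        if pattern.search(payload):
            return Verdict(False, f"IPS: {name}")
    return Verdict(True, "clean")


def filter_flow(program: str, dst_port: int, payload: bytes, signatures: dict) -> Verdict:
    """Full pipeline: the firewall decides first, the IPS inspects only what it allowed."""
    if not firewall_allows(program, dst_port):
        return Verdict(False, "firewall: program/port not permitted")
    return ips_inspect(payload, signatures)


# ---- Constructed traffic samples (not captured from any real attack) -------
BENIGN = b"Title: Quarterly report\nBody: ...\n"
VARIANTS = [
    FIRST_EXPLOIT + b"\n",                                    # the original exploit
    b"Title: " + b"B" * 300 + b"\x90\x90\xeb\xfe" + b"\n",    # different filler and payload
    b"Title: " + bytes(range(65, 91)) * 5 + b"\n",            # 130 bytes, no obvious payload
]


def evaluate(signatures: dict) -> dict:
    """Count how many exploit variants a signature set blocks, and whether benign traffic still passes."""
    caught = sum(
        1 for v in VARIANTS if not filter_flow("browser.exe", 80, v, signatures).allowed
    )
    benign_ok = filter_flow("browser.exe", 80, BENIGN, signatures).allowed
    return {"caught": caught, "of": len(VARIANTS), "benign_passes": benign_ok}


if __name__ == "__main__":
    print("unknown program:", filter_flow("unknown.exe", 80, BENIGN, {}))
    print("exploit-specific signature:", evaluate({"exploit-bytes": EXPLOIT_SIG}))
    print("vulnerability signature:   ", evaluate({"docviewer-title-overflow": VULN_SIG}))
```

Run as a script, the exploit-specific signature blocks only the one variant it was written for, while the vulnerability signature blocks all three without touching the benign document. The same structure is why a single well-written IPS signature keeps working as attackers re-pack their exploits.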

Norton users running IPS get definition updates with new signature content on a regular basis.

If I run a fully patched system, do I need IPS?

Yes. Vendors typically take anywhere from a few days to a few weeks to release patches for new vulnerabilities in their products. Not all products have an auto-update feature to download new patches as soon as they are available. In some cases, updating to a new patch/version causes incompatibility with other software on the system and prevents users from updating. Practically speaking, there is almost always a window of time when even the most advanced or savvy users are running a system without fully patched software.

The IPS engine from Norton can protect users during these “windows of opportunity” for the bad guys. Symantec’s Technology and Response team works 24/7 and can quickly release updates to Norton products to “virtually patch” critical vulnerabilities.

What is new for IPS in Norton 2010?

For the Norton 2009 family of products, the IPS engine was completely redesigned, with tremendous improvements in performance and protection. Since the IPS engine has to monitor ALL network activity, it can be resource intensive. For the upcoming Norton 2010 products, we are continuing to make improvements based on the changing threat landscape while maintaining our parallel focus on performance:

- Browser protection has been beefed up to protect against a larger range of threats.
- The IPS engine now collaborates more closely with the other protection technologies in Norton products, so that a threat detected by IPS can be neutralized on the system rather than only having its network activity blocked.

Summary

When it comes to providing the best protection possible, you can’t rely on a single technology because there isn’t a single threat. Norton’s Intrusion Prevention System is a critical component that is able to detect and block malicious attacks before they ever reach the hard drive or memory of your PC.


Comments


Hello,

I have posted my reply on those questions on the forum a while ago. We will be fixing the IPS - FF 3.5.1 incompatibility issue with the NIS/NAV release for  Windows 7. Stay tuned for updates on the details of that release.

At the same time, be assured that you still have pretty good protection without the Firefox IPS plug-in. As I have said in my post on the forum, we have many layers of protection in our IPS technology, and one of them is the browser-based plug-in. Our other detection engines will sufficiently cover for threats, and the user exposure is very limited to none.

Without giving away too many internal details, we need presence in the browser for certain threats we can't effectively detect with other methods. These threats use various evasion techniques that make them difficult to catch by other means. The browser plug-in is one of the shields we have in our product to protect users from malware.

Ameya,

Your IPS write-up, which I find quite interesting (being new to IPS), was referred to in the posting/link below. If you read this, please consider visiting this thread and giving your comments. I raised some questions on how to remove/reinstall IPS 2.0 on Firefox 3.6.3, should I so choose, which nobody could (or wanted to) answer. Thanks in advance! CeeBee

http://community.norton.com/t5/Norton-Internet-Security-Norton/Norton-IPS-2-0-Extension-on-Firefox-3-6-3/td-p/234332


Hi Ameya...

Just wondering, because as I know there are a lot of Norton programs that have this IPS (intrusion prevention system) feature. I just want to know if this feature can prevent the malware which is available online, where this malware just enters your computer without you knowing it, just like Personal Security and Malware Defense, which I know are fraudulent security software. Thanks...


Hi Ameya,

I have a question with regards to IPS. Currently, Firefox 3.6 does not support the NIS 2010 IPS. I was wondering if it was advisable for users to update to Firefox 3.6 or should they stick with their current version? Would the incompatibility of the IPS result in computers being more vulnerable to attacks?


Hi Ameya,

There has recently been a lot of discussion in the Norton Forums concerning the Norton IPS 1.0 add-on in Firefox, which is currently not compatible with Firefox 3.5.1. My question is: what is the purpose of having browser-specific IPS add-ons? Is there some added functionality or tactical advantage to be gained that would not be available through the general system IPS protection alone? I'm just unclear on what the IPS browser add-on does that is not already being provided by the system IPS protection.

SendOfJIve


Thanks Ameya,

I really was not looking for more information on the incompatibility issue, which, as you note, has plenty of coverage in the forums. It was really more of a general technical question as to how a browser IPS plug-in would increase protection over a system IPS feature alone. I was just curious as to the properties of the add-on that would make it something other than a redundant IPS component. Your answer has given me a better understanding of this. Thanks.

SendOfJive