Overview of Intrusion Prevention (14)

Malware is the most common security threat and includes viruses, worms, botnets, rootkits, Trojans, backdoor programs, vulnerability exploit programs, and WAP (mobile) malicious programs. Besides malware, the impact of greyware is increasing, and crime-related security threats have become critical to network security.

Instead of facing only virus attacks, users now have to fend off combinations of network threats, including viruses, hacker intrusions, Trojan horses, botnets, and spyware. Current defense mechanisms struggle to mitigate such attacks. 
Vulnerabilities lead to severe security risks:
  • Application software running on the enterprise intranet may have vulnerabilities.
  • The Internet helps vulnerabilities in application software spread rapidly.
  • Worms spread by exploiting application software vulnerabilities, consuming network bandwidth and damaging important data.
  • Hackers and malicious employees target vulnerabilities to intrude into enterprise servers and tamper with, destroy, or steal confidential information. 
DDoS attacks:
  • A global black-market industry chain has grown up around DDoS attacks with the aim of financial gain, and there is a huge number of botnets on networks.
  • DDoS attacks may be launched for blackmail or to disrupt competitors.
  • DDoS attacks consume bandwidth to bring the network down and exhaust server resources so that the server can no longer respond to user requests or crashes outright, ultimately causing services to fail.


A virus is a type of malicious code that infects or attaches itself to application programs or files and spreads through protocols such as email or file sharing, threatening the security of user hosts and networks.

Viruses perform various types of harmful activities on infected hosts, such as exhausting host resources, occupying network bandwidth, controlling host permissions, stealing user data, and even corrupting host hardware.

Virus and malware:
  • Viruses, Trojan horses, and spyware invade an intranet mainly through web browsing and mail transmission.
  • Viruses can crash computer systems and tamper with or destroy service data.
  • Trojan horses enable hackers to steal key information on computers as well as crash them. Spyware collects, uses, and transmits sensitive information on enterprise employees, disturbing normal services.
  • Desktop antivirus software alone can hardly prevent virus outbreaks across the whole network.
Typical intrusions:
  • Tampering with web pages
  • Cracking system passwords
  • Copying and viewing sensitive data
  • Obtaining user passwords using network sniffing tools
  • Accessing servers without authorization
  • Obtaining raw packets with special hardware
  • Implanting Trojan horses in hosts 


In the security system, the intrusion detection system (IDS) takes on the same role as a surveillance camera. It monitors and analyzes traffic across key nodes in the information system, and learns of ongoing security events. The system administrator can use the IDS to obtain and analyze the traffic of key nodes for discovering and reporting anomalies and suspicious network behaviors.

Intrusion detection inspects various operations as well as analyzing and auditing data and phenomena to detect intrusion behaviors in real time. It is a proactive and dynamic security defense technology that covers various authorized and unauthorized intrusion behaviors.

The IDS can immediately trigger the relevant security mechanisms as soon as it detects a security policy violation or evidence that the system is being attacked.

Firewalls and IDS:
  • Firewalls are usually deployed in serial mode and are capable of rapid forwarding but not in-depth detection.
  • Firewalls can neither correctly analyze malicious code in application data flows nor detect malicious operations or misoperations of intranet users.
  • Firewalls perform coarse-grained access control, whereas the IDS provides fine-grained detection, allowing the administrator to monitor the live network even more accurately.
  • The IDS can interwork with firewalls and switches, acting as an assistant to the firewall for controlling interzone access.
  • The IDS can be manually or automatically updated, and its policies can be easily configured. 
The IPS has the following technical features:
  • Real-time blocking: The IPS detects and blocks network attacks in real time, whereas the IDS can only detect attacks. Therefore, the IPS improves system security to the maximum extent.
  • Self-learning and self-adaptation: The IPS minimizes the rate of false negatives and false positives through self-learning and self-adaptation to reduce the impact on services.
  • User-defined rules: The IPS supports the customization of intrusion prevention rules to give the best possible response to the latest threats.
  • Service awareness: The IPS can detect exceptions or attacks at the application layer.
  • Zero-configuration go-live: The system provides a default intrusion prevention security profile that can be referenced directly.
Intrusion log information includes: virtual system, hit security policy, source and destination addresses, source and destination ports, source and destination zones, user, protocol, application, hit intrusion prevention security profile, signature name, signature sequence number, event count, intrusion target, intrusion severity, operating system, signature category, and signature action. Of these, the following are particularly important:
  • Profile: Hit intrusion security profile.
  • Threat name: IPS signatures describe attack behavior features. The firewall compares the features of packets with the signatures to detect and defend against attacks.
  • Event count: The field is used for merging logs. Whether logs are merged is determined by the merge frequency and conditions. The value is 1 if logs are not merged.
  • Intrusion target: Indicates the attack target of a packet detected based on the signature, which can be:
    • server: The attack target is the server.
    • client: The attack target is the client.
    • both: The attack targets are the server and client. 
  • Intrusion severity: Indicates the severity of the attack caused by the packet detected based on the signature, which can be:
    • Information
    • Low
    • Medium
    • High
  • Operating system: Indicates the operating system attacked by the packet detected based on the signature, which can be:
    • All: all systems
    • Android
    • iOS
    • Unix-like
    • Windows
    • Other: other systems
  • Signature category: Indicates the threat category to which the packet attack detected based on the signature belongs.
  • Signature action, which can be:
    • Alert
    • Block
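The event count field above is what makes merged intrusion logs readable. The following is an added example (not device code from the original page) that parses constructed sample records in a simplified key=value form, collapses repeated hits into one record with an event count, and pulls out the blocked high-severity records a SOC analyst would triage first. The merge conditions (same source, destination, signature and action) and the 5-minute merge frequency are assumptions, since the page does not specify them.

```python
from datetime import datetime, timedelta

# Constructed sample of unmerged intrusion log records (not real device output).
RAW_LOGS = [
    "2024-05-01 10:00:01 src=10.1.1.5 dst=192.0.2.10 sig=SQL-Injection-Generic sev=High target=server action=block",
    "2024-05-01 10:00:07 src=10.1.1.5 dst=192.0.2.10 sig=SQL-Injection-Generic sev=High target=server action=block",
    "2024-05-01 10:00:20 src=10.1.1.5 dst=192.0.2.10 sig=SQL-Injection-Generic sev=High target=server action=block",
    "2024-05-01 10:04:30 src=10.1.1.9 dst=192.0.2.10 sig=Dir-Traversal-Generic sev=Medium target=server action=alert",
    "2024-05-01 10:09:00 src=10.1.1.5 dst=192.0.2.10 sig=SQL-Injection-Generic sev=High target=server action=block",
]

# Assumed merge conditions: records are merged only when all of these fields match.
MERGE_KEYS = ("src", "dst", "sig", "action")


def parse(line):
    """Turn one 'date time key=value ...' record into a dict with a datetime."""
    date, time_, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["time"] = datetime.fromisoformat(f"{date} {time_}")
    return rec


def merge_logs(lines, merge_window=timedelta(minutes=5)):
    """Collapse records sharing MERGE_KEYS within one merge window into a single
    record whose event_count counts the hits; unmerged records keep event_count 1.
    The window is measured from the first record of the group (assumption)."""
    merged = []
    open_records = {}  # merge key -> index of the currently open merged record
    for rec in (parse(line) for line in lines):
        key = tuple(rec[k] for k in MERGE_KEYS)
        idx = open_records.get(key)
        if idx is not None and rec["time"] - merged[idx]["first_seen"] < merge_window:
            merged[idx]["event_count"] += 1
            merged[idx]["last_seen"] = rec["time"]
            continue
        rec.update(first_seen=rec["time"], last_seen=rec["time"], event_count=1)
        open_records[key] = len(merged)
        merged.append(rec)
    return merged


def blocked_high_severity(merged):
    """Records worth immediate triage: severity High and signature action block."""
    return [r for r in merged if r["sev"] == "High" and r["action"] == "block"]
```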
Ways of categorizing computer viruses:
  • By functions of malicious code: virus, worm, and Trojan horse
  • By transmission mechanisms: mobile media, network sharing, network scanning, email, and P2P network
  • By infected objects: operating system, application, and device
  • By carriers: executable file, script, macro, and boot area 
The relationships between viruses, worms, and Trojan horses are as follows:
  • A virus is a segment of malicious code that is parasitic on a normal program. When a user runs the normal program, the virus starts with it and damages the system's file system.
  • A worm is a variant of the virus. It is an independent entity that does not need a host program; it replicates itself and spreads by exploiting system or intentional vulnerabilities, degrading the performance of the entire network and of the computer system even more severely.
  • A Trojan horse is a kind of malicious code that is parasitic by nature and extremely covert. Hackers can usually control a host through a Trojan horse and turn the host into a zombie. In addition, a Trojan horse can be used to monitor a victim and obtain key information, such as a bank account password.
When we talk about antivirus, we are referring to the mitigation of malicious code.
Single-device antivirus is implemented by installing antivirus software or professional antivirus tools. Virus detection tools detect malicious code such as viruses, Trojan horses, and worms, and some can also recover infected files. Norton Antivirus from Symantec is a common antivirus program, and Process Explorer (see figure) is a professional antivirus tool.

Network antivirus technology refers to deploying antivirus policies on a security gateway. 
Antivirus is used for network security in the following scenarios:
  • Intranet users can access the Internet and need to frequently download files from the Internet.
  • Servers deployed on the intranet need to frequently receive files uploaded by Internet users.
As shown in the figure, the NIP serves as a gateway device that isolates the intranet from the Internet. There are user PCs and a server on the intranet. Intranet users can download files from the Internet, and Internet users can upload files to the intranet server. To secure the files to be uploaded or downloaded, the antivirus function should be configured on the NIP.

After the antivirus function is configured, the NIP only permits secure files to be transferred into the intranet. If a virus is detected in a file, the NIP applies the action, such as block or alert, to the file. 
Currently, device vendors (including UTM and AVG) provide two antivirus scanning modes: proxy scanning and flow scanning.
  • A proxy antivirus gateway performs more advanced operations, such as decompression and unpacking, and achieves a high detection rate. However, performance is lower and system overhead is higher because every file is cached.
  • A flow antivirus gateway has high performance and low system overhead but a lower detection rate, since it cannot cope with packed (shelled) and compressed files.
The intelligent awareness engine (IAE) performs in-depth analysis of network traffic to identify the protocol type and file transfer direction.

The NIP then checks whether antivirus supports this protocol type and file transfer direction.

The firewall performs virus detection for files transferred using the following protocols:
  • File Transfer Protocol (FTP)
  • Hypertext Transfer Protocol (HTTP)
  • Post Office Protocol - Version 3 (POP3)
  • Simple Mail Transfer Protocol (SMTP)
  • Internet Message Access Protocol (IMAP)
  • Network File System (NFS)
  • Server Message Block (SMB)
The firewall supports virus detection for files that are:
  • Uploaded: Indicates files sent from the client to the server.
  • Downloaded: Indicates files sent from the server to the client.
The NIP then checks whether the file matches the whitelist. Whitelisted files are not scanned for viruses.

A whitelist comprises whitelist rules. You can configure whitelist rules for trusted domain names, URLs, IP addresses, and IP address ranges to improve the antivirus detection rate. A whitelist rule applies only to the corresponding antivirus profile. 

Virus detection:
  • The IAE extracts signatures from a file for which antivirus is available and matches them against the virus signatures in the virus signature database. If a match is found, the file is identified as a virus and processed according to the response action specified in the profile; if no match is found, the file is permitted. When the detection interworking function is enabled, files that do not match the virus signature database are sent to the sandbox for in-depth inspection. If the sandbox detects a malicious file, it sends the file signature to the NIP, which saves it to the local interworking detection cache; when the NIP sees the same malicious file again, it takes the action defined in the profile.
  • Huawei analyzes and summarizes common virus signatures to construct the virus signature database. This database defines common virus signatures, each of which is assigned a unique virus ID. After loading this database, the device can identify viruses defined in the database.
The following describes the firewall’s response after identifying a transferred file as a virus:
  • The firewall checks whether this virus-infected file matches a virus exception. If so, the file is permitted.
  • Virus exceptions are whitelisted viruses. To prevent file transfer failures caused by false positives, the virus IDs that users identify as false positives are added to the exception list, which disables the corresponding virus rules.
  • If the virus does not match any virus exception, the firewall checks whether it matches an application exception. If so, it is processed according to the response action (allow, alert, or block) for the application exception.
  • Response actions for application exceptions can differ from those for protocols, because various types of application traffic can be carried over the same protocol.
  • Because of the preceding relationship between applications and protocols, response actions for protocols and applications are configured as follows:
    • If only the response action for a protocol is configured, all applications with traffic transmitted over this protocol inherit the response action of the protocol.
    • If response actions are configured for a protocol and the applications with traffic transmitted over the protocol, the response actions for the applications take effect.
  • If the file matches neither virus exceptions nor application exceptions, the response action corresponding to its protocol and transfer direction specified in the profile is employed. 
Actions taken by the firewall when a virus is detected:
  • Alert: The device permits the virus-infected file and generates a virus log.
  • Block: The device blocks the virus-infected file and generates a virus log.
  • Declare: For a virus-infected email message, the device permits it but adds information to the email body to announce the detection of viruses and generates a virus log. This action applies only to SMTP and POP3.
  • Delete Attachment: The device deletes malicious attachments in the infected email message, permits the message, generates a log, and adds information to the email body to announce the detection of viruses and deletion of attachments. This action applies only to SMTP and POP3. 
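The antivirus processing flow described above (supported protocol and direction, whitelist, signature match with the sandbox interworking cache, then virus exception, application exception and finally the protocol/direction action) can be modelled as a small decision procedure. The following is an added example and not the NIP's own code: the signature database, the sandbox cache and the sample file are constructed stand-ins in which a "signature" is just the SHA-256 of the file content, and the whitelist is keyed by host name as an assumption.

```python
from dataclasses import dataclass, field
import hashlib

# Protocols and directions for which virus detection is performed (from the text).
SUPPORTED_PROTOCOLS = {"FTP", "HTTP", "POP3", "SMTP", "IMAP", "NFS", "SMB"}
DIRECTIONS = {"upload", "download"}


@dataclass
class AntivirusProfile:
    protocol_actions: dict                                # (protocol, direction) -> action
    app_actions: dict = field(default_factory=dict)       # application exception -> action
    virus_exceptions: set = field(default_factory=set)    # virus IDs treated as false positives
    whitelist: set = field(default_factory=set)           # trusted hosts (assumed key type)


# Constructed stand-ins: a signature here is the SHA-256 of the file content.
SAMPLE_FILE = b"CONSTRUCTED-SAMPLE-MALWARE-MARKER"
VIRUS_DB = {hashlib.sha256(SAMPLE_FILE).hexdigest(): 1001}   # signature -> virus ID
SANDBOX_CACHE = {}                                            # local interworking detection cache


def signature(data):
    return hashlib.sha256(data).hexdigest()


def sandbox_report(data, virus_id):
    """Sandbox verdict fed back to the NIP and kept in the local interworking cache."""
    SANDBOX_CACHE[signature(data)] = virus_id


def respond(profile, protocol, direction, app, virus_id):
    """Resolve the response action: virus exception -> application exception -> protocol/direction."""
    if virus_id in profile.virus_exceptions:
        return "allow"                                   # whitelisted virus ID (false positive)
    if app in profile.app_actions:
        return profile.app_actions[app]                  # application action overrides protocol action
    return profile.protocol_actions.get((protocol, direction), "allow")  # inherited from protocol


def scan(profile, protocol, direction, host, app, data):
    if protocol not in SUPPORTED_PROTOCOLS or direction not in DIRECTIONS:
        return "allow"                                   # antivirus does not cover this transfer
    if host in profile.whitelist:
        return "allow"                                   # whitelisted files are not scanned
    sig = signature(data)
    virus_id = VIRUS_DB.get(sig, SANDBOX_CACHE.get(sig))
    if virus_id is None:
        return "allow"                                   # no signature match: file permitted
    return respond(profile, protocol, direction, app, virus_id)
```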
After a virus is detected by the firewall, you can view the detailed antivirus results in the service log.

After antivirus for HTTP and the email protocols is configured, you can also view the relevant information on the access page or in the email body.


Ref : [1]