IPS devices protect networks from malicious traffic by sitting inline with it. Based on rules set by the administrator, the IPS looks for anything suspicious and reports it to a collection point such as a security information and event management (SIEM) appliance. Unlike an intrusion detection system (IDS), which usually receives a copy of the traffic from a network tap or SPAN port and can only raise alerts, the IPS sits in the traffic path itself and can stop an attack by:
- Terminating the offending connection (for example with a TCP reset).
- Blocking access to the target.
- Blocking access to a resource based on the user account, IP address or other characteristic.
IPS devices can also push policy and rule changes to other devices such as routers and firewalls, apply virtual patches (signatures that block exploitation of a known vulnerability until the affected hosts can actually be patched) and strip risky content such as email attachments.
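The difference between a sensor on a tap and a sensor in the path is easiest to see with one rule set run both ways. The example below is added here and is not code from the original post: a toy rule engine with a hypothetical rule and packet format, run over constructed traffic (two web attacks, one benign request, six SSH connection attempts from one host). In tap mode every hit becomes an alert and nothing else happens; in inline mode the rule's action is carried out, the fifth SSH attempt puts the source on a dynamic blocklist, and the sixth is dropped before any rule is evaluated. Both modes forward CEF-style records to the SIEM.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    sid: int                                # signature id, reported to the SIEM
    msg: str
    action: str                             # what an inline sensor does on a hit
    dport: Optional[int] = None             # match only this destination port
    pattern: Optional[re.Pattern] = None    # content match against the payload
    threshold: Optional[int] = None         # hits from one source before the rule fires


# Constructed rule set (hypothetical signatures, not from any vendor feed).
RULES = [
    Rule(1001, "SQL injection tautology in HTTP request", "reset",
         dport=80, pattern=re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")),
    Rule(1002, "Directory traversal in HTTP request", "drop",
         dport=80, pattern=re.compile(rb"\.\./\.\./")),
    Rule(1003, "SSH connection flood from one source", "block_source",
         dport=22, threshold=5),
]


class Sensor:
    """One rule engine, two deployments: on a tap (IDS) or in the path (IPS)."""

    def __init__(self, rules: List[Rule], inline: bool):
        self.rules = rules
        self.inline = inline
        self.events: List[str] = []         # records forwarded to the SIEM
        self.blocked_sources = set()        # dynamic blocklist (inline mode only)
        self.hits = Counter()               # (sid, src) -> count, for threshold rules

    def _emit(self, rule: Rule, pkt: Packet, verdict: str) -> None:
        # CEF-style record: '|'-separated header, then key=value extensions.
        severity = 5 if verdict == "alert" else 8
        self.events.append(
            f"CEF:0|Example|ToySensor|1.0|{rule.sid}|{rule.msg}|{severity}|"
            f"src={pkt.src} dst={pkt.dst} dpt={pkt.dport} act={verdict}")

    def process(self, pkt: Packet) -> str:
        """Return 'pass', 'blocked', 'alert' (tap mode) or the rule's action (inline)."""
        if self.inline and pkt.src in self.blocked_sources:
            return "blocked"                # no rule evaluation, no new event
        for rule in self.rules:
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.pattern is not None and not rule.pattern.search(pkt.payload):
                continue
            if rule.threshold is not None:
                self.hits[(rule.sid, pkt.src)] += 1
                if self.hits[(rule.sid, pkt.src)] < rule.threshold:
                    continue
            # A tap can only raise an alert; an inline sensor carries out the action.
            verdict = rule.action if self.inline else "alert"
            if verdict == "block_source":
                self.blocked_sources.add(pkt.src)
            self._emit(rule, pkt, verdict)
            return verdict
        return "pass"


# Constructed traffic: two web attacks, one benign request, six SSH connects from one host.
TRAFFIC = [
    Packet("203.0.113.7", "10.0.0.5", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.9", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1"),
] + [Packet("192.0.2.44", "10.0.0.8", 22, b"SSH-2.0-OpenSSH_8.9") for _ in range(6)]


def run(inline: bool) -> Tuple[List[str], List[str]]:
    """Feed TRAFFIC through a fresh sensor; return per-packet verdicts and SIEM events."""
    sensor = Sensor(RULES, inline)
    verdicts = [sensor.process(p) for p in TRAFFIC]
    return verdicts, sensor.events


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, events = run(inline=mode)
        print("IPS" if mode else "IDS", verdicts)
        for e in events:
            print("  ", e)
```

Note what the tap-mode run cannot do: it keeps alerting on the sixth, seventh and later SSH attempts, because alerting is all a passive sensor has. The inline run emits one fewer event for the same traffic, not because it saw less, but because after the block decision the offending source never reaches the rule engine again.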
What is Next Generation IPS?
Virtualization and cloud adoption have driven a wave of new IDS/IPS products marketed as “NGIPS”, or “Next Generation IPS”. Rather than relying on port and protocol alone, these devices identify the application generating the traffic and inspect its content, so that, for example, malicious traffic carried inside a web application session or disguised as an ordinary file transfer is still recognized. This is why there is an influx of NGIPS solutions from manufacturers such as SonicWALL, Sourcefire, Check Point and IBM.
Gain Visibility into Any Resource
These vendors are also using hypervisor APIs to build solutions that perform deep inspection in both virtualized and cloud environments. These paravirtualized (hypervisor-integrated) IPS devices hook into the hypervisor layer and look for abnormalities not only in inter-VM network traffic, which never touches a physical wire and is therefore invisible to a conventional inline appliance, but also in system usage and resource utilization.
Should an unauthorized event such as the creation of a virtual NIC that connects two adjacent VMs be detected, the event is prevented and any connected SIEM records the issue. This provides visibility into the inner workings of a virtual environment, something that until recently was limited to the management information fed into the virtual platform's own reporting system. It matters because it allows environments with security requirements to gain visibility into any resource, virtualized or otherwise, that holds business-critical information.
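To make the virtual-NIC case concrete, here is an added example (not code from the original post or from any of the vendors named above) of the policy check such a hypervisor-layer guard would apply before a vNIC attach is committed. The event shape, the zone inventory and the approved-bridge list are constructed for the example; a real product would obtain them from the hypervisor's own API and configuration. A NIC that keeps a VM within its own zone is allowed, a NIC that makes a VM span a zone pair on the approved list is allowed, and anything else, including a request for a VM the inventory does not know, is denied and reported to the SIEM.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed segmentation policy: the zone each VM and each virtual switch belongs to.
VM_ZONE: Dict[str, str] = {"web-01": "dmz", "app-01": "app", "db-01": "data", "jump-01": "mgmt"}
NET_ZONE: Dict[str, str] = {"vs-dmz": "dmz", "vs-app": "app", "vs-data": "data", "vs-mgmt": "mgmt"}
# Zone pairs one VM may legitimately span (e.g. a reverse proxy between DMZ and app tier).
ALLOWED_BRIDGES = {frozenset({"dmz", "app"})}


@dataclass
class NicAttach:
    """A hypervisor change event (assumed shape, not any real hypervisor's API)."""
    vm: str
    network: str
    actor: str          # account that requested the change


@dataclass
class Decision:
    action: str         # "allow" or "deny"
    reason: str
    siem: str           # record forwarded to the SIEM


class HypervisorGuard:
    """Evaluates vNIC attach requests against the segmentation policy before they commit."""

    def __init__(self) -> None:
        self.attached: Dict[str, Set[str]] = {vm: set() for vm in VM_ZONE}

    def evaluate(self, ev: NicAttach) -> Decision:
        vm_zone, net_zone = VM_ZONE.get(ev.vm), NET_ZONE.get(ev.network)
        if vm_zone is None or net_zone is None:
            return self._decide(ev, "deny", "unknown VM or virtual network")
        # Zones the VM would be connected to once this NIC exists.
        zones = {NET_ZONE[n] for n in self.attached[ev.vm]} | {net_zone}
        if zones == {vm_zone}:
            return self._decide(ev, "allow", "same-zone attach")
        if frozenset(zones) in ALLOWED_BRIDGES:
            return self._decide(ev, "allow", "approved bridge " + "/".join(sorted(zones)))
        return self._decide(ev, "deny", "would bridge zones " + "/".join(sorted(zones)))

    def _decide(self, ev: NicAttach, action: str, reason: str) -> Decision:
        if action == "allow":
            self.attached[ev.vm].add(ev.network)     # the change commits only when allowed
        siem = (f"hv_guard vm={ev.vm} net={ev.network} actor={ev.actor} "
                f"action={action} reason=\"{reason}\"")
        return Decision(action, reason, siem)


# Constructed event stream: routine attaches mixed with two segmentation violations
# and one request for a VM that is not in the inventory.
EVENTS = [
    NicAttach("web-01", "vs-dmz", "svc-deploy"),     # normal
    NicAttach("web-01", "vs-app", "svc-deploy"),     # dmz/app bridge, on the approved list
    NicAttach("web-01", "vs-data", "jdoe"),          # would link a DMZ host to the data zone
    NicAttach("db-01", "vs-data", "svc-deploy"),     # normal
    NicAttach("db-01", "vs-mgmt", "jdoe"),           # data/mgmt bridge, not approved
    NicAttach("rogue-99", "vs-data", "jdoe"),        # VM unknown to the inventory
]


def run() -> List[Decision]:
    """Evaluate EVENTS in order against a fresh guard and return the decisions."""
    guard = HypervisorGuard()
    return [guard.evaluate(e) for e in EVENTS]


if __name__ == "__main__":
    for d in run():
        print(d.siem)
```

Two design points carry over to a real deployment. The guard evaluates the state the VM would be in after the change, not just the new NIC in isolation, which is what catches the third event: `vs-data` is a perfectly ordinary network, but on a host that already spans DMZ and app it completes a path from the DMZ to the data zone. And the change is committed to the guard's view only on an allow, so a denied request leaves no trace in the inventory other than the SIEM record, which names the account that asked for it.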
As cloud and virtualized environments become more distributed and shared, being able to verify that these VMs are protected by an IPS (among other security controls) is paramount. It not only demonstrates to auditors that your resources are protected, but also ensures that all network traffic and inter-VM behaviour can be monitored from inside the environment. This helps both with assessing your current security posture and with forensic analysis should a security or network incident occur.
What about you? What are your thoughts on how IPS devices can protect virtualized environments? Feel free to share your comments below.