Intrusion prevention systems aren't just for protecting network devices. An application IPS can protect the application against malicious attackers looking to exploit business logic flaws, execute cross-site scripting attacks or perform any of the multitude of possible application attacks.
Unfortunately, current systems just don't measure up. Most intrusion prevention systems are designed for networks, and application layer detection is an add-on. Sadly, the detection normally consists of a series of vanilla regexes for SQL injection in the URL parameters. Web Application Firewalls (WAFs) aren't much better. The WAF sits outside of the application and has no understanding of the application's business logic. How can a device prevent an attacker from accessing sensitive data if it doesn't understand the app or its access controls?
The next generation of application IPS will provide protection by deeply integrating into the application itself. This integration allows the IPS to understand whether a user's actions are malicious, because the IPS will know what is allowed for this application. This comprehension far exceeds normal regular expression parsing of the HTTP request for dangerous strings. Instead, the IPS works with the application to detect attempts by the user to circumvent security controls, perform unauthorized actions or inject unexpected or malicious data.
The IPS will achieve its "protection" by interacting with the application to lock user accounts in real time. The application IPS will detect malicious probes by an attacker. When the attacker has crossed a defined threshold of activity, the IPS will react and stop the attacker by locking the account. Most attackers require multiple probes to locate and refine an attack against a vulnerability. The application IPS will detect the attacker and lock them out before any actual damage can be done.
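The threshold-and-lock behavior described above, as an added sketch that is not code from the original post. The `AppIPS` class, the `view_invoice` handler, the detection point name, the status strings and the invoice data are all hypothetical; the threshold of 3 events in 300 seconds is an assumed policy.

```python
import time
from collections import defaultdict, deque


class AppIPS:
    """In-application detector: counts detection events per user and locks
    the account once a threshold is crossed inside a sliding time window."""

    def __init__(self, threshold=3, window_seconds=300, clock=time.monotonic):
        self.threshold = threshold        # assumed policy value
        self.window = window_seconds      # assumed policy value
        self.clock = clock                # injectable so tests control time
        self.events = defaultdict(deque)  # user -> (timestamp, detection point)
        self.locked = set()

    def report(self, user, detection_point):
        """Called by application code when a request does something a
        legitimate user of this application would never do."""
        now = self.clock()
        recent = self.events[user]
        recent.append((now, detection_point))
        # Drop events that have aged out of the window.
        while recent and now - recent[0][0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked.add(user)
        return user in self.locked

    def is_locked(self, user):
        return user in self.locked


# Constructed sample data: invoice id -> owning user.
INVOICE_OWNERS = {101: "alice", 102: "bob"}


def view_invoice(ips, user, invoice_id):
    """Hypothetical request handler with the IPS wired into its access check."""
    if ips.is_locked(user):
        return "423 account locked"
    if INVOICE_OWNERS.get(invoice_id) != user:
        # The application knows its own access rules, so a request for
        # someone else's (or a nonexistent) invoice is a detection point,
        # even though nothing in the raw HTTP request looks dangerous.
        ips.report(user, "ACCESS_OTHER_USERS_INVOICE")
        return "403 forbidden"
    return f"200 invoice {invoice_id}"
```

Each probe is still denied by the normal access check; the lock takes effect on the request after the threshold is reached, and other users are unaffected.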
--
More information on:
Next Generation IPS
Blog author Michael Coates
Saturday, June 27, 2009