So far in this series, Justin and I have provided tips for securing the foundations of your AWS deployment. Taken together, these tips work to reduce the overall attack surface—the area exposed to the outside world—of your application. Now it’s time to add the next layer of controls to your application, starting with a host-based intrusion prevention system, or IPS.
At this point we’ve already disabled unused services on our instances and have blocked any unnecessary inbound ports using our firewalls. This is a fantastic start but it really only reduces the area we present to the outside world. We’re still exposing our application to traffic that arrives on any port that we’ve allowed through the firewall.
If we take a web server as an example, we’ve still enabled inbound connections on port 80 and 443. There’s a lot you can send over HTTP(S) to try and crash an application or exploit a vulnerability in the server’s OS. We need to take steps to protect this pathway into our application.
That’s where an IPS comes in.
How Does It Work?
Think of IPS as quality control for your network traffic. An IPS monitors incoming traffic and will try to actively prevent any intrusion it detects.
As traffic passes through, it looks to make sure that it’s following the rules. Is the packet well formed (e.g., does it conform to RFC specifications)? Is the packet in sequence? Is it the start of an attack?
During this analysis, the IPS will make a decision about the traffic. Should it be allowed to continue on through or should it be dropped immediately?
For our web server example, the IPS will scan permitted traffic and, in addition to protocol anomalies, look for attacks such as SQL injection, cross-site scripting, attacks targeting the server’s OS, and others. If it finds any, the traffic is dropped immediately, no harm done. If nothing is found, the request continues on as normal.
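To make the inspect-then-decide flow concrete, here is a small added example (not code from the original post, and not how Deep Security or any real IPS engine is implemented) that applies the two checks described above to raw HTTP requests: first a protocol check (is the request well formed?), then a content check against a handful of signature rules. The rule names, regexes and the sample requests are all constructed for illustration; a production engine uses full protocol decoders, stateful sequence tracking and far richer signatures.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed rule set: name plus a regex applied to the decoded request
# line, headers and body. Illustrative only, not a real signature database.
@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern

RULES: List[Rule] = [
    Rule("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    Rule("sqli-union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    Rule("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    Rule("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
]

# Minimal HTTP/1.x request-line grammar used for the well-formedness check.
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "drop"
    reason: str


def inspect_request(raw: bytes) -> Verdict:
    """Return a verdict for one HTTP request: form first, then content."""
    # latin-1 never fails to decode, so a non-ASCII body is not itself a drop.
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")

    # Protocol-anomaly check: does the request conform to the expected grammar?
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Verdict("drop", "malformed request line")
    for hdr in lines[1:]:
        if ":" not in hdr:
            return Verdict("drop", "malformed header: " + hdr)

    # Content check: URL-decode first so percent-encoded payloads are matched too.
    target = unquote_plus(m.group(2))
    surface = target + "\n" + "\n".join(lines[1:]) + "\n" + unquote_plus(body)
    for rule in RULES:
        if rule.pattern.search(surface):
            return Verdict("drop", "matched rule " + rule.name)
    return Verdict("allow", "no violation")


# Constructed sample traffic: one benign request, two textbook attack
# patterns the post names (SQL injection, cross-site scripting), and one
# request that is simply malformed.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "benign": b"GET /products?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": b"GET /products?id=42'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss": b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "malformed": b"GET /index.html\r\nHost: shop.example\r\n\r\n",
}


def run_samples() -> Dict[str, str]:
    """Map each sample name to the action the inspector takes on it."""
    return {name: inspect_request(req).action for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        v = inspect_request(req)
        print(f"{name:10s} -> {v.action:5s} ({v.reason})")
```

Running it prints one line per sample: the benign request is allowed, the two attack-pattern requests are dropped with the matching rule named, and the malformed request is dropped before any signature is consulted. The order matters: checking form before content means a decoder never has to reason about a request that does not even parse, which is also where many parser-level vulnerabilities in the server itself would have been reached.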
Green, Amber, Red
If you want a simple way of remembering where IPS fits into your defences, think of driving in your city.
The policies you define for your firewalls are the signs and lights along the roads that tell drivers what is permitted or prohibited in that area.
They control the flow of traffic throughout the city. But as we all know, street signs are critical but not infallible. Sometimes people ignore them, don’t understand them, or don’t see them at all.
A host-based IPS is the police officer on patrol making sure the streets are safe. The IPS is looking for specific violations of the posted signs and when it finds them, puts a stop to them.
The IPS provides a level of protection that goes beyond reducing the attack surface. It’s actively looking for the correct behaviour within the permitted traffic.
Do you have any tips or tricks on running or maintaining a host-based IPS? Please share! And if you’re interested in securing your EC2 or VPC instances, check out our new Deep Security as a Service for cloud servers, currently in free Beta.