
【速搜问答】What is an intrusion prevention system?

Q&A | admin | 3 years ago (2020-08-10) | 538 views | 0 comments

Chinese-English Translation:

An intrusion prevention system (IPS: Intrusion Prevention System) is a computer network security facility that complements anti-virus software (Antivirus Programs) and firewalls (Packet Filter, Application Gateway). It is a network security device that monitors the data transmission behaviour of a network or of network devices and can promptly interrupt, adjust or isolate abnormal or harmful network data transmissions.

Concept

An intrusion prevention system (Intrusion Prevention System) is a computer network security facility that complements anti-virus software (Antivirus Programs) and firewalls (Packet Filter, Application Gateway). It is a network security device that monitors the data transmission behaviour of a network or of network devices and can immediately interrupt, adjust or isolate abnormal or harmful network data transmissions.

Network security

With the widespread use of computers and the continued spread of networks, dangers and crimes originating both inside and outside the network are increasing. Twenty years ago, computer viruses spread mainly through floppy disks. Later, a user opening an e-mail attachment that carried a virus was enough to trigger the virus in the attachment. In the past, viruses spread relatively slowly, and anti-virus vendors had enough time to study a virus at leisure and develop software to prevent and remove it. Today, not only have viruses grown sharply in number and sophistication, they also spread rapidly over the network and can reach the whole world within a few hours. Some viruses even change form as they propagate, defeating anti-virus software.

Attack programs and harmful code that are widespread today include DoS (Denial of Service), DDoS (Distributed DoS), brute-force attacks (Brute-Force-Attack), port scanning (Portscan), sniffing, viruses, worms, spam, Trojans and so on. In addition, software vulnerabilities and defects are exploited to do damage, leaving defenders hard pressed to keep up.

The ways of intruding into a network are also multiplying. Some exploit what the firewall permits to pass; others render anti-virus software ineffective. For example, when a virus has just entered the network, no vendor has yet managed to develop a program to recognise and eradicate it, so the brand-new virus quickly spreads, rampages across the network and damages individual hosts or network resources. This is the so-called Zero Day Attack.

A firewall can filter packets based on IP addresses (IP-Addresses) or service ports (Ports). However, it is powerless against destructive activity carried out over legitimate IP addresses and ports, because a firewall rarely inspects the contents of packets in depth. Even when DPI (Deep Packet Inspection) technology is used, it faces many challenges of its own.

Each piece of attack code has a signature that belongs to it alone; viruses are distinguished from one another by their different signatures, and likewise from normal application code. Anti-virus software recognises viruses by storing the signatures of all known viruses.

In the ISO/OSI layered network model (see OSI model), the firewall works mainly at layers two to four; its effect at layers four to seven is generally weak. Anti-virus software, on the other hand, works mainly at layers five to seven. To close the gap that firewalls and anti-virus software leave between layers four and five, industry put intrusion detection systems (IDS: Intrusion Detection System) into use some years ago. An intrusion detection system promptly alerts network security staff or the firewall system when it discovers an abnormal situation. Unfortunately, by that time the damage has often already been done. Although it is better late than never, a defence mechanism should ideally act before the harm occurs. Intrusion response systems (IRS: Intrusion Response Systems), which emerged next as a complement to intrusion detection systems, can react quickly on discovering an intrusion and automatically take blocking measures. The intrusion prevention system is a further development of the two and draws on the strengths of both.

Like an intrusion detection system, an intrusion prevention system looks deep inside network data for the attack-code signatures it knows, filters harmful data streams, discards harmful packets, and records them for later analysis. Beyond that, and more importantly, most intrusion prevention systems also take into account anomalies in applications or in network transmission to help identify intrusions and attacks: for example, a user or user program violating security policy, packets appearing at a time when they should not, or a weakness in the operating system or an application being exploited. Although an intrusion prevention system also considers known virus signatures, it does not rely on known signatures alone.

The purpose of deploying an intrusion prevention system is to identify attack programs or harmful code, together with their clones and variants, in time, and to take preventive measures that block the intrusion before it happens, or at least substantially reduce its harm. An intrusion prevention system is generally deployed as a complement to the firewall and anti-virus software. When necessary, it can also provide legally valid evidence (forensic) for prosecuting the attacker.

Origins

A: A firewall deployed in line (serially) can block low-level attacks, but it can do nothing about deep attacks at the application layer.

B: An IDS deployed out of band (bypass mode) can promptly detect the deep attacks that penetrate the firewall and is a useful complement to it, but unfortunately it cannot block them in real time.

C: IDS and firewall linkage: the IDS detects, the firewall blocks. However, because there is so far no unified interface specification, and because "instantaneous attacks" (where a single session is enough to achieve the attack's effect, such as SQL injection or overflow attacks) are becoming more frequent, IDS/firewall linkage has not proved very effective in practice.

This is the origin of the IPS product: an inline (firewall-style) security product that can defend against the deep intrusion threats (intrusion detection technology) that a firewall cannot. It came about because users had discovered intrusion threats that they could not control, and revealing them is precisely the role of an IDS.

An intrusion detection system (IDS) detects and raises alerts on abnormal data that may represent intrusions, informs the user of the real-time state of the network, and offers corresponding solutions and handling methods; it is a security product oriented towards risk management.

An intrusion prevention system (IPS) detects and defends against malicious behaviour that has been positively judged to be an attack and would harm the network or data, reducing or eliminating the resources the user must spend handling abnormal situations; it is a security product oriented towards risk control.

This also explains the relationship between IDS and IPS: they do not replace or exclude each other but work together. Without an IDS deployed, one can only guess where which kind of security product should be placed; with IDS widely deployed, the current real-time state of the network is understood, and on that basis one can further decide where to deploy which kind of security product (IPS and so on).
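To make the distinction the text draws concrete (an IDS alerts but forwards, an inline IPS drops and records; detection combines known signatures with protocol and timing anomalies), here is an added toy engine. It is example code written for this page, not a product's code; the signatures, expected service hours and packets are all constructed.

```python
# Added example (not from the page): a toy inline engine showing the IDS/IPS
# distinction the text draws. Signatures, rules and packets are all constructed.
from dataclasses import dataclass, field
from typing import List

# Constructed "known attack" signatures, analogous to the stored signatures
# the text says anti-virus and IPS products match against.
SIGNATURES = {
    "SIG-CONSTRUCTED-001": b"ATTACK_PATTERN_A",
    "SIG-CONSTRUCTED-002": b"ATTACK_PATTERN_B",
}
# Hours during which each service is expected to see traffic; the text counts
# "packets that appear at a time when they should not" as an anomaly.
EXPECTED_HOURS = {22: range(0, 24), 80: range(0, 24), 3306: range(8, 19)}

@dataclass
class Packet:
    src: str
    dst_port: int
    hour: int
    payload: bytes

@dataclass
class Engine:
    inline: bool                       # True = IPS (may drop), False = IDS (alert only)
    forensic_log: List[str] = field(default_factory=list)

    def classify(self, pkt: Packet) -> List[str]:
        """Return the reasons a packet looks hostile (empty list = clean)."""
        reasons = []
        for sig_id, pattern in SIGNATURES.items():          # signature detection
            if pattern in pkt.payload:
                reasons.append(f"signature:{sig_id}")
        if pkt.dst_port == 80 and pkt.payload[:4] not in (b"GET ", b"POST", b"HEAD"):
            reasons.append("protocol-anomaly:non-http-on-80")   # protocol anomaly
        if pkt.hour not in EXPECTED_HOURS.get(pkt.dst_port, range(0, 24)):
            reasons.append("time-anomaly:unexpected-hour")      # transmission anomaly
        return reasons

    def process(self, pkt: Packet) -> str:
        """IDS: alert but forward. IPS: drop and record for later analysis."""
        reasons = self.classify(pkt)
        if not reasons:
            return "forward"
        self.forensic_log.append(f"{pkt.src}->{pkt.dst_port} {';'.join(reasons)}")
        return "drop" if self.inline else "alert+forward"
```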

Intrusion prevention technology

* Anomaly detection. Like an intrusion detection system, an intrusion prevention system knows what normal data, and the relationships between data, usually look like, and can identify anomalies by comparison.

* When dynamic code (ActiveX, Java applets, various script languages and so on) is encountered, it is first placed in a sandbox and its behaviour observed; if anything suspicious is found, the transmission is stopped and execution is forbidden.

* Some intrusion prevention systems combine protocol anomaly detection, transmission anomaly detection and signature detection to effectively block harmful code entering the network through a gateway or firewall.

* Kernel-based protection mechanisms. User programs obtain resources (such as memory, input/output devices, the CPU and so on) through system calls. An intrusion prevention system can intercept harmful system requests.

* Defending and protecting libraries, the Registry, important files and important folders.

System types

Intrusion prevention systems in use can be further divided by purpose into two types: host-based intrusion prevention systems (HIPS: Host-based Intrusion Prevention System) and network intrusion prevention systems (NIPS: Network Intrusion Prevention System).

A network intrusion prevention system is an independent hardware device placed between networks or between network components; it intercepts traffic, inspects passing packets in depth, and then decides whether to let them through. It relies on virus signatures and protocol anomalies to stop harmful code from spreading. Some network intrusion prevention systems can also track and mark the responses to suspicious code and then watch who uses that response information to request a connection, which confirms more reliably that an intrusion event has occurred.

Since harmful code usually lurks within normal program code and waits for a chance to run, a host-based intrusion prevention system monitors normal programs such as Internet Explorer, Outlook and so on, and when they (more precisely, the harmful code they carry) issue requests to the operating system, rewrite system files or establish outbound connections, it blocks them effectively, thereby protecting important individual machines in the network such as servers, routers, firewalls and so on. In doing so it does not need to resort to known virus signatures or pre-set security rules. Overall, a host-based intrusion prevention system can defeat most exploitation attempts. We know that an intrusion means harmful code first reaches its destination and then does its damage; however, even if it manages to break through the firewall and other lines of defence and reach its destination, thanks to the intrusion prevention system the harmful code is ultimately unable to play its role or achieve its goal.
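The host-based behaviour described here, and the kernel-level interception and Registry/file protection listed under intrusion prevention technology, can be modelled as a per-program behavioural policy: a monitored program's OS requests are judged against what that program normally does, with no virus signature involved. The following is an added illustration written for this page, not any product's code; the program profiles, protected locations and events are constructed, and a real HIPS would intercept these requests in the kernel rather than receive them as Python objects.

```python
# Added example (not from the page): a toy host-based IPS policy check.
# Programs, protected paths and events are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List

# Locations the text says a HIPS guards: libraries, the Registry, important files.
PROTECTED_PREFIXES = (
    "C:\\Windows\\System32\\",
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
)
# Behavioural profile per monitored program: what it legitimately does.
# No virus signature is involved, only the program's expected behaviour.
PROFILES: Dict[str, dict] = {
    "iexplore.exe": {"connect_ports": {80, 443}, "write_prefixes": ("C:\\Users\\",)},
    "outlook.exe": {"connect_ports": {25, 587, 993}, "write_prefixes": ("C:\\Users\\",)},
}

@dataclass
class Event:
    process: str   # program issuing the request to the OS
    action: str    # "write", "connect" or "exec"
    target: str    # path or registry key, or "host:port" for connect

def decide(ev: Event) -> str:
    """Return 'allow' or 'block:<reason>' for one intercepted OS request."""
    profile = PROFILES.get(ev.process)
    if profile is None:
        return "allow"                      # unmonitored program: out of scope here
    if ev.action == "write":
        if ev.target.startswith(PROTECTED_PREFIXES):
            return "block:protected-location"
        if not ev.target.startswith(profile["write_prefixes"]):
            return "block:write-outside-profile"
        return "allow"
    if ev.action == "connect":
        port = int(ev.target.rsplit(":", 1)[1])
        if port not in profile["connect_ports"]:
            return "block:unexpected-outbound-port"
        return "allow"
    if ev.action == "exec":
        # Neither profile expects the program to launch other programs.
        return "block:spawn-from-monitored-program"
    return "allow"

def audit(events: List[Event]) -> List[str]:
    """Evaluate a sequence of intercepted requests in order."""
    return [decide(e) for e in events]
```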

2000: On 18 September 2000, Network ICE launched the industry's first IPS product, BlackICE Guard, which for the first time used IDS technology (previously based on out-of-band detection) in inline mode, analysing network traffic directly and discarding malicious packets. 2002-2003: IPS developed rapidly during this period. As products matured and the market accepted them, some large security companies in Europe and the United States acquired IPS technology by buying smaller companies and launched their own IPS products. For example, ISS acquired Network ICE and released Proventia; NetScreen acquired OneSecure and launched NetScreen-IDP; McAfee acquired IntruVert and launched IntruShield. Cisco, Symantec, TippingPoint and other companies also released IPS products.

In September 2005, NSFOCUS (绿盟科技) released China's first IPS product with fully independent intellectual property rights; in 2007, Lenovo Wangyu (联想网御), Venustech (启明星辰), Topsec (天融信) and other domestic security companies released their own IPS products through technical cooperation, OEM and other means.

Evaluation

Against the growing number of worms, viruses, spyware and spam


速搜资源网, all rights reserved | Unless otherwise noted, all content is original | When reposting, please cite the original link: 【速搜问答】What is an intrusion prevention system?