[Resource] Norton's first line of defense: the unique technology where prevention outweighs scanning and removal (human translation by 佳哥 in post #2)

zhilu
Posted 2010-4-24 18:16:47
Last edited by zhilu on 2010-4-24 19:26

What is IPS?

Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level. It is the first line of defense against malware.

There is sometimes confusion between an IPS and a firewall. Personal firewalls are more basic, making allow/deny decisions to ensure that only “selected” programs are allowed to interact over the internet. Firewalls also block network communication on non-standard ports, which are generally not used by legitimate programs and services. On the other hand, an IPS goes one step further, and examines all network traffic that is allowed through the firewall.


We can demonstrate the difference between firewalls and IPS by using the real world example of airport security. Airline officials and security officers confirm the identity of people traveling. They only allow people with proper identification and tickets to pass the checkpoint and proceed towards the gates. On your PC, the personal firewall provides the same function – either allowing “unscreened” traffic or blocking it. Back at the airport, baggage screeners and X-Ray machines make sure that authorized travelers do not carry dangerous items to the gate or onto an airplane. Similarly, the IPS engine’s role in the Norton security suite is to carefully examine the traffic that the firewall has already allowed.

In the past, Intrusion Prevention Systems simply protected against operating system (OS) threats, or denial of service (DOS) and distributed denial of service (DDOS) attacks. These threats exploited vulnerabilities that were mostly in the OS network stack and services. Over the past few years, these OS components have become more robust. So has the threat decreased?

Why is the IPS engine in Norton products so important?

Each year, PC use becomes increasingly centered on online activity, and that means more reliance on web browsers and their plug-ins to interact with sites and services. This has created a golden opportunity for the “bad guys” to move their attacks from the OS to exploiting vulnerabilities in applications. Now they are more likely to target your web browser, document viewers, media players, etc.

With the state of website security across the globe being so poor, the “bad guys” have had an easy time compromising websites and waiting for users to visit. As a result, users are being served malware by visiting not just “dodgy” sites, but very legitimate sites. A recent report from Symantec’s MessageLabs, a leading SaaS email and web-security provider, showed that in March of 2009, 85% of malware detected was hosted by a site that had been operational for at least a year.

In some cases, users are getting infected after being lured into visiting “bad” sites through means of social engineering scams. Fake e-mail from friends, the bank, messages on social networking sites and “malvertisements” are all examples of how unsuspecting users can be driven to these dangerous compromised sites.

To combat these changing threats, the IPS Engine in Norton products has the smarts to protect the vulnerabilities that the bad guys target. In addition to scanning all network traffic, the IPS engine has specific browser protection for today’s most popular browsers.

Won’t I be safe with updated signatures alone?

Stopping a threat “in flight”, at the network level, is extremely effective because it blocks the threat before it ever lands on the system. It is much more expensive to clean a threat once it hits the disk or application memory. Core technologies like antivirus (AV) engines only get a chance to clean these threats when they hit the disk. Sometimes clean removal or quarantine is difficult as these threats try to rapidly increase their footprint on the system by morphing or injecting into other legitimate processes. Some web applications stream data from external web servers and directly deliver it to users. In these cases, technologies like AV aren’t the right tool, which is why additional protection via IPS is so important.

How does the Norton IPS engine work?

Applications that interact over the Internet can have vulnerabilities. Generally, vendors release patches to address these vulnerabilities as they are discovered. Unfortunately, for various reasons, millions of users don’t run fully patched systems, and when they download or stream a document, media file or simple HTML page on an un-patched system, they can be compromised. These exploits, when successful, can also cause (even more) malware to be downloaded, making the problem worse.

The Norton IPS engine patches holes in these vulnerable systems by scanning network traffic for patterns that exploit vulnerabilities. One IPS signature for a particular vulnerability can protect against many variants of exploits and so they are very scalable in their defense.

Norton users running IPS get definition updates with new signature content on a regular basis.

If I run a fully patched system, do I need IPS?

Yes. Vendors typically take anywhere from a few days to a few weeks to release patches for new vulnerabilities in their products. Not all products have an auto-update feature to download new patches as soon as they are available. In some cases, updating to a new patch/version causes incompatibility with other software on the system and prevents users from updating. Practically speaking, there is almost always a window of time when even the most advanced or savvy users are running a system without fully patched software.

The IPS engine from Norton can protect users during these “windows of opportunity” for the bad guys. Symantec’s Technology and Response team works 24/7 and can quickly release updates to Norton products to “virtually patch” critical vulnerabilities.

What is new for IPS in Norton 2010?

When updating the Norton 2009 family of products, the IPS engine was completely redesigned and we made tremendous improvements in performance and protection. Since the IPS engine has to monitor ALL network activity, it can be resource intensive. For the upcoming Norton 2010 products, we are continuing to make improvements based on the changing threat landscape while maintaining our parallel focus on performance:

- Browser protection has been beefed up to protect against a larger range of threats.
- The IPS engine now collaborates more with other protection technologies in the Norton products which means that we are now more effective in neutralizing threats based on IPS detections, as compared to just blocking their network activity.


Summary
When it comes to providing the best protection possible, you can’t rely on a single technology because there isn’t a single threat. Norton’s Intrusion Prevention System is a critical component that is able to detect and block malicious attacks before they ever reach the hard drive or memory of your PC.



Original source: http://community.norton.com/t5/N ... defense/ba-p/124400
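To make the article's "one IPS signature covers many exploit variants" point concrete, here is an added illustration that is not code from the article or from Norton. It assumes a hypothetical document viewer that overflows when a Title header exceeds 64 bytes, builds constructed traffic samples, and compares a sample-centric hash blocklist against a vulnerability-centric inspection rule of the kind an IPS applies to allowed traffic.

```python
import hashlib
import re

# Hypothetical vulnerable viewer (assumption for illustration): it copies the
# "Title:" header of a downloaded document into a fixed 64-byte buffer.
TITLE_LIMIT = 64

# Matches one Title header line inside a document streamed over the network.
_TITLE_RE = re.compile(rb"^Title:[ \t]*(.*?)\r?$", re.MULTILINE)

def build_document(title: bytes) -> bytes:
    """Constructed toy document format: header lines followed by a body."""
    return b"Title: " + title + b"\r\nBody: hello\r\n"

def hash_blocklist_detect(payload: bytes, known_hashes: set) -> bool:
    """Sample-centric detection (blocklist of known bad files): only an exact
    byte-for-byte copy of a previously seen sample is caught."""
    return hashlib.sha256(payload).hexdigest() in known_hashes

def ips_signature_detect(payload: bytes) -> bool:
    """Vulnerability-centric signature: flag any document whose Title header is
    longer than the buffer the viewer allocates, whatever the bytes are.
    One rule therefore covers every variant that triggers the same bug."""
    return any(len(m.group(1)) > TITLE_LIMIT for m in _TITLE_RE.finditer(payload))

# Constructed traffic samples: one known exploit, two trivial variants, one benign.
SAMPLE_EXPLOIT = build_document(b"A" * 200)
VARIANT_REPACKED = build_document(b"B" * 200)           # different filler bytes
VARIANT_TWEAKED = build_document(b"A" * 199 + b"\x90")  # a single byte changed
BENIGN = build_document(b"Quarterly report")

KNOWN_HASHES = {hashlib.sha256(SAMPLE_EXPLOIT).hexdigest()}

def evaluate() -> dict:
    """Return {sample name: (caught by hash blocklist, caught by IPS rule)}."""
    samples = {
        "known_exploit": SAMPLE_EXPLOIT,
        "variant_repacked": VARIANT_REPACKED,
        "variant_tweaked": VARIANT_TWEAKED,
        "benign": BENIGN,
    }
    return {
        name: (hash_blocklist_detect(p, KNOWN_HASHES), ips_signature_detect(p))
        for name, p in samples.items()
    }

if __name__ == "__main__":
    for name, (by_hash, by_ips) in evaluate().items():
        print(f"{name:18} hash blocklist={by_hash!s:5} ips rule={by_ips}")
```

Only the exact known sample is caught by the hash blocklist, while the single vulnerability rule catches every variant and leaves the benign document alone.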
皇甫暮云
Posted 2010-4-24 18:20:16

Human translation

Last edited by jiayan72392 on 2010-4-24 18:26

Intrusion Prevention System (IPS): your first line of defense against malware

What is IPS?
An Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network layer (Layer 3 of the OSI model). It is the first line of defense against malware.

There is sometimes confusion between an IPS and a firewall. A personal firewall is relatively basic, only making "allow/deny" decisions about which selected programs may interact with the Internet. A firewall also blocks network communication on non-standard ports, which legitimate programs and services generally do not use. An IPS, on the other hand, goes a step further: it inspects all network data that the firewall has allowed through.

We can illustrate the difference between a firewall and an IPS with real-world airport security. Airline officials and security staff verify the identity of travelers. They only let travelers carrying valid ID and tickets pass the checkpoint and proceed to the gates. On your PC, the personal firewall provides the same function, allowing all unscreened packets or blocking them. Back at the airport, baggage screeners and X-ray machines ensure that authorized passengers do not bring dangerous items to the gate or onto the aircraft. Likewise, the IPS engine in the Norton security suite is exactly what inspects the packets the firewall has let through.

In the past, intrusion prevention systems only protected systems against operating-system threats, denial-of-service and propagated denial-of-service attacks. These threats mostly exploited vulnerabilities in the operating system's network stack and services. Over the past few years these OS components have become robust. So have the threats decreased?

Why is the IPS engine in Norton products so important?
Every year, PC use concentrates more and more on online activity, which means that more of the interaction between web browsers and their plug-ins and websites and services is trusted. This has created a golden opportunity for the "bad guys" to move from attacking the operating system to exploiting application vulnerabilities. Today they are more inclined to target your web browser, document viewers, media players and so on.

With website security across the world's countries being so poor, the "bad guys" have had plenty of time to study these websites and wait for users to visit. As a result, even when users do not visit dangerous sites but perfectly normal ones, they are still served malware. A recent report from Symantec's Message Labs, one of the leading SaaS e-mail and web-security providers, pointed out that in March 2009, 85% of malware was hosted by a website that had been operating for at least a year.

In some cases, users are lured to a "malicious" site through social-engineering fraud and then infected. Forged e-mails from friends and banks, personal messages on social networks and "malvertisements" are all examples of how unsuspecting users are led to these threatening sites.

To counter these ever-changing threats, the IPS engine in Norton products has the ability to protect the vulnerabilities the bad guys are targeting. Besides scanning all network packets, the IPS engine also provides dedicated browser protection for today's most popular browsers.

If I only update signatures, will that be safe?
Stopping a threat "in flight", that is, at the network layer, is very effective, because it blocks the threat before it "lands" on the system. Once a threat has touched the disk or application memory, removing it is far more time-consuming and laborious. Core security technologies such as antivirus engines only get to remove these threats when they touch the disk. Sometimes removing or quarantining these threats is difficult because they rapidly increase their footprint on the system by morphing or injecting into other legitimate processes. Some web services fetch data from external web servers and deliver it straight to users. In such cases, technologies like antivirus are not a good approach. That is why the additional protection IPS provides is so important.

How does the Norton IPS engine work?
Applications that interact over the Internet can have vulnerabilities. Usually, once vendors discover a vulnerability they release a patch to fix it. Unfortunately, for all sorts of reasons, millions of users do not run fully patched systems. When they download or transfer a document, media file or simple HTML page on a system without all patches, they become defenseless. Once such an exploit succeeds, it can likewise cause (even worse) malware to be downloaded onto the computer, making the problem worse.

The Norton IPS engine patches these vulnerable systems by scanning network packets and looking in them for instances of vulnerability exploitation. One IPS signature written for a particular vulnerability can handle many variants of a threat, so their defensive scalability is very strong.

Norton IPS users regularly receive definition updates containing new signature content.

If my system is already fully patched, do I still need IPS?
Yes. Vendors usually take anywhere from a few days to a few weeks to release patches for new vulnerabilities in their products. Not every product has an auto-update feature that downloads new patches as soon as they become available. In some cases, upgrading to a new patch/version causes incompatibilities with other software on the system and so prevents users from upgrading. Practically speaking, there are always periods when even some advanced users run their systems without all software patches applied.

The Norton IPS engine can protect users from hacker attacks during these periods. Symantec's Technology and Response team works 24/7 and quickly releases updates to apply "virtual patches" for these critical vulnerabilities.

What is new for IPS in Norton 2010 products
When upgrading the Norton 2009 products, the IPS engine was completely redesigned, and we made huge improvements in performance and protection. Since the IPS engine must monitor all network activity, it is very resource-hungry. For the upcoming Norton 2010 products, we will continue to improve protection according to the threat landscape and, likewise, keep up our other focus, performance improvement.

- Browser protection has been strengthened to block a wider range of threats.
- The IPS engine can now cooperate better with the other protection technologies in Norton products. This means that, compared with merely cutting off their network activity as before, we can now remediate threats more effectively based on IPS detections.

Summary
When it comes to providing the best possible protection, you cannot rely on a single technology, since after all there is no single threat. Norton's Intrusion Prevention is a critical component. It can detect and block these malicious attacks before the threat reaches your PC's hard drive and memory.


葱葱.Com
Posted 2010-4-24 18:44:57
This... IPS3?
What's the point of posting this...
皇甫暮云
Posted 2010-4-24 18:46:05
An educational post, so everyone understands that security software isn't only about scanning and removal. The 铁壳 board is fine, but a small number of friends on the other boards seem to have misconceptions.
tearer
Posted 2010-4-24 18:46:10
Learned something.
So IPS is at the network layer...
zhilu
Thread starter | Posted 2010-4-24 18:46:52
    This... IPS3?
    What's the point of posting this...
    Eternity, posted 2010-4-24 18:44

    To take on the XBOX 360
gzy_hao
Posted 2010-4-24 18:51:59
Reply to #3 Eternity

To show how important IPS is to Norton's whole defense system,
and Symantec's philosophy of "block first, scan and remove second".
It also shows how strong the civil-aviation security system is...
葱葱.Com
Posted 2010-4-24 18:55:31
Reply to Eternity

    To show how important IPS is to Norton's whole defense system,
    and Symantec's philosophy of "block first, scan and remove second" ...
    gzy_hao, posted 2010-4-24 18:51

    I'm waiting for the official release of Sonar3...
wenwen9904
Posted 2010-4-24 18:57:30
Last edited by wenwen9904 on 2010-4-24 19:30

... The last line of the post two above is the highlight
皇甫暮云
Posted 2010-4-24 18:57:32
    I'm waiting for the official release of Sonar3...
    Eternity, posted 2010-4-24 18:55

Then help me bump the thread, ok? Or giving RQ (人气 points) works too