|
fragment-reassembly process and crashing the system. An effective solution to this problem is to retain only the first fragment whose header contains specific information.

Stream reassembly. An IPS is also designed to take the data from each TCP stream and reassemble it, stream by stream. It keeps the data unchanged from the time it is sent until it is received, by determining how and when each stream operates, or how its SYN and FIN/ACK packets behave. Stream reassembly is especially important when data arrive at the IDS/IPS in a different order from their original one. This is a critical step in getting data ready to be analyzed, because IDS recognition mechanisms cannot work properly if the data taken in by the IPS is scrambled. Stream reassembly also facilitates detection of out-of-sequence scanning methods. The mechanism can determine the directionality of the data exchange, so it can detect an anomaly if a packet is missing.

Stateful inspection of TCP sessions. An IPS usually performs stateful inspection of TCP traffic to avoid an unmanageable situation in which it has to analyze every packet that appears to be part of a manipulated or fake ongoing session. An attacker could flood the network with such packets, causing the IPS to become overwhelmed. By recording session-establishment data, the IPS can use a data table to enter data about packets within ongoing sessions and to compare incoming packets against the established sessions. If a packet cannot be matched to a table entry in that comparison, it is discarded or dropped.
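
The table lookup described above, as an added example (not code from the original text or from any IPS product): a session table that admits a packet to analysis only when it matches a tracked TCP handshake. The class and function names and the sample traffic are constructed for illustration; sequence-number checks, FIN teardown and entry timeouts are left out.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass(frozen=True)
class Pkt:
    src: tuple   # (ip, port)
    dst: tuple
    flags: int

class SessionTable:
    def __init__(self):
        self.table = {}   # endpoint pair -> (state, initiator)

    def verdict(self, p):
        key = tuple(sorted((p.src, p.dst)))   # same key for both directions
        entry = self.table.get(key)
        if entry is None:
            if p.flags == SYN:                # only a bare SYN opens an entry
                self.table[key] = ("SYN_SENT", p.src)
                return "pass"
            return "drop"                     # claims a session never seen
        state, initiator = entry
        if p.flags & RST:                     # reset ends the tracked session
            del self.table[key]
            return "pass"
        from_initiator = p.src == initiator
        if state == "SYN_SENT":
            if p.flags == SYN and from_initiator:   # SYN retransmission
                return "pass"
            if p.flags == SYN | ACK and not from_initiator:
                self.table[key] = ("SYN_RCVD", initiator)
                return "pass"
            return "drop"
        if state == "SYN_RCVD":
            if p.flags & ACK and not p.flags & SYN and from_initiator:
                self.table[key] = ("ESTABLISHED", initiator)
                return "pass"
            return "drop"
        return "drop" if p.flags & SYN else "pass"  # ESTABLISHED

def classify(packets):
    table = SessionTable()
    return [table.verdict(p) for p in packets]

# Constructed sample: one real session (C <-> S) plus stray packets from X.
C, S, X = ("10.0.0.5", 40000), ("10.0.0.9", 80), ("10.0.0.66", 5555)
SAMPLE = [Pkt(C, S, SYN), Pkt(S, C, SYN | ACK), Pkt(C, S, ACK),
          Pkt(C, S, PSH | ACK), Pkt(X, S, ACK), Pkt(X, S, FIN | ACK),
          Pkt(S, C, RST), Pkt(C, S, ACK)]
```

Running classify(SAMPLE) passes the handshake, the data segment and the reset, and drops the packets from X and the late ACK that arrives after the reset has removed the entry.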

Firewalling. The function of firewalling is basically to protect the IPS itself from attacks while it is doing packet analysis, especially after finishing TCP stateful
|