Purpose

The IDPS object represents Intrusion Detection and Protection System functionality that provides payload inspection, such as that offered by a Web Application Firewall.

The intention is to connect the IDPS to every Application that is protected by IDPS functionality, which gives the IDPS the role of a HIDS rather than a NIDS. (NIDS functionality is instead defined by the PayloadInspection defense property of ConnectionRules.)

The IDPS object extends the Application object, which means that all properties and connections of an Application object are also valid for an IDPS object.

Connections

Application

An Application object can be connected to an IDPS object in three ways: AppProtection, AppExecution (appExecutedApps --> hostApp) and AppExecution (hostApp --> appExecutedApps).

AppProtection

A connection between an application and an IDPS defines that the application is protected by a solution for intrusion detection and prevention, such as web application firewall functionality.

Apache protected by a WAF solution.

AppExecution

The two AppExecution options define which parent application the IDPS (application) is hosted by. An IDPS object inherits its functionality from the Application object, which means that it has all the properties of an application but is also capable of protecting other applications. However, the operating system it is running on (hosted by) can in turn have vulnerabilities and be compromised.

As with the parent/child application relation, connect from the parent (OS) to the child (IDPS) and select AppExecution (appExecutedApps --> hostApp).

The Snort IDPS is running on a Debian machine.
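
As an added illustration (not part of the original documentation or of the modelling tool), the Python below checks a constructed model against the connection guidance above: each IDPS should be hosted through AppExecution and should protect at least one application through AppProtection. The tuple-based model layout, the "Orphan" and "LAN" objects and the function names are assumptions made for this example.

```python
IDPS, APP = "IDPS", "Application"

# Constructed sample model. This layout is an assumption made for the example,
# not the modelling tool's own file format. "Orphan" is a hypothetical object.
OBJECTS = {"Debian": APP, "Apache": APP, "Snort": IDPS, "WAF": IDPS,
           "Orphan": IDPS, "LAN": "Network"}
LINKS = [  # (end A, association, end B); AppExecution runs parent -> child
    ("Debian", "AppExecution", "Snort"),
    ("Debian", "AppExecution", "Apache"),
    ("Snort", "AppProtection", "Debian"),
    ("WAF", "AppProtection", "Apache"),
    ("Orphan", "Network Exposure", "LAN"),
]

def is_app(objects, name):
    # An IDPS extends Application, so it is valid wherever an Application is.
    return objects.get(name) in (IDPS, APP)

def protection_map(objects, links):
    """Return {application: sorted names of the IDPS objects protecting it}."""
    out = {}
    for a, assoc, b in links:
        if assoc != "AppProtection":
            continue
        # Accept either drawing order; for nested IDPS pairs the first end protects.
        for idps, app in ((a, b), (b, a)):
            if objects.get(idps) == IDPS and is_app(objects, app):
                out.setdefault(app, set()).add(idps)
                break
    return {app: sorted(names) for app, names in out.items()}

def lint(objects, links):
    """Return (IDPS name, finding) pairs for IDPS objects that are under-modelled."""
    hosted = {b for a, assoc, b in links
              if assoc == "AppExecution" and is_app(objects, a)}
    protecting = {i for names in protection_map(objects, links).values() for i in names}
    on_network = {a for a, assoc, _ in links
                  if assoc in ("ClientAccess", "Network Exposure")}
    findings = []
    for name in sorted(n for n, kind in objects.items() if kind == IDPS):
        if name not in hosted:
            findings.append((name, "no host application (AppExecution)"))
        if name not in protecting:
            note = "protects no application (AppProtection)"
            if name in on_network:
                note += "; network link is the admin interface, not NIDS"
            findings.append((name, note))
    return findings
```

Calling `lint(OBJECTS, LINKS)` on the sample flags the WAF for having no modelled host and the "Orphan" IDPS for having neither a host nor a protected application.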

ConnectionRule

Please see the Application section.

Data

Please see the Application section.

Group

Please see the Application section.

Identity

Please see the Application section.

Network and NIDS functionality

The IDPS connects to Network via ClientAccess or Network Exposure, like the Application object does. Please note that this represents the network from which it is possible to connect to the IDPS (its administrative interface) and not NIDS (Network Intrusion Detection System) functionality. The NIDS functionality is instead defined on ConnectionRules via their PayloadInspection defense property.

Nested IDPS objects

IDPS objects can be nested, allowing them both to host other IDPS objects and to protect other IDPS objects. In practice, this is likely a bit of a corner case.

RoutingFirewall

Since an IDPS is an Application, it can host and be hosted by a RoutingFirewall object. However, the following is the recommended way to model a firewall.

The IDPS does not protect the firewall traffic; it protects the Firewall OS, since it is acting as a HIDS.

System

Please see the Application section.

Properties

AttackSteps

| Attack step name | Attack step purpose |
| --- | --- |
| The same attack steps apply to IDPS as to Application. | Please see the Application section. |

Defenses

| Defense name | Defense purpose |
| --- | --- |
| Effectiveness | The effectiveness defense property is added to the IDPS compared to the Application. It represents the likelihood of the IDPS identifying incoming payloads and blocking them from affecting the Applications the IDPS is connected to. This property can be used to represent, for instance, how accurate the payload signature definitions of the IDPS are. |
| Disabled | Please see the Application section. |
| SupplyChainAuditing | Please see the Application section. |