IDS vs IPS
Intruder alert: Intrusion Detection Systems (RMIT Test Labs). Series: 1. IDS types; 2. Intruders, responses and how well do they work?; 3. IDS vs IPS; 4. Where to deploy?
Let's clear up a common misconception. Intrusion detection and intrusion prevention aren't different names for the same market segment; they're different names for two distinct categories of security products.
- IDSes are installed on network segments.
- IPSes are installed on servers and desktops.
- IDSes require expert tuning.
- IDSes require more administrative overhead.
- IDSes can't parse encrypted traffic.
- IDSes and IPSes should both have a central management console.
- IDSes have more potential for identifying hackers.
- IPSes can better protect applications.
- Intrusion prevention products are ideal for blocking Web defacement.
- Neither an IDS nor an IPS is a replacement for firewalls.
Understand the IDS challenge
Intrusion detection systems (IDSes) are surveillance products. Using an IDS is somewhat like putting an x-ray machine on your network so that you can examine your packets to see what's inside. IDSes are really more similar to protocol analysers or smart sniffers than they are to intrusion prevention systems (IPSes).
There are a few fundamental problems with how some IDSes work today. First, as more and more network traffic becomes encrypted, IDSes become useless because they can't parse encrypted traffic. Second, as networks become more heavily switched, they typically see only a small amount of the traffic on your network. On a switched network, you need to greatly increase the number of intrusion detection sensors to monitor traffic on all the network segments. On large networks, this means that the total cost of ownership of IDSes can be very high. Third, IDSes generate a huge number of false positives, telling you that your network is being attacked when it's not. These three problems are leading many companies to switch to IPSes.
Leading vendors in the intrusion detection market include Cisco, ISS, and NFR. Some IDSes are sold as software packages you install on top of a leading operating system. Others are sold as turnkey appliances, commonly called sensors by the companies that make them. Typically, these devices work by monitoring the traffic on the network, noting which devices are communicating with each other and categorising the types of traffic interacting with the devices. Traffic patterns are compared against known attack signatures, and alarms are typically set to go off according to certain thresholds and severity levels. For example, a SYN-flood attack might be set to a severity level of high, and an ICMP flood might be set to medium.
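The signature-plus-threshold model described above, as an added example that is not RMIT Test Labs code or any vendor's product: each signature is a matcher, a per-source count threshold within a time window, and a severity. The packet summaries, the thresholds (50 SYNs and 30 ICMP packets per 10-second window) and the sample traffic are all assumptions constructed here. Alerts record only header-level facts (signature, source, count, window), not payloads, which is the minimal reporting the article recommends in the next paragraph.

```python
"""Toy threshold-based IDS alerting (illustration only, not the article's code).

Assumptions (mine, not the article's): packets are summarised as dicts with
ts, src, dst, proto and, for TCP, a tcp_flags string; thresholds, window size
and severities are chosen here for the example.
"""
from collections import defaultdict

# Signature table: name -> (matcher, per-source threshold per window, severity)
SIGNATURES = {
    "syn-flood": (lambda p: p["proto"] == "tcp" and p.get("tcp_flags") == "S", 50, "high"),
    "icmp-flood": (lambda p: p["proto"] == "icmp", 30, "medium"),
}

WINDOW_SECONDS = 10


def detect(packets, signatures=SIGNATURES, window=WINDOW_SECONDS):
    """Return a list of alerts, one per (signature, source, window) that crosses
    its threshold. Only header-level facts are stored, never packet payloads."""
    counts = defaultdict(int)   # (signature, src, window_index) -> packet count
    alerted = set()             # keys already reported, so each fires once
    alerts = []
    for p in packets:
        win = int(p["ts"] // window)
        for name, (match, threshold, severity) in signatures.items():
            if not match(p):
                continue
            key = (name, p["src"], win)
            counts[key] += 1
            if counts[key] >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"signature": name, "severity": severity,
                               "src": p["src"], "window_start": win * window,
                               "count": counts[key]})
    return alerts


def sample_packets():
    """Constructed traffic: one host sends 60 SYNs inside one 10 s window,
    another sends 31 ICMP packets, a third sends 20 ordinary TCP data
    segments that match no signature."""
    pkts = []
    for i in range(60):
        pkts.append({"ts": 100 + i * 0.1, "src": "10.0.0.5", "dst": "10.0.0.80",
                     "proto": "tcp", "tcp_flags": "S"})
    for i in range(31):
        pkts.append({"ts": 200 + i * 0.2, "src": "10.0.0.9", "dst": "10.0.0.80",
                     "proto": "icmp"})
    for i in range(20):
        pkts.append({"ts": 300 + i, "src": "10.0.0.7", "dst": "10.0.0.80",
                     "proto": "tcp", "tcp_flags": "PA"})
    return pkts


if __name__ == "__main__":
    for alert in detect(sample_packets()):
        print(alert)
```

Lowering a threshold makes the sensor more sensitive and also raises the false-positive rate the article complains about; the window and threshold values are exactly the "tuning" that needs an expert.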
It is truly important to tune an IDS to report only the minimum data needed to detect an attack. Storing information on every packet header and payload is not useful, and in the long run, it will just create more work and overhead by taking up valuable disk space, requiring additional backups, and increasing storage requirements.
Preventing intrusions
IPSes are like deadbolts. They simply stop the attack. They do not analyse it and then effect a response. Where IDSes generally monitor network segments, IPSes are typically host-based products that get installed on the actual servers and desktops they are slated to protect.
Leading vendors in the intrusion prevention market include SecureWave and Entercept. These products typically work at the application level by analysing a proposed user action before it accesses and/or modifies any mission-critical files. The requested behaviour of the application must match the desired behaviour that has been previously defined by a standard set of rules. If the proposed action is unusual, the rules that govern the application's behaviour will prevent the action from executing.
Some IPSes compare a checksum of the executable with a known-good checksum list. If the proposed execution is legitimate, the application is allowed to execute. If there is a mismatch in the checksum hash, the application is not allowed to execute. Unlike IDSes, with IPSes the logic is applied before the application is executed in memory. Other IPSes work by intercepting system calls.
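The two host-based gates just described, as an added example that is not the article's or any vendor's code: a checksum check applied before an image is executed, and a rule check applied to a proposed file write, which is how such a product blocks the Web defacement mentioned in the bullet list (a write to the document root is denied unless the rules allow it). The program names, the known-good list, the sample binary bytes and the directory rules are all constructed assumptions.

```python
"""Toy host-based IPS decision logic (illustration only, not a vendor's code).

Assumptions (mine): executables are passed in as bytes, the known-good list
maps a program name to a SHA-256 hex digest, and per-program rules list the
directory trees that program may modify.
"""
import hashlib
import posixpath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" entry: the approved image for a hypothetical web server.
APPROVED_BINARY = b"\x7fELF constructed-sample-web-server"
KNOWN_GOOD = {"httpd": sha256_hex(APPROVED_BINARY)}

# Constructed per-program rules: directories each program may write under.
WRITE_RULES = {
    "httpd": ["/var/www/html/uploads", "/var/log/httpd"],
}


def check_execution(name: str, image: bytes, known_good=KNOWN_GOOD) -> str:
    """Checksum gate applied before the image is loaded into memory: allow only
    if the image hash matches the known-good entry for that program name."""
    expected = known_good.get(name)
    if expected is None:
        return "deny: no known-good entry"
    if sha256_hex(image) != expected:
        return "deny: checksum mismatch"
    return "allow"


def check_write(name: str, path: str, rules=WRITE_RULES) -> str:
    """Rule gate applied to a proposed file modification: the normalised target
    path must sit under a directory the rules permit for this program, so
    '..' segments cannot escape the allowed tree."""
    target = posixpath.normpath(path)
    for allowed in rules.get(name, []):
        allowed = posixpath.normpath(allowed)
        if target == allowed or target.startswith(allowed + "/"):
            return "allow"
    return "deny: path not permitted by rules"


if __name__ == "__main__":
    print(check_execution("httpd", APPROVED_BINARY))
    print(check_execution("httpd", APPROVED_BINARY + b"-patched"))
    print(check_write("httpd", "/var/www/html/uploads/photo.png"))
    print(check_write("httpd", "/var/www/html/index.html"))
```

Both checks run before the action takes effect, which is the difference from an IDS: there is no alert to interpret afterwards, only an allow or deny decision, and a wrong rule shows up as a broken application rather than a false positive in a log.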
An IDS still has its place
Although IDSes have their problems, they can still offer value to an organisation or law enforcement agency under the right circumstances. For example, if your network is under attack and there has been a large loss of valuable assets such as credit card numbers or if money has illegally been transferred to the wrong accounts, using an IDS is a smart way to try to catch the perpetrator.
Because IDSes need to collect a large array of traffic to understand anomalous patterns, they typically require a lot of massaging to tune them, interpret the information, and identify false positives. In fact, monitoring IDSes can be a full-time job. We have seen instances where a hacker has actually exploited an IDS, causing it to create a denial of service attack against the organisation it's in place to protect.
Bottom line
If you work for a financial institution, you should probably deploy both an IDS and an IPS. If your systems contain medical records that include detailed patient information that doctors use to make treatment decisions, you should probably deploy an IDS and an IPS. However, if losing your data would, at worst, create a big inconvenience while your operations team secured the perimeter and the hosts and restored the data, it might be more worthwhile for your organisation to install only an IPS. Certainly, if there are no staff resources dedicated to tuning an IDS or providing the ongoing expert analysis required, there is no point in installing one.
You have misspelled organisation, authorised, unauthorised, analysing, & analyse which should be organization, authorized, unauthorized, analyzing, & analyze. Just thought you should know, doesn't look very good or very professional.