An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also to block malicious actions.
Depending on their physical location in the infrastructure and the scope of protection required, IDS and IPS fall into two basic types: network-based and host-based. Both perform the same function; which type is deployed depends on strategic considerations.
WHY ARE IDS AND IPS NECESSARY?
IDS and IPS devices analyse the traffic flowing to the protected resource in order to detect (and, for an IPS, prevent) exploits and other attempts to abuse vulnerabilities.
These exploits manifest themselves as ill-intended interactions with a targeted application or service. The attacker's goal is to interrupt or gain control of an application or a machine, either disabling the target (a denial-of-service situation) or obtaining the rights and permissions the target holds.
There are four types of IDS and IPS events: true positive, true negative, false positive, and false negative. The goal of implementing an IDS or IPS is to achieve only true positives and true negatives.
Keep in mind that most deployments produce false positives, which cost monitoring engineers time investigating non-malicious events, and false negatives, which can lead to undetected intrusions. Proper configuration of the system is therefore of crucial importance: it must reflect the organization’s own traffic patterns.
An IDS is designed to provide readiness to prepare for and deal with cyber attacks. This is accomplished by collecting information from a variety of system and network sources and analysing it for security problems. An IDS is generally deployed to monitor and analyse user and system activity, audit system configurations and vulnerabilities, assess the integrity of critical system and data files, perform statistical analysis of activity patterns by matching them against known attacks, detect abnormal activity, and audit operating systems.
An IPS is generally deployed in-line and analyses network packet traffic as it flows through. In this respect it is similar in function to an IDS: both attempt to match packet data against a signature database or to detect anomalies relative to what has been pre-defined as “normal” traffic.
Beyond this IDS functionality, an IPS does more than log and alert: it is used to react to the anomalies it detects. This ability to act on detections is what generally makes an IPS more desirable than an IDS.
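As an added illustration (not code from the original article), the Python sketch below models the behaviour described above: one inspection routine matches flows against a toy signature database and a per-port volume baseline standing in for “normal” traffic, an IDS only alerts while the IPS blocks in-line, and the sensor's decisions are scored into the four event types from the previous section. All flows, labels, signatures and baselines are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Flow:
    fid: int
    dst_port: int
    nbytes: int
    payload: bytes
    malicious: bool  # hypothetical ground-truth label, used only to score the sensor

# Constructed sample traffic; payloads and labels are made up for this example.
FLOWS = [
    Flow(1, 80, 420, b"GET /index.html HTTP/1.1", False),
    Flow(2, 80, 610, b"GET /item?id=1 UNION SELECT user,pw FROM t", True),
    Flow(3, 443, 9000, b"POST /upload (large but legitimate backup)", False),
    Flow(4, 22, 300, b"SSH-2.0-OpenSSH", False),
    Flow(5, 80, 500, b"GET /cgi-bin/x?c=%2Fbin%2Fsh", True),  # URL-encoded, no signature hit
    Flow(6, 8080, 7000, b"unknown bulk transfer", True),
]
# Toy signature database (id -> byte pattern) and a per-port "normal" size baseline.
SIGNATURES = {"sig-sql-union": b"UNION SELECT", "sig-shell-cmd": b"/bin/sh"}
BASELINE_MAX_BYTES = {80: 2000, 443: 8000, 22: 4096}
DEFAULT_MAX_BYTES = 4096

def inspect(flow):
    """Return the matching signature id, 'anomaly-volume', or None for normal traffic."""
    for sig_id, pattern in SIGNATURES.items():
        if pattern in flow.payload:
            return sig_id
    if flow.nbytes > BASELINE_MAX_BYTES.get(flow.dst_port, DEFAULT_MAX_BYTES):
        return "anomaly-volume"
    return None

def run_sensor(flows, mode="ids"):
    """Same detection logic for both modes; only the in-line IPS can block a flow."""
    results = []
    for f in flows:
        reason = inspect(f)
        action = "pass" if reason is None else ("block" if mode == "ips" else "alert")
        results.append((f.fid, reason, action))
    return results

def score(flows, results):
    """Bucket every decision into true/false positive/negative."""
    detected = {fid: reason is not None for fid, reason, _ in results}
    outcomes = Counter()
    for f in flows:
        hit = detected[f.fid]
        key = ("true" if hit == f.malicious else "false") + ("_positive" if hit else "_negative")
        outcomes[key] += 1
    return outcomes
```

Flow 3 is a false positive (a large but legitimate upload exceeds the baseline) and flow 5 a false negative (the encoded command string does not match the raw signature), which is exactly the tuning trade-off a real deployment has to manage.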
THE WHAT, WHERE AND WHO OF IDS AND IPS DEPLOYMENT
These questions must be answered in light of the specifics of one’s own environment. The most common locations for intrusion detection/prevention sensors are between the internal network and the extranet, in the Demilitarized Zone (DMZ), between the servers and the user community, and in the remote-access, intranet and database environments. Together, the sensors should establish the network perimeter and cover every possible point of entry.
Once placed, the sensors must be configured to report to a central management console, from which dedicated administrators manage the sensors, distribute new or updated signatures, and review logs. To avoid data tampering, one must ensure that the communication between the sensors and the management console is secured.
The proper identification of mission-critical systems and points of entry requires the following roles in an organization to be involved in any IDS/IPS deployment:
- Senior Management
- Information Security Officers
- Data owners
- Network Administrators
- Database Administrators
- Operating System Administrators
If the key people representing these roles are not involved, resources will not be used efficiently and the resulting measures will be inadequate. It is strongly advisable to perform a vulnerability and risk assessment prior to implementing an IDS or IPS.
Once the IDS is up and operational, its logs must be reviewed and its detection tuned to the specific traffic of the company. Remember that traffic the IDS/IPS perceives as abnormal may be perfectly normal for the environment. An IDS/IPS must be properly maintained and configured.
WHY CHOOSE A VENDOR?
There are times when you may feel you lack the knowledgeable staff to deploy and administer an IDS/IPS. This is where vendors come in. Instead of spending a considerable amount of time and money working out the hows and whys, specialized teams can come to your aid with the expertise required to get you started and to train your personnel.
When choosing a vendor, look for a team that:
- Eliminates false positives by systematically tuning detection to the characteristics of the particular system;
- Eliminates false negatives as well: suppressing false positive alarms can introduce false negatives, and that must not happen;
- Understands what constitutes a security-relevant event and develops proper reporting;
- Installs and configures a complete solution;
- Provides and devises methods to test IDS/IPS;
- Determines the damage caused by a detected attack, limits further damage, and recovers from the attack;
- Makes your systems scalable to the size required.