Introduction to intrusion detection and prevention technologies

Intrusion detection and preventions systems can be critical components to an enterprise's threat management strategy. Learn the history behind the technologies and why they are so important.

Given the never-ending headlines of recent years detailing enter­prise data breaches affecting hundreds of thousands of cus­tomers and involving losses in the billions, business leaders no longer have to be told that there's a threat. But they do have to learn how their orga­nizations can address the very real risk of data loss.

Corporate auditors use risk assessments to iden­tify information resources that, if lost or exposed, could adversely affect the organization. Once infor­mation resources have been identified and ranked according to risk, then technical controls can be used to protect them. No one technical control -- such as a perimeter firewall -- can thwart cybercrimi­nals. Instead, defenses must be deployed in much the same way as soldiers use obstacles, observers and direct fire weapons to deny enemies access to key terrain. This method of combining defenses is called defense in depth.

Defense-in-depth practices have been codified into compliance regulations with varying success levels. To help address shortcomings, the SANS In­stitute, government agencies and a variety of na­tional and international organizations developed the SANS 20 Critical Security Controls based on recom­mended security practices. Intrusion detection and intrusion prevention technologies are recognized as very important to the adoption of these new controls.

Life before IDS/IPS

Intrusion detection systems (IDS) and intru­sion prevention systems (IPS) monitor data flow­ing through corporate networks. IDS technology evolved from packet sniffers, which were used as a network-troubleshooting tool to locate mal­functioning equipment and software by creating logs showing the activity of network packets.

Based on signatures or network packet behavioral cues representing malicious activity, IDS and IPS technologies can detect attacks from the packet through to the application level.

Prior to the advent of network switches, IDS products could be connected to any port on a net­work hub and had a good chance of monitoring net­work packets on a local area network segment. Net­work switches isolate the network traffic between switch ports, so other approaches have to be used.

In low- to medium-traffic networks, the traffic on switch ports can be copied (also known as being spannedor mirrored) to a designated switch port, where a network cable connects the spanned port to the IDS sensor. In higher-traffic networks, other technologies such as network taps are used. A net­work tap is a passive device that connects between network devices and creates a copy of network pack­ets that can then be routed to a monitoring device, such as an IDS sensor.

Very shortly after IDS was developed, IDS designers incorporated the ability to send Transmission Control Protocol reset packets to disrupt TCP traffic between a malicious source and its target destination. Since both port spanning and network taps allow only one-way packet flows from the monitor­ing point, IDS products use a second network inter­face card connected to another switch port to issue TCP resets.

As effective as TCP resets are for TCP traffic, IDS sensors cannot reset packets from connectionless protocols like ICMP and UDP. Also, because IDS technology relies on port spans or network taps to monitor network traffic, there is an upper limit to the number of packets that can be monitored based on the capacity of the spanned switch port or the ca­pacity of the network tap.

The introduction of IDS/IPS

These shortcomings brought the introduction to intrusion detection and prevention. Instead of relying on one-way copies of network traf­fic, IPS sensors are inserted between network de­vices, such as between routers or between switches. Since they are inline devices, IPS sensors can block any type of malicious network traffic and can oper­ate at wire speeds. Since they are essentially point-to-point defensive devices, more IPS sensors have to be employed than with passive IDS sensors that can use spanned network traffic from a variety of sources. IPS sensor locations in the organization's network have to be determined by risk assessments and also by regulatory requirements.

Both IDS and IPS technologies operate in a simi­lar manner. Based on signatures or network packet behavioral cues representing malicious activity, they can detect attacks from the packet through to the application level. These systems can then take a variety of actions to defend sensitive data. Typi­cal actions include issuing alerts via SMS, SMNP or SMTP, logging suspicious activities and automati­cally disrupting malicious activity.

Given the staggering number of network packets that flow through an organization, it is not unusual to detect a high number of suspicious events. Most of this traffic is explainable, and thus IDS and IPS sensors have to be tuned to ignore expected traffic. Even after tuning, there can still be a large number of events to analyze.

Consequently, information from sensors is usually sent to some kind of management server where events are consolidated. This higher-level in­formation can even be sent to a security incident and event management server, where the events are consolidated even further and then cor­related with other security events. Even after this automated event consolidation and correlation, hu­man eyes will still have to examine the result. So or­ganizations can employ cybersecurity analysts with IDS/IPS training, hire a managed security services firm or use both approaches to cover events as they occur 24 hours a day, seven days a week.

About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.

Next Steps

What's the difference between mobile IDS/IPS and traditional IDS/IPS? Find out now

Quiz your IDS/IPS knowledge

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing