Given the never-ending headlines of recent years detailing enterprise data breaches affecting hundreds of thousands of customers and involving losses in the billions, business leaders no longer have to be told that there's a threat. But they do have to learn how their organizations can address the very real risk of data loss.
Corporate auditors use risk assessments to identify information resources that, if lost or exposed, could adversely affect the organization. Once information resources have been identified and ranked according to risk, then technical controls can be used to protect them. No one technical control -- such as a perimeter firewall -- can thwart cybercriminals. Instead, defenses must be deployed in much the same way as soldiers use obstacles, observers and direct fire weapons to deny enemies access to key terrain. This method of combining defenses is called defense in depth.
Defense-in-depth practices have been codified into compliance regulations with varying success levels. To help address shortcomings, the SANS Institute, government agencies and a variety of national and international organizations developed the SANS 20 Critical Security Controls based on recommended security practices. Intrusion detection and intrusion prevention technologies are recognized as very important to the adoption of these new controls.
Life before IDS/IPS
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor data flowing through corporate networks. IDS technology evolved from packet sniffers, which were used as a network-troubleshooting tool to locate malfunctioning equipment and software by creating logs showing the activity of network packets.
Prior to the advent of network switches, IDS products could be connected to any port on a network hub and had a good chance of monitoring network packets on a local area network segment. Network switches isolate the network traffic between switch ports, so other approaches have to be used.
In low- to medium-traffic networks, the traffic on switch ports can be copied (also known as being spannedor mirrored) to a designated switch port, where a network cable connects the spanned port to the IDS sensor. In higher-traffic networks, other technologies such as network taps are used. A network tap is a passive device that connects between network devices and creates a copy of network packets that can then be routed to a monitoring device, such as an IDS sensor.
Very shortly after IDS was developed, IDS designers incorporated the ability to send Transmission Control Protocol reset packets to disrupt TCP traffic between a malicious source and its target destination. Since both port spanning and network taps allow only one-way packet flows from the monitoring point, IDS products use a second network interface card connected to another switch port to issue TCP resets.
As effective as TCP resets are for TCP traffic, IDS sensors cannot reset packets from connectionless protocols like ICMP and UDP. Also, because IDS technology relies on port spans or network taps to monitor network traffic, there is an upper limit to the number of packets that can be monitored based on the capacity of the spanned switch port or the capacity of the network tap.
The introduction of IDS/IPS
These shortcomings brought the introduction to intrusion detection and prevention. Instead of relying on one-way copies of network traffic, IPS sensors are inserted between network devices, such as between routers or between switches. Since they are inline devices, IPS sensors can block any type of malicious network traffic and can operate at wire speeds. Since they are essentially point-to-point defensive devices, more IPS sensors have to be employed than with passive IDS sensors that can use spanned network traffic from a variety of sources. IPS sensor locations in the organization's network have to be determined by risk assessments and also by regulatory requirements.
Both IDS and IPS technologies operate in a similar manner. Based on signatures or network packet behavioral cues representing malicious activity, they can detect attacks from the packet through to the application level. These systems can then take a variety of actions to defend sensitive data. Typical actions include issuing alerts via SMS, SMNP or SMTP, logging suspicious activities and automatically disrupting malicious activity.
Given the staggering number of network packets that flow through an organization, it is not unusual to detect a high number of suspicious events. Most of this traffic is explainable, and thus IDS and IPS sensors have to be tuned to ignore expected traffic. Even after tuning, there can still be a large number of events to analyze.
Consequently, information from sensors is usually sent to some kind of management server where events are consolidated. This higher-level information can even be sent to a security incident and event management server, where the events are consolidated even further and then correlated with other security events. Even after this automated event consolidation and correlation, human eyes will still have to examine the result. So organizations can employ cybersecurity analysts with IDS/IPS training, hire a managed security services firm or use both approaches to cover events as they occur 24 hours a day, seven days a week.
About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.
What's the difference between mobile IDS/IPS and traditional IDS/IPS? Find out now
Quiz your IDS/IPS knowledge