IPS, with IDS, is the best choice - intrusion detection systems
Communications News, Sept, 2003 by Nir Zuk
Administrators have learned that an intrusion-detection system (IDS) may not be the final answer in protecting an enterprise network's critical resources. Some of today's intrusion-detection and prevention technologies, however, can overcome the pitfalls of legacy IDSs and can be effective additions to an IT department's security arsenal. The hitch is identifying which ones, and that requires understanding both the pitfalls of IDSs and the product requirements for delivering real prevention capabilities.
Ample proof exists that data networks and servers, whether based on proprietary or open source software, or on Windows, Unix or Linux, are vulnerable to attack. Most businesses and organizations are aware of these risks, and have invested time and effort in buying network security solutions, such as firewalls and IDSs. Some of those solutions, however, do a poor job of securing the network against today's increasing volume and complexity of attacks, which are now threatening enterprise networks both at the network and application level.
Many IDSs, for example, generate large numbers of false positives. Most also lack the full-featured management functionality that would help IT administrators gauge whether legitimate traffic was blocked, quickly investigate an attack for validity and success, or analyze logs for attack trends so that policy can be modified in time. The result is that already overworked IT staff are burdened further.
Certain intrusion-detection-and-prevention systems, unlike legacy IDSs, can accurately detect attacks and automatically stop them before they reach their target, without disrupting future connections from the same IP address. Determining which products can and cannot provide the attack prevention that is necessary to protect critical assets, however, can be difficult. To do that, a clear understanding of the differences between intrusion-detection and intrusion-detection-and-prevention systems is required.
The differences between an IDS and an intrusion-prevention system are as fundamental as the differences between a video camera passively watching a building's lobby, and a burly lobby guard actually checking entrants before permitting admittance.
A security system that relies solely on a video-surveillance system has the same shortcomings as an IDS. First, when the video-surveillance system detects suspicious activity, it is unable to block the intruder directly. The watcher's only response is to notify someone else of the problem by setting off an alarm or phoning the police. That takes time. By then, the intruder will probably be long past the checkpoint and may have already done his damage before being caught.
Similarly, an IDS passively monitors traffic within an enterprise's network, watching for traffic that looks suspicious and could be considered malicious. The range of attacks a device can detect is tied to the types of detection mechanisms it uses. Generic mechanisms that cannot narrow the scope of the search produce many false alarms, and devices that have only one, two or three mechanisms let attacks slip by undetected because their coverage is insufficient.
More importantly, as monitoring devices, they cannot affect the traffic in real time; instead, they rely on reactive functions, such as sending an IT administrator an alert message, trying to reset the TCP connection and/or signaling the firewall to block an IP address. All of these mechanisms typically take effect after the attack has already reached its victim. As a result, these solutions are insufficient to protect an enterprise's critical network resources effectively.
The solution? Replace the video camera with a lobby guard, charged with physically inspecting each and every visitor before allowing entry into the building, and arm the guard with multiple tools to detect different types of malicious intentions. This is essentially the equivalent of a state-of-the-art intrusion-detection-and-prevention system that uses as many detection methods as possible to detect different types of attacks, and then sits inline blocking the traffic from entering the network if it is considered malicious.
A "proactive" solution also has the ability to accurately interpret the traffic as the destination device would see it. This is important because many sophisticated attacks against networks actually require many packets in a stream. Individually, each packet may be innocuous, but when reassembled at the destination, the payload may cause a buffer overflow on an unprotected server, or a malformed data sequence may trigger a system crash.
Traditional intrusion-monitoring devices are hampered by their inability to correctly interpret the intent of those packets, which attackers use to their advantage, creating ambiguity to evade the system. By contrast, a "network aware" in-line intrusion-detection-and-prevention system can reassemble all of the packets in the sequence, so it can "see" the same data as the traffic's destination address on the network. If an IP packet is found to be malicious, it is simply dropped, and the attack attempt is thwarted.
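The following Python model is an added illustration of the two points above (a passive sensor that can only react after delivery versus an inline device that drops first, and per-packet matching versus inspection of the reassembled stream the destination actually sees); it is not code from the original article. The signature and the sample TCP flow are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


# Constructed signature: 64 or more consecutive 'A' bytes in the request line,
# standing in for the kind of overlong-argument pattern a sensor might look for.
SIGNATURE = b"A" * 64

# Constructed sample flow: the long argument is split across two segments so no
# single packet contains the whole pattern, the segments arrive out of order,
# and one segment is retransmitted.
SAMPLE_FLOW = [
    Segment(45, b"A" * 40 + b" HTTP/1.0\r\n\r\n"),
    Segment(5, b"A" * 40),
    Segment(0, b"GET /"),
    Segment(5, b"A" * 40),          # retransmission of the second segment
]


def match_per_packet(segments, pattern=SIGNATURE):
    """Legacy inspection: test each packet in isolation. A pattern that straddles
    a segment boundary is never seen whole, so this returns False for SAMPLE_FLOW."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments):
    """Rebuild the byte stream as the receiving TCP stack would: order segments by
    sequence number and discard bytes already delivered by an earlier segment."""
    stream = bytearray()
    expected = 0
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq > expected:
            raise ValueError(f"hole in stream at offset {expected}")
        stream += s.payload[expected - s.seq:]   # skip overlapping/duplicate bytes
        expected = max(expected, s.seq + len(s.payload))
    return bytes(stream)


def match_reassembled(segments, pattern=SIGNATURE):
    """Network-aware inspection: match against what the destination will see."""
    return pattern in reassemble(segments)


def run_sensor(segments, inline, pattern=SIGNATURE):
    """Model device placement. An inline IPS judges the reassembled flow before
    forwarding and delivers nothing on a match; a passive IDS sees a copy, so the
    victim receives the data and the sensor can only alert afterwards.
    Returns (bytes delivered to the victim, alert raised)."""
    stream = reassemble(segments)
    hit = pattern in stream
    delivered = b"" if (inline and hit) else stream
    return delivered, hit
```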
Content provided in partnership with http://findarticles.com/source//