IPS (Intrusion Prevention System) and IDS (Intrusion Detection Systems)
IPS and IDS systems look for intrusions and symptoms within traffic. IPS/IDS systems would monitor for unusual behavior, abnormal traffic, malicious coding and anything that would look like an intrusion by a hacker being attempted.
IPS (Intrusion Prevention System) systems are deployed inline and actually take action by blocking the attack, as well as logging the attack and adding the source IP address to the block list for a limited amount of time; or even permanently blocking the address depending on the defined settings. Hackers take part in lots of port scans and address scans, intending to find loop holes within organizations. IPS systems would recognize these types of scans and take actions such as block, drop, quarantine and log traffic. However this is the basic functionality of IPS. IPS systems have many advanced capabilities in sensing and stopping such attacks.
IDS vs IPS
IDS (Intrusion Detection System) systems only detect an intrusion, log the attack and send an alert to the administrator. IDS systems do not slow networks down like IPS as they are not inline.
You may wonder why a company would purchase an IDS over an IPS? Surely a company would want a system to take action and block such attacks rather than letting it pass and only logging and alerting the administer. Well there’s a few reasons; however there are two primary reasons which stand out. IDS systems if not fine tuned, just like IPS will also produce false positives. However it would be very annoying to have an IPS system producing false positives as legitimate network traffic will be blocked as where an IDS will just send alerts and log the false attack. The 2nd reason is some administrators and managers do not want a system to take over and make decisions on their behalf; they would rather receive an alert and look into the problem and take action themselves.
However that said today you will find solutions with both capabilities of IDS and IPS built in. IDS can be used initially to see how the system behaves without actually blocking anything. Then once fine tuned IPS can be turned on and the system can be deployed inline to provide full protection.
IPS and IDS vs Firewalls
Not having an IPS system result in attacks going unnoticed. Don’t forget a firewall does the filtering, blocking and allowing of addresses, ports, service, but also allows some of these through the network as well. However this means that the access allowed is just let through, and firewalls have no clever way of telling whether that traffic is legit and normal. This is where the IPS and IDS systems come into play.
So where firewalls block and allow traffic through, IDS/IPS detect and look at that traffic in close detail to see if it is an attack. IDS/IPS systems are made up of sensors, analysers and GUI’s in order to do their specialised job.
The Job of an IPS\IDS system
Let's take a closer at an IPS/IDS (also known as IPD systems).
Most common attack types that IPS and IDS systems are used for are;
Policy Violations - Rules, protocols and packet designs that are violated. An example would be an IP packet that are incorrect in length.
Exploits - Attempts to exploit a vulnerability of a system, application or protocol. An example would be a buffer overflow attacks.
Reconnaissance - Is a detection method that is used to gain information about system or network such as using port scanners to see what ports are open.
DOS\DDOS - This is when an attack attempts to bring down your system by sending a vast amount of requests to it such as SYN flood attacks.
IPS Techniques to defend against Attacks
Intrusion prevention sensors look at header and data portions of the traffic looking for suspicious traffic that indicate malicious activity.
IPS/IDS solution have the ability to detect threats using a database of signatures, using anomaly detection techniques looking for abnormal behaviour within protocols and can also use or integrate with anti virus for malware detection. Anomaly detection systems target traffic that isn't necessarily bad but used with bad intentions such as lots of traffic to overwhelm a system. TCP Syn Flood attack is an example.
IPS have the ability to take actions on defined policies such as blocking a connection, providing alerts, logging the event, quarantining the host or a combination of these. Policies define the rules that specify what should be detected and type of response required. Policies will include both signature based rules and anomaly detection rules for learning typical network traffic and setting thresholds for these. DOS and reconnaissance rules are based on traffic statistics.
IPS solutions also provide logging and alerting on recent attacks so it should be easy to understand and trace an attack, and provide supporting tools that would aid in blocking attacks. Also clicking the attack should provide detailed information about the attack and what can be done to resolve such an attack. IPS and IDS systems have the ability to search for attacks using different characteristics of an attack such as by attack name, impacted applications, attack ID and so on.
IPS and IDS systems should be configured to only use signatures they require and to protect the assets required as using all signatures and pointing it to protect everything will use up much more resources such as CPU, memory and bandwidth. So if it were web server that required protection then only signatures for web servers should be utilised and protecting only the DMZ where web servers are located. This can also be further defined to be protocols such as HTTP, RDP, or systems like Unix, Windows or applications such as IIS and Adobe.
Attacks should have a severity level that ties to a response such as block, quarantine, log, notify or a combination of these.
IPS IDS Deployment
IPS can be deployed in either span\tap mode, inline or IPS on a stick. In span\tap mode an IPS sensor receives a copy of every packet and can alert on attacks but cannot block them. This is good for when initially testing the system and fine tuning policies before deploying it in inline mode. Inline is where it sits inline with the network and is able to block and alert on attacks. If you are using a Cisco infrastructure then IPS on a stick can be deployed where packets can be forwarded to multiple IPS sensors using Cisco Ethernet Channel technology.
Some IPS solutions can be segregated in virtual IPS sensors that are an option for shared environments or MSSP's.
Bets practice would be to create multiple policies for different resources. define policies for a network segment or for an interface or sub interface for VLANS. Also defining the traffic direction so you are only protecting a targeted area such as inbound from the internet to the DMZ.
Host based Intrusion detection and Network based Intrusion Detection
There are a few different types of intrusion systems. Firstly there’s host based (HIDS) and network based (NIDS). Network based (NIDS) monitors for intrusions on the network. Host based sits on a computer itself and monitors the host itself. HIDS are expensive to deploy on all computers, and so are used for servers that require this extra protection, where network based is usually cheaper to purchase as the investment is in one appliance sitting on your network monitoring traffic.
HIDS and NIDS can come in a number of types of intrusion systems as well;
Signature based
Signatures are created by vendors based on potential attacks and attacks that have been taken place in the past. These signatures are scheduled and downloaded by the intrusion software itself. Any packets arriving into the network are compared to the set of downloaded signatures comparing these for any attacks. Signature based systems are the most common. Most UTM appliances consist of signature based intrusion prevention/detection systems. The only downfall to these systems is that they can not detect new attacks, as they only compare attacks to the signatures their system currently holds.
Anomaly based
In anomaly based, the system would first need to learn the NORMAL behavior, traffic or protocol set of the network. When the system has learnt the normal state of a network and the types of packets and throughput it handles on a daily basis, taking into account peak times such as lunch time for example for web browsing, then it can be put into action. Now when traffic is detected that is out of the normal state of the network, the anomaly based detection system would take action.
The good thing about this type of system is that it can detect new attacks; it does not need to rely on signatures. The bad thing is if you do not spend time fine stunning the system and maintaining it, it will usually produce many false positives (Stop normal traffic). Also some clever hackers try and emulating their attacks as normal traffic, however this is usually difficult to do from a hacking perspective, but if they get it right, it may fool the ADS system as normal and legitimate traffic.
Rule based
Rule based systems are more advanced and cleverly built systems. A knowledge base programmed as rules will decide the output alongside an inference engine. If the defined rules for example all match, a certain assumption can be determined in which an action may take place. This assumption is the power of the inference engine. The inference engine can assume an attack may be occurring because of so many factors; this is unique and is very much behaving like the human mind. In normal computing assumptions can not be made, its either yes or no, but the inference engine adds a different level of thinking; it also adds the “Probably” to the list, like humans. If it rains and is warm, we can assume it may thunder. If more traffic was leaving the company than usual, as well as coming from a certain server, the inference engine may assume, the server could be compromised by a hacker.
Many IDS/IPS solutions have combined both signature and anomaly based detection system.
For further reading, there's some excellent electronic ebooks available for download from eBooks.com