Detecting Intrusion Detection

By: (GCIH, GPEN, GWAPT)

Publication: Nebraska Banker, March/April 2017

Intrusion Detection Systems (IDS) have been around for over thirty years, dating back to the Intrusion Detection Expert System (IDES) in the mid-1980s. Intrusion detection technology continued to evolve with the introduction of host-based, network-based and network behavior analysis systems. Additionally, systems capable of blocking malicious traffic, Intrusion Prevention Systems (IPS), originated from IDS.

Intrusion Detection and Prevention Systems (IDPS) have traditionally been hosted on systems dedicated to the task of detecting and responding to malicious network traffic. Over the last several years, multiple vendors have brought to market security appliances that fill several roles at once, such as firewall, VPN, Internet filtering, antivirus, and IDPS. These devices, also known as Unified Threat Management (UTM) devices, may not always provide true IDPS services, since the device may not have adequate system resources or may require additional licenses or hardware modules. This can leave a device owner believing they are protected by an IDPS when in fact they are not.

What is Intrusion Detection and Prevention?

As with most things, more than one definition of an IDPS is in use. Many firewalls and UTM devices provide stateful packet inspection and stateful protocol analysis, which some refer to as deep packet inspection. These technologies provide basic intrusion detection; however, the National Institute of Standards and Technology (NIST) gives a good explanation of the differences in publication 800-41, “Guidelines on Firewalls and Firewall Policy”:

“Firewalls with both stateful packet inspection and stateful protocol analysis capabilities are not full-fledged intrusion detection and prevention systems (IDPS), which usually offer much more extensive attack detection and prevention capabilities. For example, IDPSs also use signature-based and/or anomaly-based analysis to detect additional problems within network traffic.”

IDPS technologies examine the content (or payload) of each packet of network traffic to determine whether it matches pre-determined rules of malicious behavior or does not match normal network behavior. Firewalls and UTM systems that provide stateful packet inspection and stateful protocol analysis examine only the header of each packet to make sure it meets vendor-specified rules.

An Example

Junk mail is a common problem. The mail carrier brings a bunch of mail and puts it in your mailbox. Sometimes mail is delivered to the wrong person at the wrong address. There is also mail for the wrong person at your address, and then there is correctly addressed mail with your name and address on it. However, for correctly addressed mail, you may not know if it is junk until you open it.

Suppose you hire a person to stand at the mailbox, take the mail from the carrier, and look at the recipient address. This person gives back to the mail carrier any mail that is not for your address and throws away mail that is addressed to someone who does not live at your address. They also look at the mail to make sure it looks like legitimate mail. They are your “mail firewall” and can block quite a bit of junk mail. However, the junk mail that is addressed with your name and the correct address still gets through. So a second person is hired. They take the mail from the mail firewall, open it, and read it. If it is junk mail, it is thrown away. This person is your “mail IDPS”. They open mail, examine it, and detect whether it is junk or not.
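The same split between reading the envelope and opening the letter, applied to a network packet, is sketched below as an added example (not from the original article or any vendor's product). The allowed network, ports, signature and sample packets are all constructed for illustration.

```python
import ipaddress
import re
import struct

# Constructed firewall policy: looks at header fields only.
ALLOWED_DST = ipaddress.ip_network("192.0.2.0/24")
ALLOWED_PORTS = {80, 443}
# Constructed IDPS signature: matched against the packet payload.
SIGNATURES = [("directory traversal in HTTP request", re.compile(rb"(?:\.\./){2,}"))]

def build_packet(src, dst, dport, payload):
    """Build a minimal IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp + payload

def parse_packet(raw):
    """Return (dst_ip, dst_port, payload), located via the header length fields."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    dst = ipaddress.ip_address(raw[16:20])
    dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    data_offset = (raw[ihl + 12] >> 4) * 4
    return dst, dport, raw[ihl + data_offset:total_len]

def firewall_allows(raw):
    """'Mail firewall': decides from the address on the envelope alone."""
    dst, dport, _ = parse_packet(raw)
    return dst in ALLOWED_DST and dport in ALLOWED_PORTS

def idps_alerts(raw):
    """'Mail IDPS': opens the envelope and checks the content against rules."""
    _, _, payload = parse_packet(raw)
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]

# Constructed sample traffic (documentation address ranges, made-up requests).
NORMAL = build_packet("198.51.100.7", "192.0.2.10", 80,
                      b"GET /index.html HTTP/1.1\r\nHost: bank.example\r\n\r\n")
SUSPECT = build_packet("198.51.100.7", "192.0.2.10", 80,
                       b"GET /../../../etc/passwd HTTP/1.1\r\nHost: bank.example\r\n\r\n")
WRONG_PORT = build_packet("198.51.100.7", "192.0.2.10", 23, b"")

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL), ("suspect", SUSPECT), ("wrong port", WRONG_PORT)):
        print(f"{label:10} firewall_allows={firewall_allows(pkt)} alerts={idps_alerts(pkt)}")
```

The suspect request carries the same destination address and port as the normal one, so the header check passes it; only the payload check raises an alert.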

How to determine if a device is an IDS/IPS

Firewalls and UTM devices are capable of providing true IDPS. So how can you tell the difference? First, if you decide to use a firewall or UTM to provide IDPS services, ask the vendor whether the system actually examines the payload of each packet or only provides stateful packet inspection and stateful protocol analysis. The vendor should be able to provide examples of alerts that the IDPS generates and show you the rules it uses to examine the content of packet payloads. Second, ask the vendor whether any additional software licenses or hardware modules are required to provide the IDPS services. Many firewalls and UTM systems do not include IDPS services in the base model.

Once deployed, IDPSs are an effective layer in your defense-in-depth strategy. Expect to see frequent alerts from the IDPS or from the vendor that is managing it. Attackers are constantly crawling the Internet looking for their next place to intrude.

Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your Cybersecurity maturity.