Cyber security is the land of TLAs (Three-Letter Acronyms… get it? We are very meta here…). The complete value chain has dozens of acronyms, from SOC to SIEM through DDoS, CTI, etc. For the uninitiated, all these words sound like summoning ancient monsters from a Lovecraft novel. We could spend hours explaining those terms, but let’s focus on intrusion detection and prevention keywords. Here we go!
For the uninitiated, IDS and IPS stand for Intrusion Detection System and Intrusion Prevention System. Compared to traditional protection mechanisms, such as antiviruses, spam filters, and firewalls, these technologies provide a much higher level of network security. Antivirus software analyzes files, spam filters inspect emails, and firewalls scrutinize IP connections. IDS and IPS, for their part, analyze data and network behavior.
If you use an analogy with a law enforcement agency to describe and compare all these tools, firewalls, email filters, and antiviruses are rank-and-file officers working “in the field”, while intrusion detection and prevention systems are senior officers who work in the office. Let’s take a closer look at these systems.
IDS architecture and technology
The logic of IDS is to identify threats based on traffic analysis, but further action is up to the administrator. Based on the installation point in a network and the principle of operation, there are different categories of these systems.
Types of IDS by installation point
The two most common types of IDS by the location criterion are as follows:
- Network-Based Intrusion Detection System (NIDS)
- Host-Based Intrusion Detection System (HIDS)
The former works at the network level, while the latter only works at the level of an individual host.
Network-Based Intrusion Detection Systems (NIDS)
A NIDS is installed at strategic points of the network, where it analyzes the inbound/outbound traffic generated by all connected devices. It inspects traffic in depth, examining every single packet from the data link layer all the way up to the application layer of the OSI model.
NIDS and a firewall are different things. A firewall only detects attacks coming from outside the network, while NIDS is capable of identifying internal threats as well.
A Network-Based Intrusion Detection System monitors the entire network, so you don’t have to spend money on additional solutions. But there is a drawback: while surveilling all network traffic, it consumes a lot of processing resources. The higher the volume of traffic, the more CPU and RAM power is required.
This leads to significant delays in data exchange and a decrease in network throughput. A massive volume of data can also “overwhelm” the NIDS itself, forcing it to skip some packets, which may leave the network vulnerable.
Host-Based Intrusion Detection System (HIDS)
A host-based system is an alternative to NIDS. Such a solution is installed on a single host within a network and only protects that host. It also analyzes all incoming and outgoing packets, but only for that one device. HIDS functionality is largely based on file snapshots: it takes a snapshot of the current state of the host’s files and compares it to the previous one, thereby identifying discrepancies and possible threats. HIDS should be installed on critical machines whose configuration rarely changes.
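To make the snapshot idea concrete, here is an added example (not code from the post or from any HIDS product) of the file-integrity check a HIDS performs: hash every file under a monitored directory, keep the result as a snapshot, and diff the next snapshot against it. The directory contents and the “tampering” between the two snapshots are constructed inside a temporary directory, so the script runs offline.

```python
"""Minimal HIDS-style file snapshot comparison (added example, constructed data)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file under root (relative POSIX path) to the SHA-256 of its contents."""
    result = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(previous: dict, current: dict) -> dict:
    """Return the added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(previous)),
        "removed": sorted(set(previous) - set(current)),
        "modified": sorted(p for p in previous.keys() & current.keys()
                           if previous[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed /etc-like tree, snapshot it, change it, snapshot again, and diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed changes standing in for activity on the monitored host:
        # one file edited, one removed, one new file created.
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (etc / "hosts").unlink()
        (etc / "crontab").write_text("# constructed placeholder\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real HIDS stores the baseline snapshot somewhere the monitored host cannot silently rewrite, and records ownership and permission bits alongside the hash; the script keeps only the content hash to show the core comparison.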
Other types of IDS by location
In addition to NIDS and HIDS, Perimeter Intrusion Detection Systems (PIDS) are also available. Rather than safeguarding the entire network, they only supervise its boundaries and generate an alert whenever a breach is detected. It’s like a fence alarm or the “Trump wall”.
Another type is the Virtual Machine-Based Intrusion Detection System (VMIDS). It uses virtualization technology to spot threats and allows you to avoid deploying the detection system on a separate device. It suffices to configure the protection on a virtual machine, which will monitor any suspicious network activity.
Types of IDS by the principle of operation
All IDS systems follow the same logic, which boils down to finding a threat through traffic analysis. The differences lie in the analysis workflow. That being said, there are three main categories: signature-based, anomaly-based, and rule-based.
Signature-based IDS
The mechanisms used by this kind of IDS resemble the working principles of antivirus software. It extracts signatures from traffic and compares them to a database that must be constantly updated to ensure proper results. This is the main disadvantage of a signature-based IDS: if the database is unavailable for whatever reason, the network is exposed to threats. Likewise, if an attack is new and its signatures are unknown, it may fly under the radar.
These IDS tools are capable of tracking patterns or states. Patterns are the signatures stored in a constantly updated database, and states are any actions within the system.
The initial state of a system is its normal operation, untainted by malicious interference. After a successful attack, the system goes into a compromised state. Each action, such as setting up a connection using a protocol that does not comply with the company’s security policy, can change the state of the system. A state-tracking signature-based IDS therefore does not record individual actions; it tracks the resulting state of the system instead. The above-mentioned NIDS mostly tracks patterns, while HIDS is primarily focused on keeping a record of states.
Anomaly-based IDS
This type of IDS does something similar to state tracking, but its coverage is broader. Since anomaly-based IDS systems use machine learning to identify breaches, they require a training period before they work properly. Network administrators are advised to completely disable alerts for the first few months so that the system can learn. Once the training period is over, the system is ready to do its job.
The system analyzes the current network activity, compares it to statistics collected during an earlier period, and thus identifies anomalies that fall into three categories:
- Statistical anomalies
- Protocol anomalies
- Traffic anomalies
Statistical anomalies are detected when IDS creates a profile of regular activity (the amount of incoming/outgoing traffic, the list of running applications, etc.) and compares it to the current profile. For example, let’s say a company experiences a 90% increase in web traffic on weekdays. If a 900% spike occurs all of a sudden, the system will alert you to the threat.
To identify protocol anomalies, the IDS system analyzes communication protocols as well as their ties with users and applications. This information allows it to build profiles. For example, suppose a web server must run on port 80 for HTTP and port 443 for HTTPS. If a different port is used for HTTP or HTTPS communication, IDS will generate a warning.
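The two profiles just described, a volume baseline per weekday and a service-to-port mapping, can be shown in a few lines. This is an added example, not code from the post or from any IDS product: it learns both profiles from constructed training data, then checks constructed current observations and reports statistical anomalies (the 90% vs. 900% case from the text, with a constructed 100% tolerance) and protocol anomalies (HTTP seen on a port other than the learned 80). The weekday counts, flow records and threshold are all made up for the demonstration.

```python
"""Toy anomaly-based IDS: statistical and protocol profiles (added example, constructed data)."""
from collections import defaultdict
from statistics import mean

# Constructed training period: web requests per weekday observed over four weeks.
BASELINE_SAMPLES = {
    "Mon": [1000, 1050, 980, 1020],
    "Tue": [1100, 1080, 1150, 1120],
    "Wed": [1200, 1180, 1250, 1210],
    "Sat": [500, 520, 480, 510],
}

# Constructed training flows: (service as classified by the sensor, server port).
BASELINE_FLOWS = [("http", 80), ("http", 80), ("https", 443), ("https", 443), ("ssh", 22)]


def build_profile(samples, flows):
    """Learn the normal profile: mean volume per weekday and the ports seen per service."""
    volume = {day: mean(values) for day, values in samples.items()}
    ports = defaultdict(set)
    for service, port in flows:
        ports[service].add(port)
    return {"volume": volume, "ports": dict(ports)}


def statistical_anomalies(profile, observed, max_increase_pct=100):
    """Alert when a weekday's volume exceeds its baseline by more than the tolerance."""
    alerts = []
    for day, count in observed.items():
        base = profile["volume"].get(day)
        if base is None:
            alerts.append((day, "no baseline for this weekday"))
            continue
        increase = (count - base) / base * 100
        if increase > max_increase_pct:
            alerts.append((day, f"{increase:.0f}% above baseline {base:.0f}"))
    return alerts


def protocol_anomalies(profile, flows):
    """Alert when a known service appears on a port never seen during training."""
    alerts = []
    for service, port in flows:
        allowed = profile["ports"].get(service)
        if allowed is None:
            alerts.append((service, port, "unknown service"))
        elif port not in allowed:
            alerts.append((service, port, f"expected {sorted(allowed)}"))
    return alerts


def demo():
    profile = build_profile(BASELINE_SAMPLES, BASELINE_FLOWS)
    # Constructed current observations: Monday is about +90% (tolerated),
    # Wednesday is +900% (alert), Saturday is normal.
    observed = {"Mon": 1900, "Wed": 12100, "Sat": 510}
    current_flows = [("http", 80), ("https", 443), ("http", 8081), ("telnet", 23)]
    return {
        "statistical": statistical_anomalies(profile, observed),
        "protocol": protocol_anomalies(profile, current_flows),
    }


if __name__ == "__main__":
    for kind, alerts in demo().items():
        print(kind, alerts)
```

The tolerance passed to `statistical_anomalies` is exactly the kind of threshold the IDPS section below talks about: set it too low and every busy Monday becomes a false positive, set it too high and a real flood slips through as a false negative.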
IDS is also capable of detecting suspicious activity in network traffic. Consider, for example, a classic DoS attack. If a malicious actor tries to execute such an attack using “brute force”, even a firewall will identify and stop it. More ingenious malefactors can orchestrate a DDoS attack by sending packets from many different IP addresses, which is harder to detect. IDS can analyze network traffic and prevent such incursions proactively.
Further evolution of IDS
IPS and IDPS
IPS, or Intrusion Prevention System, is the next step in the development of network security systems. In addition to reporting a threat, IPS takes action autonomously. Nowadays, “barebone” IPS tools are very rare. The market is offering a broad spectrum of Intrusion Detection and Prevention Systems (IDPS). These solutions detect attacks and implement predefined countermeasures: Pass, Alert, Drop, or Reject.
IDPS Rules
These systems inevitably produce a certain percentage of false negatives and false positives. To minimize false positives, IDPS allows you to set thresholds for responses – for example, a value for the permissible increase in traffic on weekdays. The system administrator sets these values in the management console.
If the current network traffic is below the specified threshold, it will be allowed to pass through. If it exceeds the threshold, the console will trigger an alert. The packets matching the specified conditions, such as the presence of a malicious script, will be dropped. Also, the console can be configured to display threat severity levels.
Not only can a harmful packet be dropped, but it can also be rejected. In this scenario, both the sender and the recipient will get an appropriate notification. Furthermore, IDPS can send an email to the responsible security professional in case of a threat.
Each rule is combined with a follow-up action – for instance, stopping further analysis of the packet or rejecting it, plus adding a log entry about the event.
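The rule model described in this section (a condition, one of the four countermeasures Pass, Alert, Drop or Reject, a severity, a log entry, and whether evaluation of the packet stops at that rule) fits in a small engine. The following is an added example, not code from the post or from any IDPS product. It also illustrates the signature matching from the signature-based IDS section: one rule is a pattern signature, one is a traffic threshold, and one enforces a constructed access policy. The packets, addresses, signature pattern and threshold are all constructed; the “reject” notification to both endpoints is simulated as a list entry rather than an actual TCP reset or ICMP message.

```python
"""Toy IDPS rule engine with pass/alert/drop/reject actions (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class Rule:
    name: str
    condition: Callable[[Packet], bool]
    action: str                 # "pass", "alert", "drop" or "reject"
    severity: str = "info"
    stop: bool = True           # stop evaluating further rules once matched


class RateTracker:
    """Packets seen per source address. A real IDPS counts within a sliding time
    window; the plain counter keeps the example short."""
    def __init__(self):
        self.counts = {}

    def hit(self, src):
        self.counts[src] = self.counts.get(src, 0) + 1
        return self.counts[src]


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.log = []
        self.notifications = []

    def handle(self, pkt):
        """Evaluate rules in order; return the final verdict and log each matched rule."""
        verdict = "pass"
        for rule in self.rules:
            if not rule.condition(pkt):
                continue
            self.log.append(f"[{rule.severity}] {rule.name}: {rule.action} {pkt.src}->{pkt.dst}")
            if rule.action in ("drop", "reject"):
                verdict = rule.action
            elif rule.action == "alert" and verdict == "pass":
                verdict = "alert"
            if rule.action == "reject":
                # Reject notifies both endpoints, as the text describes; simulated here.
                self.notifications.append((pkt.src, f"rejected by {rule.name}"))
                self.notifications.append((pkt.dst, f"rejected by {rule.name}"))
            if rule.stop:
                break
        return verdict


RATE_THRESHOLD = 3                                           # constructed threshold
SCRIPT_SIGNATURE = re.compile(r"<script\b", re.IGNORECASE)   # constructed signature
ADMIN_HOST, ADMIN_WORKSTATION = "10.0.0.10", "10.0.0.2"      # constructed addresses


def build_engine():
    tracker = RateTracker()
    return Engine([
        # Counting rule first and non-terminal, so every packet is counted.
        Rule("rate-threshold", lambda p: tracker.hit(p.src) > RATE_THRESHOLD,
             "alert", severity="medium", stop=False),
        Rule("script-signature", lambda p: bool(SCRIPT_SIGNATURE.search(p.payload)),
             "reject", severity="high"),
        Rule("admin-host-policy",
             lambda p: p.dst == ADMIN_HOST and p.src != ADMIN_WORKSTATION,
             "drop", severity="medium"),
    ])


def demo():
    """Run constructed packets through the engine and return verdicts, log and notifications."""
    engine = build_engine()
    packets = [
        Packet("10.0.0.5", "10.0.0.80", "GET /index.html"),
        Packet("203.0.113.9", "10.0.0.80", "GET /search?q=<script>x</script>"),
        Packet("10.0.0.5", ADMIN_HOST, "GET /admin"),
    ] + [Packet("198.51.100.7", "10.0.0.80", "GET /") for _ in range(4)]
    verdicts = [engine.handle(p) for p in packets]
    return {"verdicts": verdicts, "log": engine.log, "notifications": engine.notifications}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Rule order matters: the counting rule is placed first with `stop=False` so that a packet rejected by a later rule is still counted toward the source's rate, which is how the last packet from the fourth source crosses the threshold and is escalated to an alert while the earlier three pass.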
UTM – Unified Threat Management
UTM is a comprehensive toolkit that combines many small security modules; it is a kind of police station within the network. UTMs can be delivered as software or hardware and usually include IDS, IPS, and a firewall, often alongside an antivirus, a proxy server, mail filters, and a VPN. Because this is a single system, there’s no need to pay for each module separately. You save both money and time on installation and configuration, which is the key advantage of such an all-in-one solution.
There’s also a drawback, though: UTM is a single point of protection, albeit a well-secured one. Attackers will only face one barrier rather than several layers of defense. A loophole in it will allow them to gain a foothold in the entire network.
NGFW and DPI
The emergence of the Next-Generation Firewall (NGFW) was one more milestone in the evolution of network security systems. While UTMs have been gaining momentum since 2009, the NGFW technology is booming nowadays. Even though it debuted in the late 2000s, it didn’t make waves in the security industry until recently.
One of the game-changing differences is that it incorporates Deep Packet Inspection (DPI). It also allows you to enable only the protection features you need right now. With DPI under its hood, an NGFW analyzes the contents of traffic packets and intercepts those that contain forbidden content.
Where to deploy the protection?
If you decide to install a modern protection instrument in your network, whether it’s IDS/IPS, UTM, or NGFW, an important question is where exactly to implement it. First of all, it depends on the type of system you choose. For example, deploying PIDS in front of the firewall doesn’t make sense, while NGFW can be placed anywhere.
An intrusion detection system can be installed in front of the firewall on the internal side of the network. In this case, IDS will not analyze all traffic, but only the data that the firewall didn’t block. This reduces the load on the system.
IDS can also be placed at the outer edge of the network, behind the firewall. In this case, it filters out unnecessary noise coming from the open Internet and also protects against the scourge of network mapping. When this deployment mode is in place, the system monitors network layers 4 (Transport Layer) through 7 (Application Layer) and uses signatures to spot threats. This setup also reduces the number of false positives.
Another common practice is to install multiple copies of an intrusion detection system in critical locations to protect the most important network assets. All in all, the installation location should be chosen according to your IDS requirements, budgets, and the size of your network.
This is a guest post. If you would like to share content on our blog and become part of the community, please contact us here.
About the author
David Balaban is a guest author on our blog. He is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the MacSecurity.net and Privacy-PC.com projects, which present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.