In a typical network scenario, a firewall is usually capable of keeping the bad guys out. While anti-virus (AV) software detects and stops most viruses, password protection systems take care of access-control, etc. Thus, most people in IT management naturally wonder, “Why do I need an IDS?”
The reasons are in how an IDS works. A firewall controls network traffic at the TCP/IP port level, by blocking access to unwanted ports. However, it keeps open those ports used by applications — for example, port 80 for HTTP traffic. Thus, all attacks over HTTP will not be stopped by the firewall. Similarly, AV systems are great at detecting viruses, but time has proven that they fail to protect the system from malware like adware or spyware. Passwords certainly provide the basic building blocks in security systems, but are prone to attack attempts; they could be stolen manually or electronically, or even be easily guessed, in the worst-case scenario.
Thus, having basic security only gives you the misleading feeling of being secure, rather than actual security. Modern attackers are experts who exploit software vulnerabilities by using technical tools, and devise methods to break into a network to achieve their goals. To handle smart attack attempts, an even smarter security mechanism is needed, which will proactively and intelligently keep an eagle’s eye on the network, and monitor and report incidents swiftly. IDSs or IPSs (Intrusion Protection Services) are solutions that encompass these requirements.
How does an IDS work?
An IDS is essentially a network-based solution, typically designed around a UNIX or Linux kernel. Please refer to Figure 1, which depicts how an IDS device is incorporated in a network. While other forms of defence such as routers and firewalls are required in a network, IDSs act as a complementary means to further strengthen security.
From the installation point of view, the IDS device is usually situated in a demilitarised zone (DMZ), whereby the basic level of protection is taken care of by routers and firewalls, followed by a further level of intelligent intrusion detection. It comes equipped with network interfaces capable of handling heavy network traffic, and configured to work in a promiscuous mode, which enable it to sniff the entire network traffic without causing disruption or slow-downs.
It monitors all network packets right from OSI Layer 2 (data) to Layer 7 (applications), and stores this vast amount of information in its database. It also assimilates that information by applying intelligence to it, to take security decisions.
Intrusion detection mainly focuses on the intention of an attack, rather than just on the methodology. This is made possible by running multiple built-in intelligent algorithms called statistical anomaly-based detection logic. For example, instead of only looking for a virus signature, an IDS device checks network packets and establishes a relationship between the information in the packets, and its potential impact on the network from the security viewpoint. This approach helps the IDS to minimise false alarms.
As another example, an IDS can be configured to look for distributed-denial-of-service (DDoS) attacks on a website. While all HTTP traffic coming to the Web server may be legitimate, it takes extra electronic intelligence to check if the traffic is really legitimate, or part of a possible attack. An IDS does this by storing all requests, and using its intelligence to check each network packet, Web request, XML and other forms of Web data, and performing historic analysis before the request reaches the Web server. Due to this difference in the approach to detection, IDSs are “must-have” components in modern network security infrastructures.
What do I need in an IDS?
It is important to remember that the security in a network is only as good as the most insecure infrastructure component in that network. For example, if a desktop is not patched, it can become a potential node where viruses, trojans and malware can hide. Hence, the IDS should be installed, configured, and used to look at all network segments in a corporate network, from the Internet-facing DMZ to the internal LAN. The typical expectations from an IDS are:
- To detect attacks originating from a program or a person
- To record attack patterns to continuously improve detection logics
- Detect attacks from Layer 2 to Layer 7 (data link to application)
- Alert and report using a powerful dashboard and escalation mechanisms
- Enable information warehousing to store all previous attacks for future forensic evidence
Some advanced IDS devices perform vulnerability analysis based on historic data, to see recurring culprits; file integrity checks to ensure that security is being imposed to the most granular level; and also have a management console, to manage globally dispersed IDS devices from a single administration point.
On the other hand, an IPS not only detects attacks, but is also capable of stopping them, and providing advanced alert facilities. Almost all devices sold in the market today are IPS devices, rather than just being detection systems.
Configuring an IDS/IPS device
If an IDS/IPS device is being installed in a network for the first time, it is always advisable to configure it initially in “alert-only” mode, which means it should not take any proactive actions on attacks that it detects. This is essential for the network administrator to set security policies as needed and get used to the device, to understand how aggressively the IPS system can raise alerts about a situation, and whether or not the device runs smoothly in that network without causing any disruptions.
Once the network admin reaches a better comfort level, the appliance can be configured to start protecting the network from attacks, but with all the alert levels turned on. This gives more insight into how the device responds to each attack, and helps understand which alarms are false, and which are not.
Since each network scenario is different, the interpretation of an attack, and its severity, may vary. The network admin can then decide whether or not to tune alert levels further, to report incidents
If available, an IDS/IPS device can be hooked up to a CRM system, whereby a trouble ticket could be generated and escalated based on the severity of the attack situation. With a proper SLA policy and solution design, an end-to-end security response system can be established. The built-in reporting functionality can be customised to produce detailed technical reports for admin teams, and high-level security reports for the IT management.
Various commercial IDS/IPS products
Since security is of paramount importance in a corporate IT infrastructure, there are a lot of commercial offerings from various vendors in the intrusion detection and protection space. While most products carry a high price tag, there are moderately priced products, as well as open source solutions for those interested. Let’s take a look at a few popular commercial products.
IBM Proventia: This is a suite of security solutions, which also offers a NIPS device (network intrusion protection service) at its core. This device is robust and ideal for very large and complex networks. Its vast feature set helps network admins detect common as well as the most recent vulnerabilities. Proventia comes with a zero-day patching mechanism, whereby a network administrator can create a defence policy against a newly published attack, before the vulnerable vendor product releases a formally tested official patch. Proventia can be incorporated along with other IBM ISS offerings such as patch management, application scanning, etc., to form a complete security solution.
Juniper Networks IDP: Since Juniper Networks established itself as a provider of technically advanced high-end networking products, it introduced its own IDP solutions in the form of hardware appliances. A few powerful features, such as protocol and traffic anomaly detection, and zero-day worm protection are incorporated in these solutions, which make them suitable for high-performance networks.
Cisco Secure IDS and McAfee Intrushield are also examples of enterprise-level IDS/IPS appliances.
All the above devices are available in different models, categorised based on their network throughput, the number of network ports, and feature sets. While those mentioned are meant for large-scale networks of big corporations, there are models available for medium-scale networks with lower network volumes, and that too, without compromising on the feature sets.
Now let’s look at some open source solutions.
Open source intrusion protection solutions
Snort: With a large installation base, Snort is the most popular open source IDS/IPS system available. It is capable of performing real-time protocol analysis and content search to detect malware, similar to a commercial IDS system. Snort supports a wide range of operating systems from XP to Linux, AIX, Solaris, etc., and has its own rule-based language to design intrusion-detection policies and protective actions.
OSSEC: Falling in the same category as Snort, OSSEC is another host-based open source project that addresses intrusion-protection needs. It comes with ample documentation, and supports multiple operating systems. A network administrator can download and install OSSEC free of cost to try it out and test it, and can purchase commercial support for the product from Trend Micro.
Besides the above products, there are a few other offerings available in the open source world. Recently, the US Department of Homeland Security and the Open Information Security Foundation worked with multiple security vendors to come up with an open source engine called Suricata. While the skepticism about open source software still persists, firms and corporations who are serious about cyber security have put the topic on the top of their IT agenda.
Cyber security, like any other form of security, is a process of continuous improvement. As more and more countries in the world connect to the Internet, the resultant increase in awareness is going to bring benefits, as well as its own set of problems. Eventually IDS/IPS devices are going to be a de-facto standard component in any IT infrastructure.
Configuring IPS devices is an art, and needs a deep understanding of networking, combined with real-time experience. As mentioned earlier, there are multiple products and solutions available in the market. If a network lacks an IPS, it should be a top priority for the IT management team to stop attacks before they occur.