Intrusion Detection and Prevention System (IDS/IPS) explained

Intrusion Detection Engine (IDE) v Intrusion Detection System explained

 

What is intrusion?
The Cambridge dictionary was chosen for its conciseness and here is what it says;

an occasion when someone (or something) goes into a place or situation where they are not wanted or expected to be

What is detection?
According to Oxford English Dictionary:

The action or process of identifying the presence of something concealed

What is prevention?
We go back to the Cambridge Dictionary:

the act of stopping something from happening or of stopping someone from doing something

How to describe a system?
Here is the one description appropriate to our subject.

a set of things working together as parts of a mechanism or an interconnecting network

As a reference to Intrusion Detection and Prevention Systems, (IDS/IPS); this doc will refer to them as IPS going forward for sake of brevity.

Putting together all of the words above and playing with the order, I am going to put together a complete description of IPS:

“an IPS is a set of things working together to identify the presence of an occasion when someone or something goes into (targets) a place (computers, application servers, web sites etc) or situation where they are not wanted or expected to be, and takes action to stop something (that you do not allow) from happening or stopping someone ( a hacker, a criminal, an innocent employee, a disgruntled employee) from doing something ( stealing data, transferring files they shouldn’t, creating Administrator accounts, accessing wrong applications, injecting undesirable code into databases).”

Now that we understand IPS basics, let us look at its components or the “set of things”. It is the completeness and quality of those “set of things” that will determine the actual effectiveness of an IPS. The “set of things” or the system itself comprises as a minimum of;

  • Intrusion Detection Engine(IDE)
  • Rules – set of patterns with desired actions for detection
  • A management(graphical) front end
  • A rule management software
  • An alerting mechanism
  • A suitable hardware(pc, server, laptop etc)

All of the above put together will work happily as an IPS. Depending on the vendor, the IDE may be proprietary or open source. The main open source IDEs are SNORT, Suricata and Bro. These are generally and wrongly referred to as IDS/IPS. They are not. They are merely one part of the total system. They are important part but so are all the others. Think about it as an airplane or a car. They each have an engine but you could not travel in the engine alone. An IPS is same and it requires all of the components listed above to function. The detail and accuracy of integration of those components will determine the usefulness of an IPS.

I get it.... please take me to the Free Trial

A number of vendors integrate a mix of open source and proprietary components, installing them on almost a standard, off the shelf hardware and marketing these as appliances. The concept at the face of it seems great! We have all seen appliances on the market that may be purchased for specific IPS requirements. You specify the data throughput (the speed of data flowing through), and the number of appliances required and you’re all set.

Appliances however, have their limitations. You have to understand the exact volume of traffic in advance, you have to know how many points on your network will need IPS protection. Congruently, your flexibility in upgrading an appliance based on increased traffic demand is likely very limited. Your organization most likely will wind up paying lots more for the upgraded hardware appliances and associated licensure.

The alternative to purchasing a pre-fabricated appliance is to build your own appliance. This is where Software based IPS comes into play. With IPS Software you buy the software and install it on any hardware of your choice. This offers you the flexibility to build any supported server into an appliance. Depending upon the software licensing, you can build as many appliances as necessary without having to incur additional charges. The Software may be installed on a server, a laptop, in cloud, on site or on a Virtual Machine. The Software IPS offers further flexibility for upgrading. If you are not happy with the throughput of your current IPS system, you can simply replace the system and reinstall or add faster network cards without any additional costs.

So why would you choose an Appliance against IPS software? The only reason I can see is that the software is pre-installed for you on an appliance. But when you consider all of the limitations, is that point alone enough to buy appliances? It may be if installing a software is very difficult. In the case of CounterSnipe we have created a 3 step installation process that is common across all types of installations. Furthermore, CounterSnipe IPS offers all of the benefits and features of those associated with a good Software IPS.

An IPS is used to Detect, Identify, and take action (stop, alert, allow etc.) on any activity within your IT infrastructure that you select. Therefore you do not simply use IPS to protect from the outside world, you may choose to (and should use IPS), for internal “zero trust” networks too because intrusion can be in any form and from any source.

How can we make an IPS more effective? As outlined above, an IPS is monitoring activity and deciding if you be notified know about it or if it should simply take action. The first thing that will help an IPS do that is if it knew what exactly what is to be guarded. Not what it’s guarding against but what is within your infrastructure that needs to be guarded. CounterSnipe does that for you; in most generic terms, it provides you with comprehensive visibility into your infrastructure. I prefer the term “Network Knowledge”. I am sure many others do too, so I am in no way staking claim to the terminology.

In addition to all the basic IPS functionalities, Network Knowledge comes standard with CounterSnipe IPS. When you plug a CounterSnipe IPS into your infrastructure, it will automatically detect all of the IPs, MACs, applications, listening TCP ports, closed ports (in other words pcs, laptops, servers and the level of their exposure to possible exploits) on your network. Therefore the starting point in protecting one organization will become different from that of another. A business with 1000 nodes may not have the same set of applications and servers as one with 100.000 nodes.

By equipping itself with the Network Knowledge, an IPS will be able to determine more accurately the effects of a specific vulnerability or threat on your network. CounterSnipe IPS uses Network Knowledge to determine following information;

  • Assets – IP and MAC address
  • Key Asset Status – ports and applications
  • New assets
  • Missing assets
  • Anomalous behaviour

IPS events are then correlated with the network knowledge in order to deliver an accurate and real time status of your network security. When you receive an email alert, you do so because there is a real issue.

Deploying or deciding where to deploy an IPS adds further complications. If you are 100% sure about the expansion plans of your business security, then you may decide to purchase an appropriately sized IPS solution as an appliance. However, if you want the flexibility of being able to add additional IPS instances or increase the processing power of an existing one on the fly to accommodate increased throughput then perhaps a software IPS is a better fit for your organization. More importantly, if scalability and flexibility is important you should have a comprehensive no limits IPS security provided by a software IPS solution like CounterSnipe.  CounterSnipe is available for POCs in your own environment for zero cost. Visit http://countersnipe.com/index.php/trial-software to start your eval.

 Created: Amar Rathore This email address is being protected from spambots. You need JavaScript enabled to view it.

Sincere thanks to Chris Boley for proof reading and contributions.

Copyright: CounterSnipe Systems LLC

Comprehensive Health Services Logo