Intrusion Detection and Prevention
Security is all about the deployment of multiple layers of defense. Firewall systems are the first layer of defense and are typically deployed at the perimeter of the organization. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are the next layers of defense. These are systems that are always on with the objective of “detecting” and “preventing” threats to the enterprise. Security practitioners need to review security policies to determine the role IDS/IPS can play in strengthening their defenses.
Intrusion Detection Systems (IDS)
Intrusion detection is about monitoring and identifying attempts made for unauthorized access into an organization’s infrastructure. IDS are designed to detect “threats” and take appropriate action. These threats, referred to as “events,” are typically logged, and an alert is generated to enable a response.
There are two types of IDS: host-based IDS and network-based IDS. Host-based IDS are installed on the host systems that they are intended to monitor. This system may be a server, workstation or other device such as a router. The product typically runs as a process or a service, and has the capability to sniff network traffic that is intended for the host system. These IDS systems check the host against hundreds of “threat signatures” to make sure the system is safe from previously identified threats. Vendors include Cisco, Tripwire, Internet Security Systems (ISS) and Microsoft.
Network-based IDS capture and analyze packets on the wire. While host-based IDS are designed to protect a single system, network-based IDS are built to protect systems on the network. For an IDS to effectively monitor a network, there must be at least one IDS device per network segment. This device may be a fully operational IDS, or it may just be a sensor or a tap. These systems capture packets and pass them on to the IDS console for inspection. Taps and sensors typically do not have an IP address and are thus invisible to intruders. Network-based IDS solutions are typically deployed at a choke point on the perimeter of the network as well as on critical network segments where servers are located. Vendors with solutions for network-based IDS include Internet Security Systems, Symantec and Cisco. Snort is another tool that is available. It is an open-source network-based IDS. It is very popular and deployed in numerous environments today, though it is not the easiest product to learn, install and configure. On the positive side, it supports hundreds of signature-detection rules covering exploits in many areas, including Windows, Linux, port scans and back doors.
Intrusion Prevention Systems (IPS)
A new generation of intrusion detection systems is being positioned as intrusion prevention systems (IPS). IPS have the capability either to stop the attack or to interact with an external system to eliminate the threat. Intrusion prevention controls involve real-time countermeasures taken against specific, active threats. Examples include sending scripted commands to a firewall system to deny all in-bound traffic from a specific suspected attacker’s IP address, or communicating with a virus scanner to clean an infected file. An IPS solution is not a passive device that detects evidence of intrusion, but an active one that can take action to protect against attacks when they are detected.
A term one comes across with IPS is “inline.” Inline IDS/IPS systems have the capability to filter traffic in real time. This allows for actions such as dropping packets, resetting connections or routing suspicious traffic to quarantined areas for analysis.
IDS solutions can produce false alarms that may result in inaccurate information being distributed. This might be due either to poor configuration choices or to limited capabilities. Further, it is typical of products in these areas to require expertise as well as time and effort for management and maintenance. For example, sensors will need to be kept updated.
Inline systems can also affect network performance, since each packet is checked against thousands of patterns. There is also the challenge of deciding what should happen if the device itself fails.
These are all challenges that security practitioners will need to review as they establish their intrusion detection and prevention requirements.
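The Snort-style signature rules, the inline actions (alert, drop, reset plus a scripted firewall deny) and the device-failure question above can be shown together in one small engine. This is an added example, not code from the article, from Snort or from any vendor product: the rule syntax follows Snort’s “action proto src sport -> dst dport (options)” shape but parses only the msg, content and sid options, the packets are constructed dictionaries rather than captured frames, and the fail_open switch and blocklist are assumptions made for illustration.

```python
"""Minimal Snort-style signature engine with inline (IPS) actions.

Added example (not the article's or Snort's code). Rule lines loosely follow
Snort's "action proto src sport -> dst dport (options)" form; only the msg,
content and sid options are parsed. Packets are constructed dicts.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str      # alert (IDS only), drop or reject (inline IPS)
    proto: str
    dst_port: str    # port number or "any"
    msg: str
    content: bytes   # byte pattern the payload must contain
    sid: int


# Assumed subset of Snort rule syntax: source/destination addresses and
# source port are accepted but ignored; only proto, dst port and options count.
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*'
    r'\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for opt in m['opts'].split(';'):
        if opt.strip():
            key, value = opt.split(':', 1)
            opts[key.strip()] = value.strip().strip('"')
    return Rule(m['action'], m['proto'].lower(), m['dport'],
                opts.get('msg', ''), opts.get('content', '').encode(),
                int(opts.get('sid', 0)))


@dataclass
class Verdict:
    allowed: bool                  # False means the inline device drops the packet
    alerts: list = field(default_factory=list)
    reset: bool = False            # True means a TCP reset is sent (reject action)


class InlineEngine:
    def __init__(self, rules, fail_open=False):
        self.rules = [parse_rule(r) for r in rules]
        self.fail_open = fail_open     # assumed policy for when inspection fails
        self.blocked_ips = set()       # stands in for the "scripted firewall deny"

    def _matches(self, rule, pkt):
        if rule.proto != 'any' and rule.proto != pkt['proto']:
            return False
        if rule.dst_port != 'any' and int(rule.dst_port) != pkt['dport']:
            return False
        return rule.content in pkt['payload']

    def inspect(self, pkt):
        # A source already denied by an earlier reject never reaches the rules.
        if pkt['src'] in self.blocked_ips:
            return Verdict(allowed=False, alerts=['src on blocklist'])
        try:
            verdict = Verdict(allowed=True)
            for rule in self.rules:
                if self._matches(rule, pkt):
                    verdict.alerts.append(f"[{rule.sid}] {rule.msg}")
                    if rule.action in ('drop', 'reject'):
                        verdict.allowed = False
                    if rule.action == 'reject':
                        verdict.reset = True
                        self.blocked_ips.add(pkt['src'])
            return verdict
        except Exception as exc:
            # Device failure: fail-open passes the packet uninspected,
            # fail-closed drops it. Either way the failure itself is logged.
            return Verdict(allowed=self.fail_open, alerts=[f'engine error: {exc}'])


# Constructed rules and packets for the demonstration.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe access attempt"; content:"cmd.exe"; sid:1001)',
    'reject tcp any any -> any 445 (msg:"SMB worm probe"; content:"ADMIN$"; sid:1002)',
    'drop tcp any any -> any 23 (msg:"TELNET backdoor banner"; content:"backdoor"; sid:1003)',
]
SAMPLE_PACKETS = [
    {'proto': 'tcp', 'src': '198.51.100.7', 'dport': 80, 'payload': b'GET /index.html HTTP/1.0\r\n'},
    {'proto': 'tcp', 'src': '198.51.100.7', 'dport': 80, 'payload': b'GET /scripts/cmd.exe HTTP/1.0\r\n'},
    {'proto': 'tcp', 'src': '203.0.113.9', 'dport': 445, 'payload': b'\x00\x00ADMIN$\x00'},
    {'proto': 'tcp', 'src': '203.0.113.9', 'dport': 80, 'payload': b'GET / HTTP/1.0\r\n'},
    {'proto': 'tcp', 'src': '192.0.2.5', 'dport': 23, 'payload': None},   # malformed: triggers failure path
]


def run(rules=SAMPLE_RULES, packets=SAMPLE_PACKETS, fail_open=False):
    engine = InlineEngine(rules, fail_open=fail_open)
    return [engine.inspect(p) for p in packets]


if __name__ == '__main__':
    for pkt, v in zip(SAMPLE_PACKETS, run()):
        print(pkt['src'], pkt['dport'], 'PASS' if v.allowed else 'DROP', v.alerts)
```

Running it in fail-closed mode (the default here) shows the difference between the three actions: the cmd.exe request is only logged, the SMB probe is dropped, reset and its source denied for the rest of the session, and the malformed telnet packet is dropped because inspection failed; with fail_open=True that last packet passes uninspected, which is the trade-off behind the “what if the device fails” question.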
Getting Started: Developing an Incident Response Policy
I recommend that the organization develop an incident response policy to establish priorities and process recommendations for threats (or incidents) that are detected.
For example, the following guidance may be included in an organization’s information security policy:
The organization will maintain procedures for identifying security incidents. Incidents will be classified as “serious” or “non-serious.” Non-serious incidents generally have the following characteristics:
- It is determined that there was no malicious intent, or the attack was not directed specifically at the organization associated with the incident.
- It is determined that no sensitive information was used, disclosed or damaged in an unauthorized manner.
Serious incidents generally have the following characteristics:
- It is determined that there was malicious intent and/or an attack was directed specifically at the organization.
- It is determined that sensitive information may have been used, disclosed or damaged in an unauthorized manner.
All workforce members of the organization will report any potential security incident that they become aware of or suspect to the security officer. A security incident is any breach of security policy or any activity that could potentially put sensitive information at risk of unauthorized use, disclosure or modification.
The organization will maintain procedures for responding to serious and non-serious security incidents in order to prevent the escalation of the incident and to prevent future incidents of a similar nature.
Incidents characterized as serious by the security officer will be responded to immediately and reported to all upper-level management.
The organization will attempt to mitigate any harmful effects, when possible, where a security incident affects customer information.
Case Study: The NetScreen Intrusion Detection and Prevention Product
The NetScreen Intrusion Detection and Prevention product (NetScreen-IDP) is an example of technology that provides inline attack protection against worms, viruses and Trojans and stops attacks on the network. The product delivers a detailed, on-demand view of both network- and application-level data to learn about network activities. This data is translated into comprehensive network security policies using a rule-based management GUI. The product also includes built-in tools to correlate data during any phase of an attack. The NetScreen-IDP also identifies rogue servers and applications that may have been added to the network without authorization. The product supports attack reporting and forensics capability to capture all critical information for incident investigation. NetScreen was acquired by Juniper Networks in April 2004. Visit www.juniper.net/products/intrusion for more information.
I cannot envision an organization that does not deploy IDS/IDP solutions. Just like a firewall system, IDS/IDP solutions are vital for defending today’s organizations. These systems give you more insight on the types of attacks that are launched on your business. They give you real-time capabilities to protect sensitive information and