Intrusion Prevention and Detection: the Battle lines
Creating the best security solution is definitely an exercise where the sum is greater than the parts. This is especially true in the area of network security. In this day and age of multifaceted, constantly morphing cyber-attacks, no single solution will keep the enemy at bay. Rather, the best security infrastructure is a multilayered one that utilizes the strengths of each device in the value chain.
The challenge for the keepers of the network security infrastructure–and budget–is that attacks are becoming more sophisticated and the perpetrators more elusive. As a result, the layers of security needed to combat them continue to increase in complexity and capability. The key to effective intrusion protection is understanding the right tools for each layer and the capabilities that are integral to keeping pace with rapidly escalating security demands.
Two particular areas of considerable focus are intrusion detection systems (IDS) and intrusion prevention systems (IPS). While certain features may overlap, IDS and IPS serve two distinct functions and can operate as stand-alone solutions. At the same time, their distinct natures and functionality also mean that the most secure network infrastructure should use both devices in conjunction. Simply put, neither can take the place of the other, and in most cases, both are essential to optimize network security.
The Enemy Without (and Within)
Malicious attacks are on the increase, and the ways and means of attacking enterprise networks are far more sophisticated than could possibly have been imagined a few short years ago. Whereas high-end firewalls and anti-virus applications were once capable enough to handle attacks, the landscape has changed considerably. Viruses, worms and Trojans are becoming a part of the everyday security vocabulary, and companies are finding themselves playing catch-up with the latest variations.
The most recent “flavors of the month”–denial of service (DOS) attacks and more recently, distributed denial of service (DDOS)–have upped the network security ante considerably. In particular, the latter can easily slip through firewalls or other network monitoring devices, since attacks are generated from multiple computers (up to hundreds of thousands in some cases). Rather than one computer generating 100,000 requests (which can be picked up easily by the more capable network protection systems), each computer in a DDOS “Zombie network” may only generate 10—an acceptable threshold that most security equipment would not detect until it is too late.
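The per-source threshold problem described above can be shown on constructed connection records. The following is an added example, not code from the article: the request counts are scaled down from the article's figures (a per-source limit of 5 and a per-target limit of 50 instead of 100,000 and 10), the IP addresses are documentation ranges, and the records are constructed rather than captured. A per-source counter catches the single-computer flood but sees nothing wrong with a zombie network whose members each stay under the limit; only counting what the target receives in aggregate, and how many distinct sources contribute to it, exposes the distributed case.

```python
from collections import Counter

PER_SOURCE_LIMIT = 5   # constructed: alarm when one source sends more than this
PER_TARGET_LIMIT = 50  # constructed: alarm when one target receives more than this in total
TARGET = "192.0.2.10"  # constructed: the web server being protected


def single_source_flood(n=100):
    """Constructed: one attacker sends n requests to the target."""
    return [("10.0.0.1", TARGET) for _ in range(n)]


def distributed_flood(bots=60, per_bot=2):
    """Constructed: many bots each send per_bot requests, all under the per-source limit."""
    return [(f"198.51.100.{i}", TARGET) for i in range(1, bots + 1) for _ in range(per_bot)]


def normal_traffic(clients=20):
    """Constructed: ordinary browsing, one request from each of a few clients."""
    return [(f"203.0.113.{i}", TARGET) for i in range(1, clients + 1)]


def per_source_alarms(records):
    """Classic rate limiting: sources that individually exceed the limit."""
    counts = Counter(src for src, _ in records)
    return sorted(src for src, n in counts.items() if n > PER_SOURCE_LIMIT)


def per_target_alarms(records):
    """Aggregate view: targets that receive more than the limit from all sources combined."""
    counts = Counter(dst for _, dst in records)
    return sorted(dst for dst, n in counts.items() if n > PER_TARGET_LIMIT)


def distinct_sources(records, dst):
    """Number of different sources talking to dst; high values mark a distributed attack."""
    return len({src for src, d in records if d == dst})


def classify(records):
    """Combine the two views: a target alarm with no source alarm is the DDoS case
    that a per-source threshold alone would miss."""
    if not per_target_alarms(records):
        return "normal"
    return "single-source flood" if per_source_alarms(records) else "distributed flood"


if __name__ == "__main__":
    for name, records in (("single", single_source_flood()),
                          ("distributed", distributed_flood()),
                          ("normal", normal_traffic())):
        print(name, classify(records), per_source_alarms(records),
              per_target_alarms(records), distinct_sources(records, TARGET))
```

The design point is that the two counters answer different questions: the per-source counter asks "is anyone misbehaving?", the per-target counter asks "is anyone being overwhelmed?". A detection system that only implements the first will not raise an alarm for the zombie network until the target is already down.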
Added to the dilemma is the fact that more than 70 percent of attacks are generated internally, so firewall protection can only help with a relatively small percentage of the problem. Networking infrastructures therefore must have the capabilities to monitor, detect and respond to attacks from all directions.
Time is another factor that impacts network security. Many installed detection systems will monitor networks and generate reports on a scheduled basis. However, many were developed at a time when a 12-hour time lag between event and response was usually manageable. This is no longer acceptable. The time between detection of a virus or vulnerability exploit and a worldwide epidemic used to be days. Now it can be seconds. One well-known virus spread worldwide from first detection in less than 17 seconds.
A third issue is more administrative than technical. Those in charge of security and networking within an organization often work counter to each other’s interests. Security’s role is to protect the network at all costs, so security professionals are more inclined to shut down traffic when a threat is imminent. For many organizations that rely on Internet traffic for revenue and mission-critical applications, this is impossible. The networking division’s mandate, on the other hand, is to ensure 24×7 availability and high throughput. They are interested in a security infrastructure that can allow traffic to continue while the crisis is being handled behind the scenes. Addressing the needs of both worlds requires a highly evolved networking infrastructure that is sophisticated enough to detect problems before they start and isolate threats if and when they do occur.
With the proper deployment of IDS and IPS–among other devices–many of these challenges can be overcome. New capabilities provide sophisticated detection of anomalies, faster response times, enhanced security and ongoing protection without increasing network latency. It is critical that organizations understand how these devices operate and how they are best deployed to gain maximum benefits.
As mentioned, neither is meant to take on the role of the other, and both are essential to security systems. Both offer protection beyond the firewall, but they are significantly different in their behavior. IDS, for example, is reactive, while IPS is proactive.
About Intrusion Detection Systems (IDS)
An IDS acts as a virtual safety net that in most installations functions after traffic has gone through gateways, encryption, authentication, proxies, etc. An IDS therefore serves as a last chance for an enterprise to be notified of a potential attack.
An IDS works as a 24×7 monitoring device that watches network traffic and flags suspected malicious activities. As a reactive device, it merely flags suspicious activity and generates a report. It does nothing to stop traffic through the system. The key benefit is that it has the ability to flag traffic that looks even slightly suspicious and sends a notification for investigation. An IDS could be compared to a surveillance camera, watching all that transpires and sending alarms to observers. Once the incident is flagged, it is logged and followed up by automated processing or people-based responses, depending on how the device is implemented.
An IDS essentially sits beside the network (i.e., not in-line) to watch traffic as it goes by. Detection methods used for pinpointing suspected malicious activities include pattern-matching algorithms to verify signatures, stateful matching (a more sophisticated form of signature matching) and/or protocol analysis. Since IDS products are deployed offline, they cannot cause network interruptions.
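The three detection methods named above differ in what they look at, and a small passive analyzer makes the difference concrete. This is an added example, not code from the article or from any IDS product: the signature set, the HTTP request-line policy and the packet capture are all constructed, and the stream and sequence numbers stand in for what a real sensor would recover from TCP headers. Plain signature matching inspects each packet on its own; stateful matching reassembles each stream first, so a signature split across packet boundaries is still found; protocol analysis checks the request against the protocol's rules without needing any signature at all. As befits a device on a tap, every function only returns findings and never touches the traffic.

```python
from collections import defaultdict

# Constructed signature set (pattern -> rule name); not a vendor rule base.
SIGNATURES = {
    b"/etc/passwd": "path-disclosure-attempt",
    b"../../": "directory-traversal",
}
# Constructed protocol policy for the HTTP request line.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_REQUEST_LINE = 2048

# Constructed copy of four TCP streams as a passive tap would see them: stream id,
# sequence number and payload. Stream 2 arrives out of order and its suspicious
# path is split across three packets; stream 3 and 4 violate the protocol policy.
PACKETS = [
    {"stream": 1, "seq": 0, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"stream": 2, "seq": 0, "payload": b"GET /files/../"},
    {"stream": 2, "seq": 2, "payload": b"swd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"stream": 2, "seq": 1, "payload": b"../etc/pas"},
    {"stream": 3, "seq": 0, "payload": b"FOO / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"stream": 4, "seq": 0, "payload": b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"},
]


def signature_match(packets):
    """Per-packet pattern matching: each payload is searched on its own, so a
    pattern that straddles two packets is never seen."""
    hits = set()
    for pkt in packets:
        for pattern, name in SIGNATURES.items():
            if pattern in pkt["payload"]:
                hits.add((pkt["stream"], name))
    return sorted(hits)


def reassemble(packets):
    """Group packets by stream and join payloads in sequence order."""
    streams = defaultdict(list)
    for pkt in packets:
        streams[pkt["stream"]].append(pkt)
    return {sid: b"".join(p["payload"] for p in sorted(pkts, key=lambda p: p["seq"]))
            for sid, pkts in streams.items()}


def stateful_match(packets):
    """Stateful matching: the same signatures, searched in the reassembled stream."""
    hits = set()
    for sid, data in reassemble(packets).items():
        for pattern, name in SIGNATURES.items():
            if pattern in data:
                hits.add((sid, name))
    return sorted(hits)


def protocol_analysis(packets):
    """Protocol analysis: flag request lines that break the HTTP grammar or the
    local policy, whether or not any signature matches."""
    findings = []
    for sid, data in reassemble(packets).items():
        line = data.split(b"\r\n", 1)[0]
        if len(line) > MAX_REQUEST_LINE:
            findings.append((sid, "oversized-request-line"))
        parts = line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            findings.append((sid, "malformed-request-line"))
        elif parts[0].decode("ascii", "replace") not in ALLOWED_METHODS:
            findings.append((sid, "unknown-method"))
    return sorted(findings)


def analyze(packets=PACKETS):
    """Run all three methods over a captured copy and report; nothing is dropped."""
    return {
        "signature": signature_match(packets),
        "stateful": stateful_match(packets),
        "protocol": protocol_analysis(packets),
    }


if __name__ == "__main__":
    for method, alerts in analyze().items():
        print(method, alerts)
```

On this capture the per-packet matcher reports nothing, the stateful matcher reports both signatures for stream 2, and protocol analysis reports streams 3 and 4, which carry no known signature at all. This is why the article treats the three methods as complementary rather than as alternatives.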
While they are essential tools for networking security, there are a number of limitations to IDS products that need to be clarified. First, they only detect, but don’t prevent attacks. Generally, they are powerless to stop or slow down an attack. Second, they do require careful tuning to network conditions to be effective. If not tuned properly, they can generate a high number of false positives, since the IDS cannot differentiate between normal network traffic and an attack. Even when the IDS is finely tuned, false positives have been reported in the 30 percent to 40 percent range. As a result, IDS products need continual attention from a team of knowledgeable and skilled technicians to monitor the logs and decide upon the validity of the alerts—a time-consuming and costly process. One vendor reported more than 21 million alarms in a three-month period. Of those, only 1,482 incidents actually required remediation. IDS solutions also must be placed at the appropriate points at all entryways, be properly configured and be constantly updated, another time-consuming and cumbersome task.
That being said, IDS products have evolved to include prevention capabilities that include dropping attacker packets before they reach their intended target and eliminating false positives through multiple detection methods.
IDS Over Segregated Networks
A particular technology development of interest in the IDS area is the concept of a load balancer. This very new concept is an effective means for organizations with segregated networks to implement IDS capabilities. A load balancer works much like a traffic manager to allow communication