While threat management remains a top priority, it’s more important than ever for cash-strapped security professionals to fully understand the functionality of intrusion defense tools in order to make good purchasing decisions.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are a particularly confusing area because the products are so similar, the same vendors sell both, and even the acronyms are hard to tell apart. We’ll explain each one’s capabilities and how to decide whether you need one or both technologies.
Differentiate between IDS and IPS
An IPS is not the same as an IDS. However, the technology you use to detect security issues in an IDS is very similar to the technology you use to prevent security issues in an IPS.
It’s important to start by understanding that IDS and IPS are very, very different tools. Even though they have a common basis, they fit into the network in different places, have different functions and solve different problems.
An IPS is better compared to a firewall. In a typical corporate firewall, you will have a number of rules: maybe a hundred, maybe a thousand. Most of these rules are “pass”: “allow traffic to pass” rules. So the firewall picks up a packet over the wire and starts with its rules, looking for a rule that says “allow this packet to pass.” If it comes to the end of the list and there is no rule saying “allow this packet to pass”, then there is one last “deny” rule: “drop everything else”. So, if there is no reason to forward the traffic, the firewall drops it.
An IPS is like that, but backwards: it has rules, maybe hundreds, maybe thousands. Most of these rules are “deny”: “block this known security issue” rules. When a packet arrives at the IPS, the IPS goes through its list of rules from top to bottom, looking for a reason to drop the packet. At the end of the list, however, is an implicit “pass” rule: “allow this packet to pass”. So, if there is no reason to drop the traffic, the IPS lets it through.
Firewalls and IPS are control devices. They sit inline between two networks and control the traffic passing through them. This means the IPS sits on the policy side of your security house: it implements or enforces a particular policy by blocking traffic that is not allowed.
The obvious affinity between firewalls and IPS from a topological point of view led to the world of UTM, where an IPS is integrated into the firewall. A UTM lets you have both security services (blocking known security threats, allowing known good traffic) in a single device. We will talk later about the ultimate convergence of IPS and firewall, the UTM (Unified Threat Management) firewall.
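The rule-evaluation model described above (firewall: mostly “pass” rules with an implicit final “drop”; IPS: mostly “drop” rules with an implicit final “pass”; UTM: both in one box), as an added toy example that is not from the original article. Rule names, ports, packets and the “known-bad signature” string are all constructed for illustration.

```python
# Added toy model (not the article's code): both engines walk a rule list top to
# bottom and stop at the first match; only the common rule type and the implicit
# last rule differ. Packets, rules and the signature string are all constructed.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    action: str  # "pass" or "drop"

def first_match(rules: List[Rule], implicit_last: str, pkt: Packet) -> Tuple[str, str]:
    """Walk the list top to bottom; the first matching rule decides.
    If nothing matches, the implicit last rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return implicit_last, "implicit-" + implicit_last

# Firewall: "pass" rules for known-good traffic, implicit "drop everything else".
FIREWALL_RULES = [
    Rule("allow-web", lambda p: p.dport in (80, 443), "pass"),
    Rule("allow-dns", lambda p: p.dport == 53, "pass"),
]

# IPS: "drop" rules for known-bad traffic, implicit "allow everything else".
IPS_RULES = [
    Rule("block-known-exploit-signature", lambda p: b"CONSTRUCTED-BAD-SIG" in p.payload, "drop"),
    Rule("block-telnet", lambda p: p.dport == 23, "drop"),
]

def firewall(pkt: Packet) -> Tuple[str, str]:
    return first_match(FIREWALL_RULES, "drop", pkt)
def ips(pkt: Packet) -> Tuple[str, str]:
    return first_match(IPS_RULES, "pass", pkt)

def utm(pkt: Packet) -> Tuple[str, str]:
    """Firewall and IPS in one box: the firewall decides first, then the IPS
    looks for a reason to drop what the firewall let through."""
    action, rule = firewall(pkt)
    if action == "drop":
        return action, "firewall:" + rule
    action, rule = ips(pkt)
    return action, "ips:" + rule
```

Running `utm(Packet(80, b"GET /?q=CONSTRUCTED-BAD-SIG"))` shows the division of labour: the firewall passes the web request, and only the IPS drops it; a packet to an unlisted port never reaches the IPS because the firewall’s implicit drop handles it first.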
The main reason for having an IPS is to block known attacks on a network. When there is a window of time between when an exploit is announced and you have the time or opportunity to patch your systems, an IPS is a great way to quickly block known attacks, especially those using a common or well-known exploit tool.
Of course, IPS can provide other services. As product vendors seek to differentiate themselves, IPS have become tools for rate limiting (which is also useful in denial of service mitigation), policy enforcement tools, protection against data breaches and behavioral anomaly detection tools. In all cases, however, the key function of IPS is a control function.
What is an IDS?
If an IPS is a control tool, then an IDS is a visibility tool. Intrusion detection systems sit off to the side of the network, monitoring traffic at many different points and providing visibility into the security posture of the network. A good analogy is to compare an IDS with a protocol analyzer. A protocol analyzer is a tool that a network engineer uses to take a deep dive into the network and see what’s going on, sometimes in excruciating detail. An IDS is a “protocol analyzer” for the security engineer: it takes a deep dive into the network and sees what’s going on from a security perspective.
In the hands of a security analyst, an IDS becomes a window into the network. The information provided by an IDS helps security and network management teams discover:
- Security policy violations, such as systems or users running applications against the policy
- Infections, such as viruses or Trojans that partially or fully control internal systems, using them to spread infection and attack other systems
- Information leaks, such as running spyware and keyloggers, as well as accidental information leaks by valid users
- Configuration errors, such as applications or systems with incorrect security settings or misconfiguration of the network that impairs performance, as well as improperly configured firewalls where the rule set does not match the policy
- Unauthorized clients and servers, including unauthorized server applications that threaten the network, such as DHCP or DNS services, as well as unauthorized applications such as network analysis tools or an insecure remote desktop.
This increased visibility into the network security posture is what characterizes an IDS, and it is what differentiates the visibility function of an IDS from the control function of an IPS.
Of course, since IDS and IPS have the word “intrusion” at the beginning of their acronym, you might be wondering why I didn’t mention “intrusion” as part of the function of IDS or IPS. This is in part because the word “intrusion” is so vague that it’s difficult to know what an intrusion is. Certainly, someone who actively tries to break into a network is an intruder. But is a PC infected with a virus an “intrusion?” Is someone doing network discovery an intruder … or just someone doing research? What if a malicious actor is legitimately present on the network – say, a dishonest employee – are their legitimate and illegitimate actions intrusions or something else?
The most important reason the word “intrusion” is not included in the description of IDS and IPS is that they are not very good at catching real intruders. An IPS will block known attacks very well, but most of these attacks are either network discovery or automated scans seeking other systems to infect – hardly “intrusions” in the classic sense of the term. The best intrusion prevention system in this case is the firewall, which doesn’t let inappropriate traffic into the network in the first place.
It is the misuse of the word “intrusion” in reference to these visibility and control technologies that has caused such confusion and false expectations among the personnel of companies that have deployed IDS or IPS.
Yes, an IDS will detect real intrusions. Yes, an IPS will block real intrusions. But these products do much more than that: they offer better control and greater visibility, which is where their true value lies.
So what do I buy?
If all the products were either an IDS or an IPS, then the answer to the “what should I buy” question would be simple: buy an IDS if you want visibility, and buy an IPS if you want control. But the IPS and IDS vendors don’t make it easy for us, as they have developed and launched hybrid products that combine IDS visibility and IPS control.
For most businesses, especially those that do not yet have an IPS or IDS, the correct answer is “buy an IPS”. A visibility tool only gives you value if you have the time to look at what it is telling you. With tight budgets and overworked staff, the kind of senior security engineer it takes to really get the most from an IDS is rare. Buying a product that no one is looking at won’t do you much good. Without regular and disciplined use of the visibility aspects of an IDS, the only real effect you will see is an increase in utility bills.
This does not mean that an IPS is a “set it and forget it” type of device. To get the most out of an IPS, you should set it up to match your own network and your combination of applications and systems. If you don’t, you’ll either have a high false positive rate, which can interrupt legitimate traffic, or you’ll miss out on a lot of attacks, in which case the IPS isn’t giving you much value. An IPS that never has a false positive is probably not doing a good job of protecting your network.
However, you will still get value from an IPS even without investing a lot of time in managing and tuning it, and without analyzing what it tells you about your network. This is because the IPS will be there, providing additional defenses and helping to protect you from common mistakes. Since most security issues are the result of human error rather than targeted attacks, an IPS is an exceptional way to bring a defense-in-depth strategy to network security.
Many IPS vendors, because of their IDS heritage, sell products that combine both IPS and IDS functions. They have the powerful malware and attack detection engine needed to identify and block attacks, but they also have additional rules and tools designed to improve network visibility.
When considering IPS, IDS or combination products, remember to focus on your main requirement. If you are looking for additional control, the most important part of the picture is the IPS detection engine. An IPS must be able to detect and block attacks quickly, at very high speeds, and without degrading network performance, throughput, or latency.
If you are looking for visibility and network analysis capabilities, the most important part of the picture is the IDS management console. You must be able to navigate the information provided by the IDS quickly and naturally to gain visibility into the network and its security. While the detection engine is important, it is not as important as the management system. Without an efficient way to extract information from the IDS – and this is as much about your training as about the management console you are installing – you won’t see much value from an IDS.