Intrusion detection and prevention

Intrusion detection and prevention technology has remained a mainstay at the network perimeter, even though security experts predicted five to seven years ago that it would be a dead technology. The IPS market is thriving, and enterprises find both security value and regulatory compliance value in a platform that stops malicious attacks at the perimeter. Several firewall products are integrating intrusion prevention into their offerings, but there has not been a complete shift to that deployment model. As with other security areas, multiple perspectives drive technology theory and practice. Typically, the integrated solution becomes a serious consideration when the number of network segments requiring protection grows to the point where deploying standalone intrusion prevention is simply cost prohibitive.

Larger enterprises seem to be interested in this capability to reduce cost on a grand scale. Smaller enterprises look at integrated solutions for the reduction in operational expense and some financial savings. A primary reason for keeping the technologies separate is separation of duties, where the network and security teams jointly manage the technologies in the perimeter infrastructure. The separation is clear when the devices are homogeneous solutions with unambiguous management ownership by one team or the other.

Both intrusion detection and prevention continue to be deployed at various points within the enterprise network, but the shift to outright threat prevention has become the standard. A few pure intrusion detection products remain available, but obtaining detection-only behavior from an IPS is a simple matter of configuring it not to mitigate a detected attack. In some cases the decision not to mitigate is driven by the sensitivity of the monitored environment, where a false-positive block could itself be detrimental to the enterprise. Simply knowing that an attack is occurring, together with the benefit of traffic analysis, has value on internal segments, though IDS is not typically deployed this way at the network perimeter. These two approaches, detection alone versus detection with mitigation, are covered in the following sections.

Intrusion detection

Intrusion detection is simply a method for detecting an attack while taking no action against it, such as blocking the malicious traffic. For the most part it has been abandoned at the network perimeter, where merely learning about an attack after the fact is not acceptable. Intrusion detection still has a significant presence in internal server segments, where custom applications might otherwise be blocked for not adhering to a protocol RFC. A typical case is a developer who builds an application on a TCP port that a known Trojan also uses, so every legitimate connection triggers the port-based rule; here detection rather than mitigation is desired to limit the impact on the enterprise. Intrusion detection has all the detection logic of intrusion prevention, but without the ability to actively mitigate a threat.

Another benefit of deploying intrusion detection in the internal network is the ability to passively observe the behavior of internal users. Significant intelligence can be gathered by monitoring their network activity, giving a better indication of which areas need to be secured. This knowledge can also trigger an investigation into an internal malicious actor and lead to additional targeted monitoring of that user. The investigation can determine whether the behavior is intentional or whether malware is running on the user's system. Either way it highlights potential areas of weakness and the fact that being an internal user does not imply trustworthiness.

Intrusion prevention

Intrusion prevention is similar to intrusion detection but adds the capability to disrupt and mitigate malicious traffic by blocking it or by other means. Placing an IPS in front of the external firewall is an effective way to detect and block port scanning that would otherwise consume the available connection state on the perimeter firewall. Many IPS devices include purpose-built denial of service mitigation, which is ideal for protecting Internet-accessible infrastructure, including both systems and network equipment.

Intrusion prevention can be deployed at the network perimeter with greater confidence that legitimate traffic will not be affected, because only a limited number of services should be Internet accessible. IPS should nonetheless be considered for the internal network as well, to protect the organization's most critical assets. Because IPS technology looks for patterns, legitimate communication may be affected by non-compliant coding practices and seemingly odd network operating system behavior. Some organizations therefore opt to detect and alert only. That approach is ineffective where no one is continuously monitoring the alerts, and an attack may go unnoticed.
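The following Python script is an added illustration and is not part of the original text. It shows the perimeter port-scan case described above together with the detect-only versus detect-and-block choice: the same sensor logic runs in "ids" mode (alert only) and "ips" mode (alert and drop from the moment the source is classified as a scanner). The connection records, addresses, threshold and window are all constructed for the example.

```python
"""Port-scan detection on a perimeter sensor, in IDS (alert only) and IPS
(alert and block) mode.

Added illustration, not from the original text: the connection records, IP
addresses, threshold and window below are all constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed SYN attempts seen by the sensor: (timestamp_s, src_ip, dst_ip, dst_port).
# 203.0.113.7 walks ports 21..35 one per second; 192.0.2.9 is an ordinary client.
CONSTRUCTED_CONNECTIONS = (
    [(i, "203.0.113.7", "198.51.100.10", 20 + i) for i in range(1, 16)]
    + [(3, "192.0.2.9", "198.51.100.10", 443),
       (4, "192.0.2.9", "198.51.100.10", 443),
       (12, "192.0.2.9", "198.51.100.10", 80),
       (20, "192.0.2.9", "198.51.100.10", 443)]
)

SCAN_PORT_THRESHOLD = 10   # distinct (dst_ip, dst_port) targets from one source ...
SCAN_WINDOW_SECONDS = 60   # ... inside this many seconds => treat the source as a scanner


def detect_scans(connections, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Return {src_ip: timestamp} for every source that reached `threshold`
    distinct targets inside a sliding time window. The timestamp is the moment
    the threshold was crossed, so enforcement below only uses past events."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(connections):
        by_src[src].append((ts, (dst, port)))
    scanners = {}
    for src, events in by_src.items():
        in_window = Counter()   # target -> attempts currently inside the window
        start = 0
        for ts, target in events:
            in_window[target] += 1
            # Slide the window forward: forget attempts older than `window` seconds.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold and src not in scanners:
                scanners[src] = ts
    return scanners


def run_sensor(connections, mode="ips",
               threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Pass every connection through the sensor in time order. In "ids" mode the
    sensor only alerts; in "ips" mode it also drops traffic from a source from
    the instant that source is classified as a scanner."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    scanners = detect_scans(connections, threshold, window)
    forwarded = dropped = 0
    alerts = []
    for ts, src, _dst, _port in sorted(connections):
        if src in scanners and ts >= scanners[src]:
            if src not in alerts:
                alerts.append(src)
            if mode == "ips":
                dropped += 1
                continue
        forwarded += 1
    return {"mode": mode, "forwarded": forwarded, "dropped": dropped, "alerts": alerts}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(run_sensor(CONSTRUCTED_CONNECTIONS, mode))
```

Note that the scanner's first nine probes are forwarded even in IPS mode: an inline sensor can only act once the threshold is crossed, which is why the threshold and window are tuning decisions rather than fixed values, and why the ordinary client, which touches only two targets, is never affected.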

Detection methods

Today's IDS/IPS devices use a combination of three methods, behavioral, anomaly, and signature, to detect and mitigate attacks and to get the most benefit from packet analysis. Though it is now rare to find one detection method deployed without the others, early IDS/IPS products specialized in one or another. Attacks are also not always as simple as protocol misuse or a known Trojan signature. As attacks have grown more advanced, there is debate about the overall advantage of an IDS/IPS implementation and whether it is enough to protect the network. Though it can be argued that advanced malware has settled this debate, a defense-in-depth strategy that includes IDS/IPS as an essential network protection mechanism remains the best approach.

Behavioral analysis

Behavioral analysis requires some intelligence on the platform to first build an understanding of how the network "normally" operates: which systems communicate with which other systems, how they communicate, and how much. Any deviation from this baseline becomes an outlier and triggers the IDS/IPS. The method can be very effective for detecting a system compromise at both the network perimeter and internal critical segments. If a system is compromised and, for example, its connection rate exceeds what is normal for that system, the IDS/IPS detects the outlier traffic and alerts or mitigates. Behavioral analysis alone is typically not sufficient to determine whether there is an imminent threat, but combined with protocol anomaly and signature-based detection it creates a solid approach to attack detection and mitigation.

The primary caveat with this technology is the risk of baselining malicious traffic that is already present in the network as "normal". This common and almost unavoidable mistake is what makes the other detection methods necessary. Only when traffic exceeds a defined threshold relative to the "normal" baseline, which is more than likely a mix of good and bad traffic, does this method raise an alert, so malicious activity that was present during learning never stands out. This weakness is the primary reason to augment network behavioral analysis with other detection methods.
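The following Python script is an added illustration and is not part of the original text. It implements the baseline-and-deviation idea of the two paragraphs above for one behavioral feature, connections per minute per host, and then demonstrates the poisoned-baseline caveat: a host that was already beaconing while the baseline was learned is scored as normal, while the same host scored against a clean baseline is flagged. Hosts, sample counts, the z-score threshold and the standard deviation floor are constructed for the example.

```python
"""Behavioral baseline of per-host connection rates, with the poisoned-baseline
caveat.

Added illustration, not from the original text: hosts, sample counts, the
z-score threshold and the stdev floor are constructed for the example.
"""
import statistics

# Constructed learning-period samples: connections per minute per internal host.
CONSTRUCTED_BASELINE_SAMPLES = {
    "10.0.1.20": [40, 42, 38, 45, 41, 39, 44, 40],   # web server, steady load
    "10.0.1.21": [5, 6, 4, 7, 5, 6, 5, 6],           # file server, quiet
    # This host was already beaconing once a minute while the baseline was
    # learned, so its malicious traffic is folded into "normal".
    "10.0.2.55": [12, 13, 12, 14, 12, 13, 12, 13],
}

# Constructed observations for the current minute.
CONSTRUCTED_OBSERVATIONS = {
    "10.0.1.20": 43,    # inside its normal band
    "10.0.1.21": 60,    # ten times its usual rate: compromised and scanning
    "10.0.2.55": 13,    # still beaconing, indistinguishable from its baseline
    "10.0.3.9": 7,      # host the baseline has never seen
}

# The same beaconing host, had the baseline been learned before it was infected.
CONSTRUCTED_CLEAN_SAMPLES = {"10.0.2.55": [1, 2, 1, 0, 2, 1, 1, 2]}

Z_THRESHOLD = 3.0   # alert when the observed rate is more than 3 sigma above the mean
MIN_STDEV = 1.0     # floor so a near-constant baseline does not turn every blip into an alert


def learn_baseline(samples_by_host):
    """Return {host: (mean, stdev)} from per-minute connection counts."""
    return {host: (statistics.mean(s), statistics.stdev(s))
            for host, s in samples_by_host.items()}


def evaluate(baseline, observations, threshold=Z_THRESHOLD, min_stdev=MIN_STDEV):
    """Return {host: reason} for every host whose current rate deviates from
    its learned behavior, or that has no learned behavior at all."""
    alerts = {}
    for host, observed in observations.items():
        if host not in baseline:
            alerts[host] = "no baseline for host"
            continue
        mean, stdev = baseline[host]
        z = (observed - mean) / max(stdev, min_stdev)
        if z > threshold:
            alerts[host] = f"rate {observed}/min is {z:.1f} sigma above mean {mean:.1f}"
    return alerts


if __name__ == "__main__":
    learned = learn_baseline(CONSTRUCTED_BASELINE_SAMPLES)
    print("poisoned baseline:", evaluate(learned, CONSTRUCTED_OBSERVATIONS))
    clean = learn_baseline(CONSTRUCTED_CLEAN_SAMPLES)
    print("clean baseline:   ", evaluate(clean, {"10.0.2.55": 13}))
```

The file server jumps from about 5 to 60 connections per minute and is flagged, and the never-seen host is flagged for lacking a baseline; the beaconing host is not flagged at all, because its 13 connections per minute are exactly what the sensor learned. Against the clean baseline the same 13 connections are more than eleven standard deviations out. This is the reason the text gives for pairing behavioral analysis with anomaly and signature methods, which do not depend on what the network looked like during learning.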

Anomaly detection

Understanding the RFC specification for every protocol is a daunting task, but recognizing when a communication violates how a protocol is supposed to be used can be a strong indicator that something is wrong. Malware writers commonly attempt to masquerade their application as a legitimate one that would have access to the network and, preferably, be permitted outbound from the protected network.

The same technique is commonly employed by chat clients, BitTorrent, and other P2P applications to evade detection by IDS/IPS and firewalls. These applications typically violate the information security or acceptable use policy and are not permitted, so their developers have written them to look harmless and appear like other typical Internet traffic on the network.

Anomaly detection at the network perimeter can be extremely effective in analyzing inbound HTTP requests where the protocol itself is correct but the request has been manipulated in an effort to find vulnerabilities in the web application. An anomaly-based IDS/IPS detects or mitigates the attempt while saving cycles on the firewalls and the systems serving the web application.

Signature-based detection

Signature-based detection has been a consistent method for detecting known malicious attacks. The IDS/IPS looks for known patterns in the packets being inspected, and when a signature or pattern matches, a predetermined action is taken. The primary annoyance with this method is the high rate of false positives, which can be the difference between effective security monitoring and the status quo. Tuning the IDS/IPS is absolutely essential; otherwise a compromise will be difficult to detect, because its alerts will be buried among the noise of all the other traffic and alerts.

While signature-based detection may not be the most effective method, it will detect the most common, generic attacks. Without the ability to inspect encrypted payloads, it proves mostly ineffective against more sophisticated attacks. With a majority of attacks targeted at the network being Distributed Denial of Service (DDoS) and SQL injection (SQLi), signature-based IPS can be very effective in mitigating these attacks and continues to provide value at the network perimeter.
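The following Python script is an added illustration and is not part of the original text. It ties together three points made earlier: the SQLi content signatures the section says still earn their keep at the perimeter, the port-based rule from the intrusion detection section that fires on a developer's custom application because the port is also associated with a known Trojan, and the tuning step (a suppression for that rule on the internal subnet) without which the one real alert on that port would be lost among the noise. It also shows a TLS record passing untouched, since content rules cannot see into encrypted payloads. The rules, packets, addresses and the Trojan port are all constructed for the example; this is not the rule syntax of any real IDS.

```python
"""Minimal signature engine: content rules, a port-only rule, the false positive
it produces on an internal custom application, and the suppression that tunes
it out.

Added illustration, not from the original text: rules, packets, addresses and
the Trojan port are all constructed for the example.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed rules: (sid, description, predicate over a normalized packet).
RULES = [
    (1001, "SQLi: UNION SELECT in HTTP request",
     lambda p: p["dport"] == 80
     and re.search(rb"union\s+(all\s+)?select", p["payload"], re.I) is not None),
    (1002, "SQLi: tautology such as ' OR '1'='1 in HTTP request",
     lambda p: p["dport"] == 80
     and re.search(rb"'\s*or\s*'?\d+'?\s*=\s*'?\d+", p["payload"], re.I) is not None),
    # Port-only rule of the kind the text describes: it matches anything sent to
    # a port a known Trojan once used, including a developer's custom application.
    (2001, "Possible Trojan control channel (constructed port 31337)",
     lambda p: p["dport"] == 31337),
]


def packet(src, dst, dport, payload):
    return {"src": src, "dst": dst, "dport": dport, "payload": payload}


CONSTRUCTED_PACKETS = [
    packet("203.0.113.5", "198.51.100.10", 80,
           b"GET /items?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"),
    packet("203.0.113.5", "198.51.100.10", 80,
           b"GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"),
    packet("192.0.2.9", "198.51.100.10", 80,
           b"GET /products?category=books HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"),
    # Internal batch scheduler that a developer happened to put on port 31337.
    packet("10.0.1.15", "10.0.1.40", 31337, b'{"job": 42, "action": "run"}'),
    packet("10.0.1.16", "10.0.1.40", 31337, b'{"job": 43, "action": "run"}'),
    packet("10.0.1.15", "10.0.1.40", 31337, b'{"job": 44, "action": "status"}'),
    # External host probing the same port on a DMZ server: the alert worth keeping.
    packet("203.0.113.5", "198.51.100.22", 31337, b"\x00\x01\x02\x03"),
    # TLS record (constructed bytes): whatever it carries is invisible to content rules.
    packet("203.0.113.5", "198.51.100.10", 443, b"\x16\x03\x03\x00\x40" + b"\x9c\x1f\xe0\x7a" * 16),
]


def normalize(payload: bytes) -> bytes:
    """Undo %-encoding so 'UNION%20SELECT' and 'UNION SELECT' hit the same rule."""
    return unquote_to_bytes(payload)


def inspect(packets, rules=RULES, suppressions=()):
    """Run every rule over every packet and return [(sid, src, dst), ...].
    `suppressions` lists (sid, cidr) pairs: that rule is silenced for sources
    inside that network, which is the tuning step the text calls essential."""
    nets = [(sid, ipaddress.ip_network(cidr)) for sid, cidr in suppressions]
    alerts = []
    for p in packets:
        view = dict(p, payload=normalize(p["payload"]))
        src = ipaddress.ip_address(p["src"])
        for sid, _desc, test in rules:
            if not test(view):
                continue
            if any(sid == s and src in net for s, net in nets):
                continue
            alerts.append((sid, p["src"], p["dst"]))
    return alerts


def counts_by_rule(alerts):
    """Alert volume per signature, the number a tuning exercise starts from."""
    return Counter(sid for sid, _src, _dst in alerts)


# Tuning decision after investigating the 2001 alerts: the internal scheduler
# subnet is a known-good source for that port; the external probe still fires.
SUPPRESSIONS = [(2001, "10.0.1.0/24")]


if __name__ == "__main__":
    print("untuned:", dict(counts_by_rule(inspect(CONSTRUCTED_PACKETS))))
    print("tuned:  ", dict(counts_by_rule(inspect(CONSTRUCTED_PACKETS, suppressions=SUPPRESSIONS))))
```

Untuned, rule 2001 fires four times and three of those are the scheduler; after the suppression it fires once, on the external probe. Note that the suppression is scoped to one rule and one source network rather than disabling the rule, so the same port probed from the Internet is still caught. The two SQLi requests are caught only because the engine %-decodes before matching; the TLS packet produces nothing, which is the encrypted-payload limitation the text describes.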
