What are the main functions of IDS?

An Intrusion Detection System (IDS) is a network security technology originally built for detecting vulnerability exploits against a target application or computer. Intrusion Prevention Systems (IPS) extended IDS solutions by adding the ability to block threats in addition to detecting them, and have become the dominant deployment option for IDS/IPS technologies. This article will elaborate on the configuration and functions that define the IDS deployment.

An IDS needs only to detect threats and as such is placed out-of-band on the network infrastructure, meaning that it is not in the true real-time communication path between the sender and receiver of information. Rather, IDS solutions will often take advantage of a TAP or SPAN port to analyze a copy of the inline traffic stream, which ensures that the IDS does not impact inline network performance.

IDS was originally developed this way because at the time the depth of analysis required for intrusion detection could not be performed at a speed that could keep pace with components on the direct communications path of the network infrastructure.

As explained, the IDS is also a listen-only device. The IDS monitors traffic and reports its results to an administrator, but cannot automatically take action to prevent a detected exploit from taking over the system. Attackers are capable of exploiting vulnerabilities very quickly once they enter the network, rendering the IDS inadequate as a prevention device.

The following table summarizes the differences in technology intrinsic to the IPS and IDS deployments:

Placement in Network Infrastructure
  Intrusion Prevention System: Part of the direct line of communication (inline)
  IDS Deployment:              Outside direct line of communication (out-of-band)

System Type
  Intrusion Prevention System: Active (monitor & automatically defend) and/or passive
  IDS Deployment:              Passive (monitor & notify)

Detection Mechanisms
  Intrusion Prevention System: 1. Statistical anomaly-based detection
                               2. Signature detection:
                                  - Exploit-facing signatures
                                  - Vulnerability-facing signatures
  IDS Deployment:              1. Signature detection:
                                  - Exploit-facing signatures

Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also to block malicious actions.

Depending on their physical location in the infrastructure, and the scope of protection required, the IDS and IPS fall into two basic types: network-based and host-based. Both have the same function and the specific type deployed depends on strategic considerations.

WHY ARE IDS AND IPS NECESSARY?

The IDS and IPS devices employ technology that analyses traffic flows to the protected resource in order to detect and prevent exploits or other vulnerability issues.

These exploits can manifest themselves as ill-intended interactions with a targeted application or service. The goal is to interrupt and gain control of an application or a machine, thus enabling the attacker either to disable the target, causing a denial-of-service situation, or to gain access to the rights and permissions available through the target.

EVENT TYPES

There are four types of IDS and IPS events: true positive, true negative, false positive, and false negative. The goal of implementing an IDS or IPS is to achieve only true positives and true negatives.

One should keep in mind that most implementations produce false positives, so monitoring engineers spend time investigating non-malicious events, as well as false negatives, which can lead to undetected intrusions. Thus, a proper configuration of the system is of crucial importance, as it must reflect the organization’s traffic patterns.

What are the main functions of IDS?

IDS are designed to provide readiness to prepare for and deal with cyber attacks. This is accomplished through information collected from a variety of systems and network sources, which is then analyzed for security problems. IDS are generally deployed with the purpose of monitoring and analyzing user and system activity, auditing system configurations and vulnerabilities, assessing the integrity of critical system and data files, performing statistical analysis of activity patterns by matching them against known attacks, detecting abnormal activity and auditing operating systems.

What are the main functions of IPS?

The IPS is generally deployed inline and analyses network packet traffic as it flows through. Thus, it is similar in function to an IDS – both attempt to match packet data against a signature database or detect anomalies against what is pre-defined as “normal” traffic.

In addition to this IDS functionality, an IPS does more than log and alert: it is usually configured to react to detected anomalies. This ability to react to detections is what makes the IPS more desirable than the IDS in general.
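As an added illustration (not code from the original article), the following Python example runs the two detection mechanisms named above, exploit-facing signature matching and statistical anomaly-based detection, over a handful of constructed, hand-labelled flows and counts the four event types introduced under EVENT TYPES. The flows, the signature pattern and both baselines are assumptions constructed for the example; the point it shows is that a baseline which does not reflect the organization’s own traffic pattern turns a legitimate bulk export into a false positive, while a malicious request the signature does not cover remains a false negative regardless of tuning.

```python
import re
import statistics
from collections import Counter

# Constructed, hand-labelled sample flows (not real traffic): (src, dst port, payload excerpt, bytes, malicious?)
FLOWS = [
    ("10.0.0.5",  80,  "GET /index.html HTTP/1.1",                520,   False),
    ("10.0.0.7",  80,  "GET /search?q=books HTTP/1.1",            610,   False),
    ("10.0.0.9",  443, "TLS ClientHello",                         480,   False),
    ("10.0.0.5",  80,  "GET /../../../../etc/passwd HTTP/1.1",   590,   True),   # traversal probe
    ("10.0.0.8",  80,  "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1", 560,   True),   # encoded variant, no signature
    ("10.0.0.12", 80,  "GET /reports/export HTTP/1.1",           48000, False),  # legitimate bulk export
]

# Exploit-facing signatures (constructed for this example): byte patterns of known attack traffic.
SIGNATURES = [
    ("directory-traversal", re.compile(r"(\.\./){2,}")),
    ("sql-tautology", re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
]

def signature_alert(payload):
    """Return the name of the first matching signature, or None if nothing matched."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return None

def anomaly_alert(nbytes, baseline, k):
    """Statistical anomaly detection: flag a flow more than k std-devs above the baseline mean."""
    return nbytes > statistics.mean(baseline) + k * statistics.pstdev(baseline)

def classify(alerted, malicious):
    """Map the alert decision against ground truth onto the four IDS event types."""
    if alerted:
        return "true positive" if malicious else "false positive"
    return "false negative" if malicious else "true negative"

def evaluate(flows, baseline, k=3.0):
    """Run both detection mechanisms over the flows and count the event types."""
    counts = Counter()
    for _src, _port, payload, nbytes, malicious in flows:
        alerted = signature_alert(payload) is not None or anomaly_alert(nbytes, baseline, k)
        counts[classify(alerted, malicious)] += 1
    return dict(counts)

# Baseline built only from small web flows: the 48 kB export looks abnormal and becomes a false positive.
NARROW_BASELINE = [500, 520, 480, 610, 550, 590, 470, 530]
# Baseline that also reflects the organisation's periodic large exports: that false positive disappears.
TUNED_BASELINE = NARROW_BASELINE + [45000, 52000, 47000]
```

Calling evaluate(FLOWS, NARROW_BASELINE) yields one false positive alongside the true positive and the false negative; evaluate(FLOWS, TUNED_BASELINE) removes the false positive but, as the article warns, tuning the baseline does nothing for the attack the signature never covered.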

THE WHAT, WHERE AND WHO’S OF IDS and IPS DEPLOYMENT

These questions are to be answered taking into account the specifics of one’s environment. The most common locations for an intrusion detection/prevention sensor are between the network and the extranet, in the Demilitarized Zone (DMZ), between the servers and the user community, and on the remote access, intranet and database environments. Establishing the network perimeter and covering all possible points of entry should be possible.

Once placed, the sensors must be configured to report to the central management console, as dedicated administrators will manage the sensors, provide new or updated signatures, and review logs. In order to avoid data tampering, one must ensure that the communication between the sensors and the management console is secure.

The proper identification of mission-critical systems and points of entry requires the following roles in an organization to be involved in any IDS/IPS deployment:

  • Senior Management
  • Information Security Officers
  • Data owners
  • Network Administrators
  • Database Administrators
  • Operating System Administrators

If the key people representing these roles are not involved, the resources won’t be used efficiently and the resulting measures will be inadequate. It is strongly advisable to perform a vulnerability and risk assessment prior to implementing an IDS or IPS.

Once the IDS is up and operational, logs must be reviewed, and traffic must be tailored to meet the specific needs of the company. Remember, traffic that may be perceived as abnormal by the IDS/IPS may be perfectly suitable for the environment. IDS/IPS must be properly maintained and configured.

WHY CHOOSE A VENDOR?

There are times when you may feel you lack the knowledgeable staff to deploy and administer the IDS/IPS. This is where vendors come in. Instead of spending a considerable amount of time and money trying to figure out the hows and whys, specialized teams can come to your aid with the required expertise to get you started and train your personnel.

When choosing a vendor, look for a team that:

  • Eliminates false positives by systematic tuning of detection to meet the characteristics of the particular system;
  • Eliminates false negatives. Eliminating false positive alarms may result in incurring false negatives, and that must not happen;
  • Understands what constitutes a security-relevant event and develops proper reporting;
  • Installs and configures a complete solution;
  • Provides and devises methods to test IDS/IPS;
  • Determines the damage caused by a detected attack, limits further damage, and recovers from the attack;
  • Makes your systems scalable to the size required.

What are the main functions of IDS and IPS?

An IDS is designed to only provide an alert about a potential incident, which enables a security operations center (SOC) analyst to investigate the event and determine whether it requires further action. An IPS, on the other hand, takes action itself to block the attempted intrusion or otherwise remediate the incident.

What are the main types of IDS?

IDS are classified into 5 types:

  • Network Intrusion Detection System (NIDS): ...
  • Host Intrusion Detection System (HIDS): ...
  • Protocol-based Intrusion Detection System (PIDS): ...
  • Application Protocol-based Intrusion Detection System (APIDS): ...
  • Hybrid Intrusion Detection System: