Part 4 of 5: Network Intrusion Detection / Prevention Systems
What Is It?
Also known simply as IDS or IPS, Intrusion Detection Systems / Intrusion Prevention Systems monitor network traffic for anomalies based on signatures and heuristics that vary from vendor to vendor and from implementation to implementation. Basically, they look for something that shouldn’t be there to log, alert, or take an action based on the rules we configure. Host Intrusion Detection Systems (HIDS) and Host Intrusion Prevention Systems (HIPS) apply to the endpoints where NIDS / NIPS applies to network boundaries and segmentation points such as the gateways to the internet or other “untrusted” networks.
By monitoring the traffic for certain anomalies, an IDS/IPS can detect malicious or other undesired or unexpected data. When a “match” is found based on patterns, signatures, or other heuristics, the system can log it, send an alert to another system or to an administrator, or even take an action such as blocking, redirecting, or resetting the connection depending on what the organisation has defined.
In a perfect world, this will detect all the badness and only allow the goodness. At this point, take off the rose-coloured glasses and realise this isn’t a perfect world and while an IDS / IPS may seem like a good idea (it is) it’s rated this low on the ASD list for a reason, and that’s effectiveness. Mind you, a properly configured and managed IDS / IPS is still worth it, but we must consider many things in our defence-in-depth approach.
Where Do I Start?
Are you using an IDS / IPS presently? Quite often I hear “yes” to this question, but not much further. Most of the time it’s built-into a firewall (which is common) and turned on with the default rules which are based on the vendor’s own intelligence. In some cases, the IDS / IPS is not enabled because it’s an extra license or fee or bundled in with many features the client does not want.
After you answer yes or no, then, if “Yes”, I must ask how you’re managing the system if you are, in fact, using it. Do you review your policies and rules regularly? How often are the signatures and intelligence feeds updated? Do you have support for this feature? What do you do with the alerts? Do you review the logs? Is it taking any actions on the traffic or passively observing? If no, I’d like to understand the rationale why not (and I won’t judge….I need to know why and to be sure you know why as well).
Some interesting things always come to light. Often, the client feels it doesn’t deliver as promised. Sometimes it doesn’t block what it should and other times it blocks what it should not. That balance, sometimes called a “Crossover Error Rate” between false-positives and false-negatives can be hard to achieve. The common thread among most answers I see is that there is a lack of an in-depth understanding of the IDS / IPS system and a lack of ability to manage and maintain it the way it should be.
Many smaller organisations do not have a dedicated security resource and it falls to someone in the team, right or wrong. Larger organisations may have a dedicated security resource but they’re often incredibly busy to focus on any one system, let alone a time-consuming one like IDS / IPS. A former colleague of mine always said she’d love to spend more time working on the IDS / IPS if it wasn’t for the other 20 systems she also had to maintain.
Once you get a handle on your current IDS / IPS status (or lack thereof) it’s time to figure out what you can do better. For the record, I really try to avoid “Wrong or Right” in favour of “Good, Better, and Best” when it comes to a defence in depth approach. It may be time to call in the experts for a little guidance.
How do I make It Work?
If you’ve already bought and paid for an IDS / IPS solution, you may as well use it unless it’s that cumbersome and troublesome that the cost outweighs the benefit but take heart…. we’re here to help. I rarely see anything that works “out of the box”; it needs to be tuned to your environment. Your systems, your services, your processes, your traffic. Many systems such as IDS / IPS have a sort of “learning mode” such as promiscuous mode or something similar. Start here. Allow this mode to run for a period so it can learn your system and all its nuances. Never less than a fortnight, and I generally recommend a month to capture the once-in-a-while processes like month-end processing.
This exercise should allow enough time to capture data to define your rules, signatures, and heuristics, depending on the system chosen. Ideally, the more information you work with, the less likely you are to run into issues balancing the crossover error rate. I get immensely frustrated by organisations that rush the implementation of a system like IDS / IPS only to complain it’s not working the way it should. Every change after that skews it one way or another and it became a losing battle. Think of it this way: If you were building a seesaw for your kids, would you just bolt it together without trying to find the centre of the plank? Of course not. You would carefully measure to find the centre and then build the rest accordingly to achieve that balance.
Once you get it in place and balanced (mind you, it will need to be adjusted in time to allow for new threats, new signatures, and so on) then you need to figure out what to do with the information. Sure, you may be logging events, but are they being fed into a system, such as a SIEM, where they can be used for reports, planning, and dashboards? Are alerts being triaged and then sent to an administrator based on priority, so actions can be taken? Do you have policies and rules configured to reset or block connections when matches are made? Maybe you need to send the data off to a Managed Security Services provider for processing. In any case, the IDS / IPS can be incredibly valuable. It’s a lot like that crescent wrench n my toolbox that works best when it’s used right and adjusted correctly.
Don’t hesitate to put your hand up for help and if you don’t yet have IDS in place, that’s a great opportunity to leverage its capabilities and to do so right the first time. You can also shop around if you’re in the market for a replacement or upgrade for an existing solution and don’t forget IDS / IPS capabilities beyond the firewall. Many other network appliances can do this for you and do it incredibly well.
Pitfalls?
IDS / IPS systems are great but they do have some downsides. The first is overhead and that the more inspection you do to your traffic, the more it slows down and uses the capability of your appliances. Always check the spec sheets and size accordingly. The second is their ability to process encrypted traffic. This means even more overhead, even if it is offloaded to a dedicated appliance. Third, be aware that hackers are very skilled at finding ways around IDS / IPS and there are limitations in what can be done to counteract these avoidance tactics. A defence in depth approach is a must-have so not all the emphasis is placed on the IDS / IPS, but it still plays an important role. Always plan accordingly, design to purpose, and spec to size with allowance for growth and fluctuations.
Ghosts in The Machine?
Highly dynamic environments can be a nightmare for fine-tuning an IDS / IPS solution, especially where it’s looking for anything unusual…. When everything IS unusual. Signature-based systems tend to lag due to signatures being based on already-known threats, limiting their ability to handle zero-day threats. Heuristics must suit the organisation because a hospital may have vastly different traffic patterns than a bank. Fully understanding your traffic and applications as well as how they’re used (or misused) is imperative to achieve success.
Anything Missing?
Take into consideration what type of infrastructure you’re using. On premise, hosted, and cloud-based environments all have IDS / IPS options with their own pros and cons. Be sure to select the option that works best for your current, but more importantly, your future direction. I don’t like to see clients waste time and money implementing a system that’s only going to end up with limited effectiveness or to be replaced with another system that will require undertaking the whole process over again, sometimes even from scratch.
Please also be wary of the intelligence feeds your solution has access to. Many vendors use their own proprietary feed and while they’re quite good, there is no harm in drawing intelligence from other sources for IDS / IPS updates. What one misses, another may see. Keep your options open.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock