6.3.2 IDS

Differences between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)

IDS vs. IPS Overview

  • Passive IDS:

    • Monitors, logs, and detects security breaches.

    • Takes no action to prevent the attack.

    • Can send alerts, requiring interpretation and action by a security administrator.

    • Cannot be detected on the network due to lack of active response.

  • Active IDS (IPS):

    • Performs all functions of an IDS but can react to security breaches.

    • Automates responses to malicious traffic.

    • Can terminate sessions by sending a TCP reset (RST) packet, or trigger other responses such as restarting processes.

    • Actions are visible to network observers and necessary to block detectable attacks.

Functional Comparison Table

  Feature                                | IDS | IPS
  ---------------------------------------|-----|-----
  Passive monitoring                     | Yes | No
  Alerting capabilities                  | Yes | Yes
  Automated response to threats          | No  | Yes
  Visibility of actions on the network   | No  | Yes

Key Concepts of IDS and IPS

  • Knowing when unauthorized access is occurring is the first step in network defense.

  • An IDS detects attacks and suspicious activity, whether active (IPS) or passive.

  • Utilization of both IDS and IPS together maximizes network detection and protection.

    • If an IPS fails to detect a malicious packet, the IDS serves as a backup to alert the security operations team.

IDS Operations

Monitoring Steps

  1. A sensor passes data from the source to the analyzer.

  2. The engine/analyzer analyzes data and events, generating alerts and logging activities.

Alert Definition

  • An alert is a message indicating an event of interest, such as a potential attack.

  • Traffic is labeled based on system interpretation of threat levels:

    • Positive Assessment (true positive): Malicious activity correctly identified, or an intruder's identity discovered.

    • False Positive: Harmless traffic wrongly identified as offensive, generating alerts.

    • Negative Assessment (true negative): Traffic correctly deemed harmless is allowed to pass.

    • False Negative: Harmful traffic allowed to pass without an alert; the worst outcome, because the attack proceeds undetected.

Detection Methods

1. Signature-based Detection

  • Also known as pattern matching, dictionary recognition, or misuse-detection (MD-IDS).

  • Looks for patterns in network traffic that match known attack patterns (signatures).

    • Signatures are unique identifiers for known malicious packets and are continuously updated by IDS vendors.

    • Cannot detect unknown attacks; thus, regular updates of signature files are crucial.

    • Commercial software requires a paid subscription for updates and must be configured to update from secure repositories (ideally over HTTPS).

    • Typically causes more false negatives compared to heuristic detection.

2. Heuristic-based Detection

  • Also referred to as behavior, anomaly, or statistical-based detection.

  • Establishes a baseline of normal network traffic to identify deviations.

    • Clipping levels (thresholds) define the acceptable variance from the baseline; activity beyond the clipping level raises an alert.

    • Can identify some unknown attacks that lack corresponding signature files.

    • Usually results in more false positives relative to signature-based detection.
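The two detection methods and the four alert outcomes above, as an added worked example that is not part of the original notes: a miniature IDS analyzer applies constructed signatures and a baseline-plus-clipping-level heuristic to a constructed traffic window, then scores every record as a true positive, false positive, true negative or false negative. All signature names, host addresses, payloads and baseline counts are constructed for illustration.

```python
"""Added example (not part of the original notes): a miniature IDS analyzer
that applies both detection methods from this section to a constructed
traffic window and scores its alerts in the notes' own terms.  Signatures,
hosts, payloads and baseline counts are all constructed."""
import re
import statistics
from collections import Counter

# Signature-based detection: constructed patterns standing in for a vendor
# signature feed.  They only catch what they were written for.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(rb"(\.\./){2,}"),
}

# Heuristic detection: constructed baseline of requests per source host
# measured during a quiet training window.
BASELINE_COUNTS = {"10.0.0.5": 10, "10.0.0.6": 12, "10.0.0.7": 9, "10.0.0.8": 11}


def build_traffic():
    """Constructed test window.  Each record is (src, payload, is_malicious);
    the ground-truth flag is used only for scoring, never by the detectors."""
    traffic = [("10.0.0.5", b"GET /index.html", False)] * 10
    traffic += [
        ("10.0.0.6", b"GET /search?q=1 UNION SELECT password FROM users", True),
        ("10.0.0.6", b"GET /dl?f=../../../../etc/passwd", True),
        # URL-encoded traversal that the literal signature misses: a real
        # engine must normalise (decode) before matching, or this is a false negative.
        ("10.0.0.7", b"GET /dl?f=..%2f..%2f..%2fetc%2fshadow", True),
        # Benign request that happens to contain signature text: a false positive.
        ("10.0.0.8", b"GET /docs/sql-tutorial?topic=union select syntax", False),
    ]
    # One source making 40 requests in the window, far above the clipping level.
    traffic += [("10.0.0.9", b"GET /page%d" % i, True) for i in range(40)]
    return traffic


def signature_detect(payload):
    """Names of every signature whose pattern appears in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def clipping_level(baseline, k=3.0):
    """Threshold: baseline mean plus k population standard deviations."""
    counts = list(baseline.values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def heuristic_detect(traffic, threshold):
    """Source hosts whose request count in the window exceeds the clipping level."""
    counts = Counter(src for src, _, _ in traffic)
    return {src for src, n in counts.items() if n > threshold}


def run_ids(traffic, baseline):
    """Combine both detectors, then score each record against ground truth."""
    noisy = heuristic_detect(traffic, clipping_level(baseline))
    outcome = Counter()
    alerts = []
    for src, payload, malicious in traffic:
        hits = signature_detect(payload)
        if src in noisy:
            hits.append("anomaly-rate")
        alerted = bool(hits)
        if alerted:
            alerts.append((src, hits))
        if alerted and malicious:
            outcome["true_positive"] += 1
        elif alerted:
            outcome["false_positive"] += 1
        elif malicious:
            outcome["false_negative"] += 1
        else:
            outcome["true_negative"] += 1
    return outcome, alerts


if __name__ == "__main__":
    outcome, alerts = run_ids(build_traffic(), BASELINE_COUNTS)
    print(dict(outcome))
```

The run shows each trade-off the notes describe: the signature catches the two known patterns but misses the encoded variant (a false negative), the tutorial URL trips a signature (a false positive), and the heuristic flags the chatty source without any signature at all.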

Device Implementation

Implementation Methods

1. Host-based (HIDS)

  • Installed on the host system to monitor all incoming traffic.

    • Detects unique attacks targeted to specific services and applications.

    • Monitors application activity, modifications, local files, and logon audits.

    • Limited to the host system's view; possible target for attacks.

    • Can analyze encrypted traffic, as services running on the host decrypt the data.

    • Common example: Antivirus software.

    • Issues: Requires installation on each system monitored, potentially leading to excessive administrative efforts.

    • If compromised, the reliability of log reports drops, as attackers may modify logs.
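The file-modification monitoring a HIDS performs, as an added example that is not part of the original notes: a minimal integrity monitor hashes a directory tree, seals the baseline with an HMAC so that a baseline rewritten by an attacker is itself detectable (the concern raised in the last point above), and reports added, removed and modified files. The directory, file names and key are constructed.

```python
"""Added example (not part of the original notes): a minimal host-based
file-integrity monitor with a sealed baseline.  Directory contents, file
names and the HMAC key are constructed for illustration."""
import hashlib
import hmac
import json
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (path relative to root, '/'-separated)
    to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def seal(baseline, key):
    """Serialise the baseline and attach an HMAC-SHA256 tag.  The key is kept
    off the monitored host: an attacker who can rewrite the baseline file but
    cannot forge the tag cannot hide a modification from the next comparison."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"body": body.decode(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(sealed, key):
    """Return the baseline dict, or None if the tag does not verify."""
    body = sealed["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(body)


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo(key=b"constructed-key-kept-off-host"):
    """Constructed scenario: take a baseline, change the tree, report the delta."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "listen=443\n")
        _write(root, "bin/helper", "#!/bin/sh\necho ok\n")
        _write(root, "var/log/app.log", "started\n")
        sealed = seal(snapshot(root), key)

        # Later changes on the host: a config edit, a removed binary, a new job.
        _write(root, "etc/app.conf", "listen=8443\n")
        os.remove(os.path.join(root, "bin/helper"))
        _write(root, "cron/newjob", "* * * * * /bin/true\n")

        baseline = unseal(sealed, key)
        if baseline is None:
            return {"error": "baseline tag failed to verify"}
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The sealed baseline addresses the last point in the list: logs and baselines stored on a compromised host cannot be trusted on their own, so the verification secret (and ideally a copy of the baseline) lives somewhere the host cannot alter.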

2. Network-based (NIDS)

  • A dedicated device set up in the network to analyze traffic in real time.

    • Can be installed as:

      • Out of band: monitors a copy of the traffic without interfering with it (connected via a network tap).

      • Inline: traffic passes through the NIDS for analysis before it continues to its destination.

    • Characteristics:

      • Unaware of individual hosts and undetectable by attacking systems.

      • Effective for detecting and preventing port scanning and Denial of Service (DoS) attacks.

      • Cannot analyze encrypted traffic.

      • Should be placed at critical network junctions (such as inside screened subnets, between firewalls and LANs, and near valuable information assets).

      • On a switched segment, must connect via a SPAN (port-mirror) or diagnostic port to observe all traffic on that segment, since a switch otherwise forwards frames only to their destination port.

Trend Analysis

  • Essential for managing IDS and IPS, directing attention to patterns and potential threats over time.

    • Helps analysts identify trends suggesting targeted attacks or exploited vulnerabilities.

    • Analyzing trend data allows tuning of IDS/IPS systems to reduce false positives and unnecessary alerts.

    • Contributes to operational security strategies by revealing frequently targeted systems and common threats.

    • These insights can inform necessary changes in security policy, tool investments, and training requirements.
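Trend analysis over an alert history, as an added example that is not part of the original notes: constructed alert records with analyst verdicts are aggregated to find the most targeted systems, the signatures whose false-positive rate makes them tuning candidates, and destinations whose alert volume is escalating in a way that suggests a targeted attack. Alert names, hosts, days and verdicts are all constructed.

```python
"""Added example (not part of the original notes): trend analysis over a
constructed seven-day alert history with analyst verdicts ("tp" confirmed
attack, "fp" closed as benign).  Signature names, hosts and days are constructed."""
from collections import Counter


def _records(sig, dst, days, verdicts):
    return [{"sig": sig, "dst": dst, "day": d, "verdict": v} for d, v in zip(days, verdicts)]


# Constructed alert history.  Days are numbered 1..7.
ALERTS = (
    _records("sqli-union-select", "web-01", [5, 6, 6, 7, 7, 7], ["tp", "tp", "fp", "tp", "tp", "tp"])
    + _records("icmp-sweep", "fw-01", [1, 1, 2, 3, 3, 4, 5, 6, 6, 7], ["fp"] * 10)
    + _records("path-traversal", "web-02", [1, 2, 4], ["tp"] * 3)
    + _records("anomaly-rate", "db-01", [2, 3, 5, 6], ["tp", "fp", "tp", "fp"])
)


def top_targets(alerts, n=3):
    """Most frequently targeted destinations over the whole period."""
    return Counter(a["dst"] for a in alerts).most_common(n)


def false_positive_rate(alerts):
    """Per-signature fraction of alerts that analysts closed as benign."""
    totals, fps = Counter(), Counter()
    for a in alerts:
        totals[a["sig"]] += 1
        if a["verdict"] == "fp":
            fps[a["sig"]] += 1
    return {sig: fps[sig] / totals[sig] for sig in totals}


def tuning_candidates(alerts, max_fp_rate=0.8, min_alerts=5):
    """Signatures worth tuning or suppressing: a high false-positive rate on a
    sample large enough to trust the rate."""
    totals = Counter(a["sig"] for a in alerts)
    rates = false_positive_rate(alerts)
    return sorted(s for s, r in rates.items() if r >= max_fp_rate and totals[s] >= min_alerts)


def escalating_targets(alerts, period_days=7):
    """Destinations whose alert volume in the second half of the period is at
    least double the first half, a pattern suggesting a targeted campaign."""
    midpoint = period_days // 2  # days 1..3 early, 4..7 late for a 7-day period
    early, late = Counter(), Counter()
    for a in alerts:
        (early if a["day"] <= midpoint else late)[a["dst"]] += 1
    return sorted(d for d in set(early) | set(late) if late[d] >= 2 * max(early[d], 1))


if __name__ == "__main__":
    print("top targets:", top_targets(ALERTS))
    print("tune:", tuning_candidates(ALERTS))
    print("escalating:", escalating_targets(ALERTS))
```

In this constructed history the noisiest signature (the sweep rule on the firewall) is pure noise and is the one to tune, while the web server with few alerts overall is the one whose volume is climbing day by day, which is the pattern the notes say should redirect analyst attention.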