IPS and IDS – What are they and what role do they play in security?
An organization typically protects its information systems with a firewall that enforces access control lists (allow this source IP and protocol to that destination IP and protocol). However, an above-average attacker can get around these perimeter defenses by compromising other, less secured systems to reach the main target. In practice that looks like compromising a contractor’s laptop and then using that laptop to reach (for example) Target’s accounting website. Once the threat actor controls the contractor’s laptop, the attacker uses the compromised system to reach Target’s accounting website, bypassing Target’s perimeter defenses. The question then remains: how do organizations protect against threat actors bypassing firewall rules? This is where intrusion prevention systems and intrusion detection systems come into play, stopping attacks and alerting administrators and incident responders.
What is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) is used to notify you of potential malicious activity; it can be noisy if not tuned. DNS Stuff states: “Once any potential threat has been identified, intrusion detection software sends notifications to alert you to them. The latest IDS software will proactively analyze and identify patterns indicative of a range of cyberattack types.” An IDS is extremely appealing to organizations that don’t want to “break” connections but do want to be aware of all data being processed.
There are two types of IDS: Host Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS). A NIDS observes network traffic; Ron Samson Jr of Clear Network states: “A network-based solution performs monitoring of traffic on the network as a whole. These typically include a packet sniffer to collect packets from a network tap or by sniffing wireless traffic.” A Host Intrusion Detection System (HIDS) is software running on the host machine that inspects activity on that system and matches known malicious behavior against what is occurring on the system it is installed on. RedScan states: “HIDS track changes made to registry settings and critical system configuration, log and content files, alerting to any unauthorized or anomalous activity.”
IDS Options -
OSSEC (HIDS) – Option 1
OSSEC is a free, open-source HIDS. It uses a server-client model: the client is the agent installed on the endpoint to gather logs, and those logs are sent to the OSSEC server. The OSSEC server is typically a VM sitting on your local or remote network; the agent only needs to be able to reach the server. Remote logging is possible if you have established a VPN or a port-forwarding configuration (a VPN is recommended).
OSSEC will notify your administrators of registry changes, suspicious files copied or created in critical directories, and abnormal file changes. OSSEC runs rootkit checks by default and also checks for unusual open ports.
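To make concrete what a HIDS such as OSSEC does when it watches critical files (the “changes made to … critical system configuration” that RedScan describes), here is an added example, not OSSEC’s code and not code from this article, of the core of a file-integrity check: baseline a directory tree, then flag files that were added, removed or modified. The directory names, file contents and the simulated tampering are constructed for the demonstration; a real agent would persist the baseline off-host and ship the findings to a server, as OSSEC does.

```python
"""Constructed file-integrity monitor in the spirit of a HIDS 'syscheck'
(example code, not OSSEC's or Security Onion's own implementation).

It baselines a directory tree with SHA-256 digests and permission bits, then
reports files that were added, modified or removed since the baseline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its digest and mode."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # a fuller monitor would also record link targets and devices
            rel = p.relative_to(root).as_posix()
            snapshot[rel] = {"sha256": hash_file(p), "mode": p.stat().st_mode & 0o777}
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into sorted added / removed / modified path lists."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """One syscheck cycle on a constructed tree: baseline, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Constructed changes an analyst would want flagged:
        with (root / "etc" / "passwd").open("a") as fh:   # account added
            fh.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        (root / "etc" / "motd").unlink()                   # file removed
        (root / "etc" / "cron.d" / "unknown_job").write_text(
            "* * * * * root /opt/job.sh\n")                # new scheduled task

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Running it prints the three changed paths. Because the comparison includes permission bits, a chmod with unchanged content is reported as a modification as well, which is exactly the kind of subtle change a HIDS is meant to surface.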
Security Onion (NIDS and HIDS) – Option 2
Security Onion offers both NIDS and HIDS. Like OSSEC, Security Onion is a free and open-source platform. Security Onion is used for threat hunting, enterprise security monitoring, and log management. There are many tools you can leverage with Security Onion, such as CyberChef, Elasticsearch, Kibana, Wazuh, and many more.
Security Onion is a tad more robust than OSSEC; the architecture depends on your use case. In a standalone environment (for proofs of concept) Security Onion uses Wazuh, osquery or another platform to send log files to Filebeat, which sends them to Logstash, which then sends them to Redis for queuing. Logstash then pulls the logs out of Redis and sends them to Elasticsearch for indexing. The administrator then prunes the logs for analysis.
What is an Intrusion Prevention System (IPS)?
Intrusion Prevention Systems (IPS) are an additional preventive layer that stops attacks which bypass perimeter measures such as access control lists in IP-based networks. An IPS extends an Intrusion Detection System (IDS) by using observed behavior and known exploit tactics and techniques to actively prevent an attack while it is happening. An IPS attempts to prevent attacks such as Denial of Service (DoS), Distributed Denial of Service (DDoS), worms and viruses.
Firewall – IPS Option 1
Many next-generation firewalls allow for full packet inspection, which enables you as a security professional to enable IPS. As mentioned, the IPS analyzes every packet and remediates as the data is processed. IPS data inspection is extensive, which translates to a firewall needing more CPU and RAM (and therefore being more expensive). For simplicity, an organization (if it can afford it) will often decide to implement IPS within its firewall.
Snort – IPS Option 2
Snort started as an IDS in 1999 and grew into an IPS in 2004. Teams can implement Snort sitting behind the company firewall. Organizations can decide either to combine IPS technology within their firewall or to run the IPS service on a separate instance (VM or physical system). Snort is owned by Cisco Talos, as part of Cisco’s continued adoption of open-source technology. Cisco’s Snort 3 adoption guide (Cisco Secure) states: “The new Snort uses a flow-based detection engine. This new engine makes it much easier to normalize network traffic flows without overcoming Snort 2's packet-based limitations. Snort 3 preprocessors, now called inspectors, still serve a similar function, normalizing traffic for the rule’s engine.” The improvements in Snort allow customers to implement IPS without needing to upgrade hardware to handle the performance cost that comes with deep packet inspection. Cisco uses Snort within its own firewalls, and you can also install Snort as a standalone system to take advantage of its functionality.
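The difference between a passive IDS sensor and an inline IPS is easiest to see in rule terms. The following added example (not Snort itself, and not code from this article) parses a tiny subset of Snort-style rules (action, protocol, source and destination with $HOME_NET and “!” negation, ports, msg, plain-text content, sid) and runs constructed packets through them twice: once as a passive IDS, where a matching rule can only raise an alert, and once inline as an IPS, where “drop” rules also block the packet. HOME_NET, the rules and the packets are all constructed values.

```python
"""Constructed miniature of a Snort-style rule engine (example code, not Snort).

A rule's header selects traffic; its options add content signatures. The
same rule set is run in IDS mode (alert only, traffic passes) and in IPS
mode (inline, 'drop' rules block), which is the distinction drawn above.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed home network for the $HOME_NET variable (constructed value).
HOME_NET = ipaddress.ip_network("10.0.0.0/24")

RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    contents: list = field(default_factory=list)
    sid: int = 0


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_rule(text: str) -> Rule:
    """Parse the subset 'action proto src sport -> dst dport (opts)'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")})
    for key, raw in OPT_RE.findall(m.group("opts")):
        val = raw.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":      # plain-text content only; no |hex| or modifiers
            rule.contents.append(val.encode())
        elif key == "sid":
            rule.sid = int(val)
    return rule


def _match_addr(spec: str, addr: str) -> bool:
    """'any', '$HOME_NET' or a CIDR/host, each optionally negated with '!'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = ip in HOME_NET
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _match_port(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All header fields must match, then every content string must be in the payload."""
    return (
        rule.proto in (pkt.proto, "ip")
        and _match_addr(rule.src, pkt.src)
        and _match_addr(rule.dst, pkt.dst)
        and _match_port(rule.sport, pkt.sport)
        and _match_port(rule.dport, pkt.dport)
        and all(c in pkt.payload for c in rule.contents)
    )


def inspect(rules: list, pkt: Packet, inline: bool) -> tuple:
    """Return (verdict, [sids that fired]). Only an inline (IPS) sensor can drop."""
    fired, verdict = [], "pass"
    for rule in rules:
        if rule_matches(rule, pkt):
            fired.append(rule.sid)
            if rule.action == "drop" and inline:
                verdict = "drop"
    return verdict, fired


# Constructed rules in Snort-like syntax (sids in the local 1000000+ range).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> $HOME_NET 80 (msg:"Directory traversal in HTTP request"; content:"../"; sid:1000001; rev:1;)',
    'drop tcp !$HOME_NET any -> $HOME_NET 23 (msg:"Telnet from outside the home network"; sid:1000002; rev:1;)',
]]

# Constructed traffic sample.
PACKETS = [
    Packet("tcp", "203.0.113.5", 51000, "10.0.0.8", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.9", 40000, "10.0.0.8", 23),
    Packet("tcp", "10.0.0.4", 40000, "10.0.0.8", 23),
    Packet("tcp", "203.0.113.5", 51001, "10.0.0.8", 80, b"GET /index.html HTTP/1.1\r\n"),
]


def run_demo(inline: bool) -> list:
    """Run every sample packet through the rule set in IDS (False) or IPS (True) mode."""
    return [inspect(RULES, p, inline) for p in PACKETS]


if __name__ == "__main__":
    for mode, inline in (("IDS", False), ("IPS", True)):
        print(mode, run_demo(inline))
```

Running it prints one verdict list per mode: the same telnet packet from outside the home network is only logged in IDS mode but dropped in IPS mode, while the traversal rule, whose action is alert, never blocks in either mode. That is also why an IPS rule needs more care than an IDS rule: a false positive on a drop rule costs availability, whereas a false positive on an alert rule costs only analyst time.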
Your IDS server should sit behind your firewall, ensuring it is not exposed to attack (the IDS will hold all of your endpoint logs). Protecting the IDS server is critical because a threat actor who breaks into this system can modify all of its files (if you allow them to).
Most organizations bundle IPS within their firewall, so if you have a router and then a firewall, you will configure IPS on all inbound and outbound traffic. I have also implemented IPS between VLANs (where I allow certain traffic to pass) to prevent attacks that leverage VLAN hopping.
When implementing an IPS, keep an eye on your memory usage; don’t overload your firewall, or it will crash. Most organizations bundle firewall and IPS technology, so speak to your reseller or engineer to properly scope your firewall size.
Why should CEOs care about IDS and IPS systems?
From a security professional’s perspective it’s obvious why we need an IPS/IDS implemented to protect our users’ and customers’ data; from a CEO’s perspective it may not be as obvious. Here are a few ways to approach your executive staff for the budget to fund the software, hardware and implementation costs of an IPS/IDS.
Questions to ask -
How important is it to keep our business running during an attack?
This question lets you make the point that a complete business outage during a cyberattack can be avoided by leveraging IPS and IDS. The IPS will prevent known attacks, and the IDS will triangulate the attack to pinpoint where it was sourced.
If our systems are compromised, how quickly would you like us to respond?
Every executive and manager will want to respond quickly to resolve a cyberattack. Illustrate how quickly you can react to an attack using an IPS (since it blocks known attacks) and an IDS (which points out the source).
Intrusion Detection and Prevention Systems are tools cybersecurity professionals need to do their job. In such an aggressive cyber landscape, it is imperative that every organization implement these technologies to protect its systems. With Intrusion Detection Systems you get critical information from hosts and network traffic that you will not get from any other tool. With Intrusion Prevention Systems you are proactive in stopping attacks in real time, even when your cybersecurity team is asleep. To secure funding for the cybersecurity technology you need, present it in a language your executive management team understands: business continuity and reaction time when a cyberattack occurs. Present IPS and IDS as a business necessity that ensures continuity in the face of a cyberattack; a strong cybersecurity posture makes every organization money.
Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies (2015), Security in Computing. Accessed June 2022.
Cisco Secure (2022), Snort 3 Adoption. Accessed June 15, 2022. https://secure.cisco.com/secure-firewall/docs/snort-3-adoption
Cyber EDU (2022), What is an Intrusion Prevention System (IPS)? Accessed June 15, 2022.
DNS Stuff Staff Contributor (Feb 18, 2020), 7 Best Intrusion Detection Software and Latest IDS Systems. Accessed June 15, 2022. https://www.dnsstuff.com/network-intrusion-detection-software
Ron Samson Jr (2021), Top 10 Intrusion Detection and Prevention Systems, Clear Network. Accessed June 15, 2022. https://www.clearnetwork.com/top-intrusion-detection-and-prevention-systems/
Security Onion (2022), Documentation. Accessed June 15, 2022. https://docs.securityonion.net/en/2.3/introduction.html
RedScan (2022), HIDS – Host-Based Intrusion Detection. Accessed June 16, 2022. https://www.redscan.com/services/hids/