As mentioned earlier, intrusion detection is largely a process of setting up alarms to notify you in the event of an incident. Even intrusion prevention, with its ability to stop an incident, adheres to this same operating philosophy. In order to understand which IDS or IPS solution is the best solution for a given scenario, you have to understand the technologies used in most IDS/IPS solutions. The two predominant types of IDS/IPS are host based and network based. We will look at each of these technologies and examine the pros and cons to determine where each technology best fits into your network. Finally, we will look at the different components of an IDS/IPS to help you understand how to deploy an IDS/IPS in the most effective manner.
This section is more educational and less how-to than sections in other chapters of this book because I have found that one of the biggest problems people encounter in dealing with IDS/IPS is a general confusion as to exactly what IDS/IPS is and how it works. Sure, people know that they want an IDS to detect unauthorized access, but they often don't understand what that really means. This confusion is compounded by the IDS/IPS vendors, who have spent more time marketing a concept than defining what that concept means and does. Making sure you understand these technologies will help you establish realistic expectations and thus increase the likelihood that the IDS/IPS you select will accomplish the goals and objectives you've defined when you deploy it in your environment.
Host-based IDS/IPS (HIDS/HIPS) is software that runs on each host you want to protect. The defining difference between host-based and network-based IDS/IPS is that host-based IDS/IPS monitors from the host's point of view, whereas network-based IDS/IPS monitors from the network's point of view. HIDS/HIPS software detects an incident by monitoring not only the traffic entering and exiting the host, but also user and operating system activity on that host: process execution, file and registry changes, log entries, and privilege changes. HIDS/HIPS is generally able to monitor to a much greater level of detail than a network-based IDS/IPS because it can focus exclusively on the host upon which it is installed. This allows HIDS/HIPS to detect attacks that a network-based solution might overlook, and to analyze data that was encrypted while on the network (and thus invisible to the network-based IDS/IPS) once it has been decrypted on the host.
Every decision an IDS/IPS makes falls into one of four outcomes, depending on whether it raised an alarm and whether an attack was actually taking place. True positives are alarms raised for real attacks: the IDS/IPS recognized the attack and reported it properly, and these are what you want the system to produce. False positives (also known as false alarms) are alarms raised for normal traffic. They are the biggest practical problem with IDS/IPS because they waste time and resources and desensitize your network administrators to incident alarms, so that a real alarm gets dismissed along with the noise. False negatives are real attacks for which no alarm was raised. They are the worst-case scenario, because the IDS/IPS has silently failed and you have no indication that anything happened. True negatives, although they sound bad, simply mean the IDS/IPS correctly generated no alarm while observing normal traffic.
The most time-consuming part of IDS/IPS deployment that I have encountered is tuning the IDS/IPS so that it generates the appropriate alarm for a given situation. The objective is for every alarm to be a true positive and for no attack to go unreported; in practice, making a signature more specific to eliminate false positives tends to increase false negatives, and vice versa, so tuning is a matter of finding the balance your environment can live with and then revisiting it as the traffic and the threats change.
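To make the four outcomes concrete, here is an added example (written for this page, not code from the book or from any IDS vendor) that runs a first-cut and a tuned HTTP signature over a small set of constructed request paths with known labels and counts the true positives, false positives, true negatives and false negatives each rule produces. The request paths, the rules and the labels are all invented for illustration; they are not captured traffic.

```python
from urllib.parse import unquote

# Constructed request paths with ground-truth labels (True = attack).
# These are illustrative inputs for the example, not real captured traffic.
SAMPLE_REQUESTS = [
    ("/index.html", False),
    ("/help/change-passwd.html", False),                            # benign page that mentions "passwd"
    ("/images/logo.png", False),
    ("/cgi-bin/../../winnt/system32/cmd.exe?/c+dir", True),         # classic directory traversal
    ("/scripts/..%2f..%2fwinnt/system32/cmd%2eexe?/c+dir", True),   # same attack, URL-encoded
    ("/search?q=command+line+tools", False),
    ("/admin/../etc/passwd", True),
]


def naive_rule(path):
    """First-cut signature: alert on a literal traversal, cmd.exe, or any 'passwd'.

    It fires on a benign page (false positive) and misses the encoded
    traversal (false negative) because it inspects the raw bytes only.
    """
    return "../" in path or "cmd.exe" in path or "passwd" in path


def tuned_rule(path):
    """Tuned signature: normalise encoding and case first, then require the
    specific dangerous sequence rather than a word that may appear anywhere."""
    normalized = unquote(path).lower()
    return (
        "../" in normalized
        or "/cmd.exe" in normalized
        or "/etc/passwd" in normalized
    )


def score(rule, samples):
    """Classify each sample with `rule` and count the four alarm outcomes."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for path, is_attack in samples:
        alarmed = rule(path)
        if alarmed and is_attack:
            counts["tp"] += 1
        elif alarmed and not is_attack:
            counts["fp"] += 1
        elif not alarmed and is_attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def rates(counts):
    """Precision (share of alarms that were real) and recall (share of attacks alarmed)."""
    alarms = counts["tp"] + counts["fp"]
    attacks = counts["tp"] + counts["fn"]
    precision = counts["tp"] / alarms if alarms else 0.0
    recall = counts["tp"] / attacks if attacks else 0.0
    return precision, recall


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("tuned", tuned_rule)):
        counts = score(rule, SAMPLE_REQUESTS)
        print(name, counts, "precision/recall = %.2f/%.2f" % rates(counts))
```

The naive rule gets 2 true positives, 1 false positive, 1 false negative and 3 true negatives on this input; the tuned rule gets all 7 right. Note that the tuned rule still decodes only one layer of encoding, so a double-encoded traversal (`%252f`) would slip past it. That is exactly the kind of case that comes out of ongoing tuning rather than the initial deployment.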
Although this may make HIDS/HIPS sound like a perfect solution, it does have some drawbacks. First, because the HIDS/HIPS resides on the host, if the host is compromised, the HIDS/HIPS can no longer be considered reliable: an attacker with administrative control can stop the agent, tamper with its configuration, or alter the local logs, so at a minimum the alarms and logs should be sent to a separate management system as they are generated. In addition, HIDS/HIPS requires that the software be installed on every host to be monitored, which consumes processing and memory resources on those hosts and adds an agent that must be kept updated. HIDS/HIPS is also generally ineffective at addressing denial of service attacks, because it can only detect a DoS once the host is already under attack, at which point the host may be too busy to do anything about it.
A number of HIDS/HIPS products are available to you, including the following:
Cisco Security Agent (http://www.cisco.com/en/US/customer/products/sw/secursw/ps5057/index.html)
Tripwire for Servers (http://www.tripwire.com/products/servers/)
ISS BlackICE (http://blackice.iss.net/product_server_protection.php)
Symantec Host IDS (http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=48&EID=0)
Host-based intrusion detection and prevention products are beyond the scope of this book; however, you should employ them on any critical servers at a minimum and on all your systems if possible. Refer to Hardening Windows Systems by Roberta Bragg and Hardening Linux by John Terpstra for more information about server hardening and HIDS/HIPS.
Network-based IDS/IPS (NIDS/NIPS) consists of devices deployed to monitor the traffic on a network segment and report on any suspicious traffic. Most NIDS/NIPS function in a fashion similar to a packet sniffer, using a network interface operating in promiscuous mode (typically fed by a switch SPAN port or a network tap) to capture the packets traversing a network segment. One of the biggest benefits of a NIDS/NIPS is this ability to monitor an entire segment, allowing a single strategically placed NIDS/NIPS to cover a large number of hosts. For example, a NIDS/NIPS that monitors the segment between your Internet uplink and the firewall sees all traffic entering or exiting your network. Other benefits of a NIDS are stealth and minimal impact on your network: because a NIDS passively monitors a copy of the traffic, the traffic itself is forwarded at wire speed as if the NIDS were not even there. Note that this applies to a passive sensor only. A NIPS that must be able to drop packets sits inline in the forwarding path, so it adds some latency and becomes a device whose failure (or whose false positive) can interrupt legitimate traffic; plan for that when you choose between detection and prevention on a given segment.
However, NIDS/NIPS has some significant drawbacks. First, NIDS/NIPS is unable to inspect encrypted traffic, so attacks that are carried inside encrypted sessions (SSL/TLS, SSH, IPsec) will go undetected unless the traffic is decrypted somewhere the sensor can see it. Also, because the NIDS/NIPS must potentially monitor a huge amount of traffic, there can be latency in alarming and even missed incidents when the sensor cannot process the volume of data it is observing. For example, the Cisco 4250 IDS sensor has a rated performance of 500 Mbps, assuming conditions of 5,000 TCP connections per second, 5,000 HTTP transactions per second, and an average packet size of 445 bytes. This does not mean that the NIDS/NIPS is not useful for monitoring links that are faster than that; it simply means that when the link exceeds the sensor's capacity, the sensor will drop packets (and may therefore miss attacks in the packets it drops), and you should be aware of this limitation and size the sensor, or split the traffic across sensors, accordingly.
In addition to the NIDS we will be covering in this chapter, the following systems are available to you:
Enterasys Dragon (http://www.enterasys.com/products/ids/)
There are two primary IDS/IPS detection technologies: anomaly detection and misuse detection.
Anomaly detection-based IDS/IPS uses profiles that define the behavior characteristics of a group of users or systems, and thus establishes the baseline that observed traffic is compared against to identify a deviation. Anomaly detection essentially learns what normal traffic looks like and alerts when it sees something that departs from it. These systems require a tremendous amount of configuration and a lengthy learning period to teach the system what is normal, and the baseline must be learned from traffic you know to be clean, because any attack activity present during the learning period becomes part of "normal" and will not be alarmed on later. Although anomaly detection can catch a zero-day exploit that a misuse detection system has no signature for, I recommend that you employ it only where you believe you are genuinely susceptible to zero-day exploits, because of the complexity involved in building and maintaining the profiles and the false positives that legitimate but unusual activity will generate.
Misuse detection, also known as signature-based or pattern-matching detection, uses a database of known attack signatures to identify suspicious traffic. Misuse detection is the traditional method of IDS/IPS. Because the signatures are based on known activity, the attacks that are detected are well defined and easy to identify, which makes for a much simpler system than an anomaly-based one. The corresponding limitation is that a misuse detection system can only detect what someone has already written a signature for, so it is blind to a new exploit until the signature database is updated, and the signatures have to be kept current for the system to retain its value. I recommend signature-based IDS/IPS in most environments where the risk of being hit by a zero-day exploit is minimal.
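The following is an added example, written for this page rather than taken from the book or from any IDS product, that puts the two detection technologies side by side on the same constructed input: a statistical anomaly detector that learns a baseline connection rate from a clean training window and alarms on deviations, and a misuse detector that matches payloads against a small signature database. The training values, observations and signatures are all invented for illustration; the 3-sigma threshold is an assumption of this example, not a recommendation from the text.

```python
import statistics

# Constructed training window: outbound connections per minute from one
# workstation group during a period known to be clean. Illustrative values only.
BASELINE_CONN_PER_MIN = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]

# Constructed observations to classify: (connections per minute, payload excerpt).
# None of this is captured traffic.
OBSERVATIONS = [
    (14, "GET /index.html HTTP/1.0"),                            # normal
    (13, "GET /cgi-bin/../../winnt/system32/cmd.exe?/c+dir"),    # known attack at a normal rate
    (240, "SYN to tcp/445 across 10.0.0.0/24"),                  # novel worm-style sweep, no signature
    (95, "POST /reports/month-end HTTP/1.0"),                    # legitimate but unusual batch job
]

# Signature database for misuse detection: substring patterns for known attacks.
SIGNATURES = {
    "IIS traversal": "system32/cmd.exe",
    "UNIX passwd fetch": "/etc/passwd",
}


def build_profile(samples):
    """Learn the baseline (population mean and standard deviation) that the
    anomaly detector compares against. Must be trained on clean traffic."""
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}


def anomaly_alert(profile, rate, k=3.0):
    """Anomaly detection: alert when the observed rate is more than k
    standard deviations above the learned baseline (k=3 is assumed here)."""
    return rate > profile["mean"] + k * profile["stdev"]


def signature_alert(payload):
    """Misuse detection: return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def classify(profile, observations):
    """Run both detectors over every observation and return the verdicts."""
    verdicts = []
    for rate, payload in observations:
        verdicts.append({
            "rate": rate,
            "anomaly": anomaly_alert(profile, rate),
            "signature": signature_alert(payload),
        })
    return verdicts


if __name__ == "__main__":
    profile = build_profile(BASELINE_CONN_PER_MIN)
    print("baseline mean=%.1f stdev=%.1f" % (profile["mean"], profile["stdev"]))
    for verdict in classify(profile, OBSERVATIONS):
        print(verdict)
```

With this baseline (mean 13.5, standard deviation 1.5, so an alarm threshold of 18 connections per minute) the known IIS traversal is caught only by the signature, because it arrives at a perfectly normal rate; the 445 sweep is caught only by the anomaly detector, because no signature exists for it; and the month-end batch job is an anomaly-detector false positive, which is the sort of event you have to teach the profile about. Neither technology on its own covers all three cases, which is why the choice between them depends on what you expect to face.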