Partner Perspectives: Connecting marketers to our tech communities.
4/23/2018 09:00 AM
Diana Shtil, Partner Perspectives
IDS & IPS: Two Essential Security Measures

To protect business networks, one line of security isn't enough.

What is the best threat management system for a business network? It's a difficult question to answer because threat management isn't about finding a single solution to every problem; it's about layering multiple solutions in a way that offers the best protection against a variety of threats.

When it comes to protecting business networks, a single line of security simply is not enough. Layered security takes advantage of multiple security tools, each designed to defend against a specific kind of attack. Layered security works similarly to having multiple walls or fences surrounding a building rather than relying on a single gate to deter intrusion. If an attack breaches the perimeter defense, then there are still secondary, tertiary, and other defenses in place.

Intrusion-detection systems (IDS) and intrusion-prevention systems (IPS) are two such defenses. Both rely on similar technologies, but each serves a different function, sits at a different point in the network, and defends against different kinds of attacks. To understand this relationship, let's review the specifics of IDS and IPS.

What Is an IPS?
To keep the metaphor of the network as a building, an IPS is like a security guard. It's an active, in-network presence designed to prevent incoming attacks and stop attacks in progress. The security guard doesn't do much to keep intruders out, but if they find their way inside, the security guard has the power to stop them from doing further damage.

The IPS sits behind the firewall, directly in the communication path of any data attempting access, also known as "inline." As an inline intrusion-detection tool, an effective IPS checks all incoming traffic against known security threats. It does this through a variety of mechanisms, but the two most widely used methods are statistical anomaly-based detection and signature-based detection.

Statistical anomaly-based detection allows prevention systems to take a sample of current network traffic, and then compare it against a predetermined "normal" baseline. To do this, the IPS must be able to establish a behavior profile for the network from which to develop a set of standard operating parameters. When incoming traffic deviates from these parameters, the system takes this as evidence of a possible attack and responds accordingly.

Alternatively, signature-based detection identifies malicious traffic by patterns (signatures) unique to known exploit code. To do this, IPS tools keep and maintain an ever-growing database of exploit signatures. As known exploits breach the outer defenses, the IPS recognizes them from its database and moves to eliminate them. When the IPS encounters new exploits, it records them for future identification.

Unfortunately, both of these methodologies face the danger of false positives. Signature-based detection that incorporates vulnerability-facing signatures (signatures that match the vulnerable condition rather than one specific exploit) allows for better protection even against unknown exploits, but at an increased risk of misidentifying benign traffic as malicious. Likewise, anomaly-based detection flags any deviation from the baseline, leaving little room for legitimate variation in traffic. In either case, the end result is a loss of potentially beneficial traffic.

Of course, the IPS is just one layer, and preventing threats is just one part of the equation. Detecting threats falls to the responsibility of IDS tools.

What Is an IDS?
An IDS could be thought of as a building's security system. It's a passive security measure. A security alarm can alert security personnel to a threat, but it cannot take direct action against the threat. Likewise, an IDS is limited to identifying possible cyberattacks rather than preventing them.

To detect these threats, the IDS doesn't need to have an in-network presence, meaning it does not sit in the path of incoming data. Instead, IDS tools reside outside the network in an out-of-band, independent data channel. As such, these systems don't need real-time access to data; instead, they review copies of incoming data using an external monitoring device called a network test access point (TAP).

Through the tap, the IDS can examine mirrored data packets from many different points within the network. Data copies are compared to a library of known threats. The goal is to correctly identify malicious traffic before it can proceed further into the network.

An IDS gives security engineers the power to look deep into the network without impeding the flow of network traffic. Properly used, IDS tools can help guard against a variety of threats, including policy violations, information leaks, configuration errors, and unauthorized clients, servers, and applications. This is in addition to protecting against viruses and Trojan-horse attacks.

However, there are some drawbacks to using an IDS. Because the IDS uses data copies, never coming into contact with the original network data, it is incapable of taking direct action against threats. Instead, as the IDS identifies malicious traffic, it logs the incident and sends an alert to the network administrator. It then becomes the administrator's responsibility to take action against the threat.

If attackers are fast enough, or if administrators don't have the requisite experience handling the threat in question, the IDS can do very little to prevent damage to the network.
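The two detection methods described in the IPS section (a statistical baseline and a signature database) and the deployment difference described in the IDS section (inline sensor that can drop versus passive sensor on a copy that can only alert) can be shown together in one small engine. This is an added illustration written for this article, not Gigamon's or any vendor's code; the signature patterns, the baseline counts and the sample flows are constructed, and the rate threshold of three standard deviations is an assumption.

```python
import re
import statistics
from collections import Counter

# Constructed signature database (hypothetical, not a vendor ruleset): name -> known-bad byte pattern.
SIGNATURES = {
    "directory-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-tautology": re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

def signature_match(payload):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def build_baseline(counts):
    """Statistical 'normal' profile: mean and std dev of requests per source."""
    return statistics.mean(counts), (statistics.pstdev(counts) or 1.0)

def is_anomalous(count, baseline, threshold=3.0):
    """Flag a per-source count whose z-score against the baseline exceeds threshold (assumed 3.0)."""
    mean, stdev = baseline
    return (count - mean) / stdev > threshold

def evaluate(flows, baseline, inline):
    """One verdict per (source_ip, payload) flow: 'forward', or 'drop' when the
    sensor is inline (IPS) and 'alert' when it only sees copies from a TAP (IDS)."""
    per_source = Counter(src for src, _ in flows)
    verdicts = []
    for src, payload in flows:
        reason = signature_match(payload)
        if reason is None and is_anomalous(per_source[src], baseline):
            reason = "rate-anomaly"
        if reason is None:
            verdicts.append((src, "forward", None))
        else:  # a passive sensor works on a copy, so it can only raise an alert
            verdicts.append((src, "drop" if inline else "alert", reason))
    return verdicts

# Constructed sample: baseline of 4-6 requests per source, then one window in
# which 10.0.0.9 fetches nine images of a page (legitimate burst -> false
# positive) and 10.0.0.7 sends one request matching a signature.
BASELINE = build_baseline([4, 5, 6, 5, 4, 6, 5, 5])
SAMPLE_FLOWS = [("10.0.0.5", b"GET /index.html")]
SAMPLE_FLOWS += [("10.0.0.9", b"GET /img/%d.png" % i) for i in range(9)]
SAMPLE_FLOWS += [("10.0.0.7", b"GET /../../etc/passwd")]
def run_demo(inline):
    return evaluate(SAMPLE_FLOWS, BASELINE, inline)
```

Running `run_demo(inline=True)` drops the nine image requests as well as the traversal attempt, which is the false-positive cost the article describes; `run_demo(inline=False)` produces the same findings as alerts only, leaving the response to the administrator.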

IDS vs. IPS
With IDS and IPS explained as two different layers of network security — rather than as complete security solutions — it hardly makes sense to try to determine which is the better option. In reality, the most effective solutions are those that incorporate multiple layers into a single, comprehensive security resolution. This approach is known as unified threat management (UTM).

UTM is closely associated with IDS but integrates multiple security features. UTM systems expand upon the more traditional firewall approaches to network safety. By incorporating both intrusion prevention and intrusion detection, along with other security functions, into a single, unified appliance, UTM tools allow for improved security flexibility at reduced costs.

Rather than having to purchase and maintain multiple boxes at different points throughout the network, organizations can deploy a UTM solution to handle their entire network security. Effective UTM devices operate inline, and are capable of filtering, analyzing, and reporting, along with load balancing and intrusion prevention. UTM solutions are designed with simplicity in mind and sometimes aren't complex enough to handle certain complicated threats. At the same time, if the device fails or requires any sort of extensive maintenance, then the link will need to be disconnected, resulting in potentially damaging network downtime.

IDS, IPS, and even UTM solutions all have their drawbacks, but with the right tools, those drawbacks can be offset. As modern threat management systems adapt to combat the dangers of malicious data in motion across networks, it's becoming clear that current solutions are simply not enough.

What is the best threat management system for a business network? One that incorporates IDS and IPS solutions and that has been optimized for deep visibility and superior protection.

Find out the latest on intrusion prevention from Gigamon.

Diana Shtil is a seasoned marketing professional with a track record for developing go-to-market strategy, executing product launches and generating content that drives awareness and purchase consideration. Prior to joining Gigamon, Diana worked within the wireless ...