Intrusion Prevention or Intrusion Detection System – What are they and which should I use?
Amethyst’s Andy Heathcote presents a Bluffer’s Guide
When designing or upgrading an IT system, the question of whether to use an intrusion prevention system (IPS) or an intrusion detection system (IDS) often comes up. However, it is often the case that neither their security role nor their potential impact on how the IT system will function once they are deployed is fully understood.
This article provides a bluffer’s guide to how each of these works, their core differences and, hence, their different potential impacts on business processes.
Both can be network based or host based (i.e. placed on the network infrastructure, or installed directly onto the operating system of the servers and/or user access devices (UADs)). Network-based systems are referred to as NIDS or NIPS; host-based ones as HIDS or HIPS. The fundamental difference between IDS and IPS is that an IDS detects malicious activity (including known malware) and raises an alert, whereas an IPS prevents that activity from taking place by blocking it. An IDS watches traffic; an IPS controls traffic.
Looking at NIDS and NIPS: how do they work, and what is their impact on the operation of the IT system?
A NIDS operates in passive mode: it monitors a copy of the network traffic (typically from a mirror/SPAN port or a network tap) but does not interfere with it. When it identifies an anomaly or a known attack signature, it notifies the NIDS management server, which should be monitored by a security operations centre (SOC), with automated alerts from the server to assist the administrators.
It will not stop an attack, but it will alert that one is taking place so that incident management can begin. A NIPS, on the other hand, is not passive and can be operated in one of two configurations: active response or in-line. An active-response NIPS sits out of band, like a NIDS, and reacts to a detection by, for example, sending TCP resets or pushing a block rule to a firewall; an in-line NIPS sits directly in the traffic path and can drop packets before they reach their destination. In both cases the NIPS alters the flow of traffic, i.e. it prevents what it believes to be malicious traffic, but only the in-line configuration can stop the first malicious packets from arriving.
HIDS and HIPS operate in a similar manner to NIDS and NIPS (they detect or prevent), but at the host level (the server operating system or the UAD), where they can also see local activity such as file, process and configuration changes that a network sensor cannot.
From a business perspective, IDS and IPS can have very different impacts. Well configured, they provide good layers of defence for a business’s IT systems by preventing malicious activity (IPS) and detecting unauthorised activity (IDS).
They can also be used together, as they complement each other. However, when poorly configured or managed, their impacts differ. A poorly configured IDS can either generate a lot of false positives, tying up administrator time and perhaps causing IT to be taken offline unnecessarily, or it can miss actual attacks (false negatives), leaving the system exposed if nothing is done. Both of these have an impact on the business. A poorly configured IPS, in addition to the impact of not preventing a serious attack and the damage that can cause, can have a more immediate and potentially unnoticed effect: it can stop legitimate traffic from getting through, and so damage the business directly.
So what should be done? The threats and risks to the business need to be clearly identified and, if the threats merit it, consideration given to using both IDS and IPS to address those risks. Security has a cost and it needs to be proportionate and appropriate for the business; IDS and/or IPS may be the best defence but they also may not be; they are definitely not the whole answer.
The decision as to whether these are deployed at the network or host level (or both) will be driven by where the protection is required and by the cost of implementation and management. The most important aspect of both is the implementation: IDS and IPS need to be situated correctly and appropriately within the network or system, and the rule sets configured well. As a general principle, an IPS should run a smaller rule set than an IDS, so that the risk of blocking legitimate traffic (i.e. damaging the business) is minimised: only the rules with a proven low false-positive rate should be allowed to block. Greater reliance is then placed on the IDS to detect attacks and to enable a fast reaction to them.
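The following is an added example, not code from the article or from any product, illustrating three of the points above in one place: the same rule set run passively (IDS: everything is forwarded, matches only alert) and in-line (IPS: matching traffic is dropped), the business cost of a noisy rule when it is allowed to block, and the principle of deriving a smaller, trusted IPS rule set from the IDS one. The rule syntax is a deliberately minimal subset of the Snort/Suricata format (an assumption of this example: only the protocol, destination port, `content` and `sid` are honoured); the rules, events and per-rule false-positive counts are all constructed for the demonstration.

```python
"""Toy NIDS/NIPS engine: one rule set run passively (IDS) and in-line (IPS).

Rule syntax is a minimal subset of the Snort/Suricata format (assumption of
this example: only proto, destination port, 'content' and 'sid' are honoured;
addresses, source port and other options are parsed but ignored).
"""
import re
from dataclasses import dataclass, replace

RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str   # 'alert' (notify only) or 'drop' (block when run in-line)
    proto: str
    dport: str
    msg: str
    content: str  # case-sensitive substring the payload must contain
    sid: int


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the simplified syntax described above."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        key, _, val = opt.strip().partition(":")
        if key:
            opts[key] = val.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("dport"),
                opts.get("msg", ""), opts.get("content", ""), int(opts["sid"]))


def matches(rule: Rule, ev: dict) -> bool:
    return (rule.proto in ("any", ev["proto"])
            and rule.dport in ("any", str(ev["dport"]))
            and rule.content in ev["payload"])


def inspect(rules, events, mode: str) -> dict:
    """Run events through the rules.

    mode='ids': passive sensor; every event is forwarded, a match only alerts.
    mode='ips': in-line sensor; an event matching a 'drop' rule is discarded.
    """
    result = {"alerts": [], "forwarded": [], "dropped": []}
    for ev in events:
        hit = next((r for r in rules if matches(r, ev)), None)  # first match wins
        if hit:
            result["alerts"].append((hit.sid, ev["id"]))
        if mode == "ips" and hit and hit.action == "drop":
            result["dropped"].append(ev["id"])
        else:
            result["forwarded"].append(ev["id"])
    return result


def build_ips_ruleset(rules, false_positives: dict, max_fp: int):
    """Derive the IPS rule set from the IDS one: only rules whose false-positive
    count over an IDS-mode baseline period is <= max_fp are promoted to 'drop';
    the rest keep alerting so they are still seen by the SOC, but never block."""
    return [replace(r, action="drop" if false_positives.get(r.sid, 0) <= max_fp else "alert")
            for r in rules]


# Constructed sample data (not from any real deployment).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../../../etc/passwd"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"SQL injection attempt"; content:"UNION SELECT"; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"Noisy: select keyword in URL"; content:"select"; sid:1000003; rev:1;)',
]
SAMPLE_EVENTS = [
    {"id": "e1", "proto": "tcp", "dport": 80, "payload": "GET /index.html"},
    {"id": "e2", "proto": "tcp", "dport": 80, "payload": "GET /../../../etc/passwd"},
    {"id": "e3", "proto": "tcp", "dport": 80, "payload": "GET /search?q=select+a+colour"},  # legitimate
    {"id": "e4", "proto": "tcp", "dport": 80, "payload": "GET /item?id=1 UNION SELECT password FROM users"},
]
# False positives per sid observed while the rules ran in IDS mode (constructed).
BASELINE_FALSE_POSITIVES = {1000001: 0, 1000002: 0, 1000003: 37}


def demo() -> dict:
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    naive_ips = build_ips_ruleset(rules, BASELINE_FALSE_POSITIVES, max_fp=10**9)
    tuned_ips = build_ips_ruleset(rules, BASELINE_FALSE_POSITIVES, max_fp=0)
    return {
        # passive: everything reaches the server, the SOC gets three alerts
        "ids": inspect(rules, SAMPLE_EVENTS, "ids"),
        # naive in-line: every IDS rule promoted to drop, legitimate e3 is blocked
        "ips_all": inspect(naive_ips, SAMPLE_EVENTS, "ips"),
        # tuned in-line: only zero-false-positive rules block; e3 still alerts but passes
        "ips_tuned": inspect(tuned_ips, SAMPLE_EVENTS, "ips"),
    }


if __name__ == "__main__":
    for mode, r in demo().items():
        print(f"{mode:9s} dropped={r['dropped']} forwarded={r['forwarded']} alerts={r['alerts']}")
```

Running the module shows the trade-off the article describes: in IDS mode nothing is dropped and all three hits are alerted; promoting the whole IDS rule set to `drop` blocks the legitimate search request `e3` along with the two attacks; promoting only the rules with a clean false-positive record blocks the two attacks, lets `e3` through, and still raises the same alerts for the SOC to review.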
A necessary companion to good IDS and IPS configuration is a solid backup and business recovery plan: if the IDS alerts and the main system has to be taken offline to deal with the attack, then fast recovery (or fallback to a mirrored or backed-up system) is required to continue operational business.
IDS and IPS can be important elements in the layers of security; however, if not deployed or configured appropriately they can cause more damage to the business than if they had not been used at all. Their use needs to be considered carefully, and the risks and threats they are intended to address assessed fully, so that they can be configured appropriately.
For further information on how Amethyst can help protect your business, email firstname.lastname@example.org