IDS/IPS - Do I need it?

Intrusion Detection System (IDS) and its active counterpart, Intrusion Prevention System (IPS), are technologies that do roughly what their names imply: an IDS detects unwanted traffic on your network, and an IPS detects it and blocks it. Vendors sell them under different names (network IDS/NIDS, network IPS/NIPS, or the "threat prevention" module of a next-generation firewall), but they're the same thing under the hood. The name suggests they stop threats from getting in from the outside, but they also watch for and stop malicious activity leaving your network from the inside - a compromised machine calling home, for example. Most networks don't run these services by default, and for good reason: inspecting every packet is computationally expensive for most network hardware, and the alerts need significant human oversight to be useful.

IDS - the detection half of the IDS/IPS pair - works by inspecting every packet as it crosses a monitored point in the network, usually a mirror (SPAN) port or a network tap, so it sees the traffic without sitting in its path. That means it has to examine all the bits that make up the billions of packets streaming across your network all day, reassemble them into conversations, and decide whether they carry malicious payloads. It decides that in three ways: comparing the bits against a collection of known malware and attack signatures, comparing the traffic to an established baseline of what normal looks like, and checking the traffic for protocol violations. Signatures are published by public and commercial sources at regular intervals, much like anti-virus updates. The baseline is learned during an introduction period after the IDS is deployed, and it has to be re-learned when the network changes or it starts flagging legitimate traffic. A protocol violation is a deviation from how the protocol's specification says traffic must look: a DNS message that doesn't parse, an HTTP request with no valid request line, and so on.

A simple example of how an IDS works: when you type "https://google.com" into your web browser and press the enter key, your computer first sends a DNS lookup request to your name server.  I'll spare you the raw data and describe it like a conversation:

Browser: Hey, DNS, do you know the way to google.com?
DNS: Sure, its home address is 172.217.14.238.
Browser: Thanks!

While that conversation was happening, this is what happened in the background...

IDS: Hmmm... Browser sent some packets to DNS, seems that Browser is asking for the address of google.com... looks legit, no need to notify anyone.

The IDS examined the packets and determined they were safe based on a number of checks:
1. The destination address (your name server) has a good reputation.
2. The query type (an A record lookup) is a common one.
3. The packets were the expected size and not malformed.
4. The transaction between Browser and DNS completed normally: one request, one matching reply.

Now, what if you are browsing the internet, searching for a good deal, following links, and you click on a rotten link that takes you to a website with malware?  The conversation might look a little different to the IDS:

Browser: Hey, DNS, https://sketchywebsite.net/ has a great deal on life rafts! Do you know the way?
DNS: Sure, the address is 172.67.206.28. Have fun!
Browser: What is this?! I'm ded.

IDS: wow, these packets are total garbage! I better make a note that this website is BAD!

...and that's all an IDS will do for you. It'll add a log entry (and, if configured, send an alert) saying that you're exchanging network traffic with a malicious website.  The traffic still flows. To stop it at the firewall you need an...
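Here is a toy version of those three checks (signature, baseline anomaly, protocol violation) in Python, added as an illustration; it is not code from the original post. It reads constructed packet records (the addresses, sizes and payloads are made up), learns a size baseline from a handful of benign packets, and then inspects the two conversations above. The bad-reputation address and the domain signature are hypothetical threat data, not a real feed, and the DNS "query format" is a two-word stand-in for a real wire message. Note that a real rule set would usually match the sketchy domain already in the DNS query, as this one does.

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "dns" or "http"
    size: int        # declared bytes on the wire (constructed for the example)
    payload: bytes   # application data (constructed for the example)


# Constructed threat data, purely hypothetical: a reputation feed and two
# content signatures (a known-bad domain and a NOP-sled byte pattern).
BAD_REPUTATION = {"172.67.206.28"}
SIGNATURES = [b"sketchywebsite.net", b"\x90\x90\x90\x90"]

COMMON_QTYPES = {"A", "AAAA", "CNAME", "MX"}
MAX_UDP_DNS = 512   # RFC 1035 limit for DNS over UDP without EDNS0
# Accepts an HTTP/1.x request line or status line; anything else is "malformed".
HTTP_START = re.compile(rb"^(?:(?:GET|POST|HEAD) \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3}[^\r\n]*)\r\n")


class ToyIDS:
    """Passive sensor: inspect() returns the reasons a packet looks bad and appends
    them to the log. It never drops anything; that is the IPS's job."""

    def __init__(self, sigma=3.0):
        self.sigma = sigma
        self.baseline = {}   # proto -> (mean size, population stdev)
        self.log = []        # (reason, packet) pairs

    def learn_baseline(self, packets):
        """Introduction period: learn what normal packet sizes look like per protocol."""
        sizes = {}
        for p in packets:
            sizes.setdefault(p.proto, []).append(p.size)
        self.baseline = {proto: (mean(s), pstdev(s)) for proto, s in sizes.items()}

    def inspect(self, p):
        reasons = []
        # 1. Signatures: reputation of either endpoint, and byte patterns in the payload.
        for host in (p.src, p.dst):
            if host in BAD_REPUTATION:
                reasons.append(f"bad reputation: {host}")
        for sig in SIGNATURES:
            if sig in p.payload:
                reasons.append(f"signature match: {sig!r}")
        # 2. Protocol violations: deviations from how the protocol is defined to behave.
        if p.proto == "dns":
            if p.size > MAX_UDP_DNS:
                reasons.append("dns: UDP payload over 512 bytes")
            parts = p.payload.split()          # toy query format: b"<name> <qtype>"
            if len(parts) != 2:
                reasons.append("dns: malformed query")
            elif parts[1].decode(errors="replace") not in COMMON_QTYPES:
                reasons.append(f"dns: uncommon query type {parts[1]!r}")
        elif p.proto == "http" and not HTTP_START.match(p.payload):
            reasons.append("http: malformed request/status line")
        # 3. Anomaly: packet size far outside the learned baseline for this protocol.
        if p.proto in self.baseline:
            mu, sd = self.baseline[p.proto]
            if abs(p.size - mu) > self.sigma * max(sd, 1.0):   # floor sd so a flat baseline still works
                reasons.append(f"anomaly: size {p.size} vs baseline {mu:.0f} +/- {sd:.0f}")
        self.log.extend((r, p) for r in reasons)
        return reasons


# Constructed benign traffic used to learn the baseline.
BENIGN = [Packet("10.0.0.5", "10.0.0.1", "dns", s, b"example.com A") for s in (60, 64, 62, 66, 61, 63)]
BENIGN += [Packet("10.0.0.5", "93.184.216.34", "http", s, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
           for s in (300, 310, 290, 305, 295, 320)]

# The two conversations from the post: google.com, then sketchywebsite.net.
SCENARIO = [
    Packet("10.0.0.5", "10.0.0.1", "dns", 64, b"google.com A"),
    Packet("10.0.0.5", "172.217.14.238", "http", 310, b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.1", "dns", 63, b"sketchywebsite.net A"),
    Packet("10.0.0.5", "172.67.206.28", "http", 305, b"GET /liferafts HTTP/1.1\r\nHost: sketchywebsite.net\r\n\r\n"),
    Packet("172.67.206.28", "10.0.0.5", "http", 1400, b"Hehehe" + b"\x90" * 400 + b"\xcc"),
]


def run_scenario():
    """Return one list of reasons per scenario packet (empty list = looks legit)."""
    ids = ToyIDS()
    ids.learn_baseline(BENIGN)
    return [ids.inspect(p) for p in SCENARIO]


if __name__ == "__main__":
    for p, reasons in zip(SCENARIO, run_scenario()):
        print(f"{p.src} -> {p.dst} ({p.proto}):", reasons or "looks legit")
```

The google.com lookup and request come back clean on all three checks; the sketchywebsite request trips the reputation and signature checks, and the reply from it trips all of them at once (bad source, NOP-sled signature, no valid HTTP start line, and a size far outside the baseline). The engine only returns and logs those reasons; nothing is dropped.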

Intrusion Prevention System

The IPS is the active part of the IDS/IPS duality.  It must sit in-line with your network traffic, so that every packet passes through it, in order to block identified traffic from entering or leaving your network.  Where an IDS on a tap can only watch, an IPS can drop the packet itself, and it commonly works in concert with the firewall to activate rules on the fly when malicious or improper traffic is identified.

In the above example, an active IPS would recognize the IP address in the first packet to sketchywebsite as belonging to a host with a bad reputation. It would drop that packet, tell the firewall to block further traffic to or from that host, and raise an alert so that the block stays in place until a human can review it.

Browser: Hey, sketchywebsite, can you send me some info about life rafts?
SW: Hehehe, here's some pa...
IPS: Not so fast, sketchywebsite! Blocked! "Hey human, I need to let you know that Browser is visiting sketchywebsite!"

And just like that, the Browser is safe and IT is notified.
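The same conversation pushed through an inline engine, written in Python as an added example; it is not the post's code. The engine runs either in IDS mode (on a tap, log only) or IPS mode (inline, drop), installs a dynamic block rule the first time a bad-reputation host is seen, queues a notification for a human, and lets that human lift the rule after review. The reputation feed and the packets are constructed for the example, and detection is reduced to the reputation lookup the text describes; a real product would run the full signature, anomaly and protocol checks as well.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed reputation feed for the example (hypothetical, not real threat intel).
BAD_REPUTATION = {"172.67.206.28"}


@dataclass
class InlineEngine:
    """One engine, two deployments: inline=True is an IPS in the forwarding path
    that drops packets; inline=False is an IDS on a tap/SPAN port that only logs
    what it would have done."""
    inline: bool = True
    rules: dict = field(default_factory=dict)        # host -> reason (dynamic block rule)
    cleared: set = field(default_factory=set)        # hosts a human has reviewed and allowed
    notifications: deque = field(default_factory=deque)
    forwarded: int = 0
    dropped: int = 0

    def process(self, pkt):
        """Return the packet if it is forwarded, None if dropped."""
        for host in (pkt.src, pkt.dst):
            if host in self.rules:                  # existing rule: no re-inspection needed
                return self._drop(pkt)
        bad = next((h for h in (pkt.src, pkt.dst)
                    if h in BAD_REPUTATION and h not in self.cleared), None)
        if bad is None:
            self.forwarded += 1
            return pkt
        # First sighting: install the rule, page a human, then act on this packet.
        self.rules[bad] = "bad reputation"
        self.notifications.append(f"{pkt.src} -> {pkt.dst}: {bad} blocked pending human review")
        return self._drop(pkt)

    def _drop(self, pkt):
        if not self.inline:          # IDS: the decision is recorded, traffic still flows
            self.forwarded += 1
            return pkt
        self.dropped += 1
        return None

    def acknowledge(self, host):
        """Human review found a false positive: lift the rule and allow the host."""
        self.rules.pop(host, None)
        self.cleared.add(host)


# Constructed exchange from the post: the browser visits sketchywebsite, which
# answers with a malicious payload, then the browser goes on to google.com.
CONVERSATION = [
    Packet("10.0.0.5", "172.67.206.28", b"GET /liferafts HTTP/1.1\r\nHost: sketchywebsite.net\r\n\r\n"),
    Packet("172.67.206.28", "10.0.0.5", b"HTTP/1.1 200 OK\r\n\r\nHehehe, here's some pa..."),
    Packet("172.67.206.28", "10.0.0.5", b"\x90\x90\x90\x90\xcc"),
    Packet("10.0.0.5", "172.217.14.238", b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"),
]


def run(inline):
    """Push the conversation through the engine; return it and the packets that got through."""
    engine = InlineEngine(inline=inline)
    delivered = [out for out in map(engine.process, CONVERSATION) if out is not None]
    return engine, delivered


if __name__ == "__main__":
    for mode in (False, True):
        engine, delivered = run(mode)
        print("IPS" if mode else "IDS", "forwarded", engine.forwarded, "dropped", engine.dropped,
              "notified", list(engine.notifications))
```

In IDS mode all four packets are forwarded and the malicious reply reaches the browser; the only output is one notification. In IPS mode the first packet to sketchywebsite is dropped, the two replies are dropped on the rule already installed without being inspected again, and the later google.com request passes. Calling acknowledge() on the host is the "human contacted" step: it lifts the rule and lets traffic to that host resume.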

Do you need IDS/IPS?

Now, imagine everyone in your office going about their jobs all day and generating 100 terabytes of traffic across your network.  If only 0.01% of that traffic trips any of the IDS's checks, that is still 10 gigabytes - on the order of ten million packets - representing thousands of potential intrusion attempts that someone has to look at.

To keep that torrent of information manageable, the IDS/IPS has to be tuned so that it only reacts to traffic that's truly malicious.  Thankfully, the published rule sets and reputation lists come with sensible defaults that ease that burden a little.  The rest is up to your IT team: weeding out false positives, suppressing rules that keep firing on legitimate traffic, and spotting the sketchy traffic before it gets a foothold in your network.

In some sectors, compliance requirements call for it - PCI DSS, HIPAA and SOX are the most common.  PCI DSS requires intrusion detection or prevention outright; HIPAA and SOX don't name the technology, but monitoring for unauthorized access is hard to demonstrate without it. If your business handles payment cards, financial data, personal information, or health records, you are likely required to follow one of those frameworks. Even if you aren't, if you care about the security of your data, you need IDS/IPS.