In modern cybersecurity, there are two major types of devices for protecting the edge: intrusion detection systems (IDS) and intrusion prevention systems (IPS).
An IPS sits in-line, in a network, and touches on each packet to and from the Internet. It provides protection by inspecting packets and forwarding or dropping the packets based on pre-configured, static rules (i.e. signature matching). An IDS, on the other hand, will not be able to touch any packets, it only sniffs the packet for detection, based on signatures as well, and then generates an alert for the administrator to investigate.
Given this difference in defensive capability, an IPS sounds like a better tool than an IDS. If that is the actual case, then why isn’t it deployed as widely, or more widely, than an IDS?
Time and Latency Restraints
There are a couple of reasons. Not counting the high price tag on an IPS, there are a number of technical limitations to consider. First of all, an IPS must be very careful with its ‘time budget’ and should not hold a packet for too long during inspection and matching, otherwise it risks getting in the way of smooth communication due to the delay or latency it will introduce. Users do not like in-line systems to clog or slow their network. This is a fundamental requirement of in-line systems. This becomes a critical constraint for an IPS, which needs to do things as fast as possible, especially when it needs to match ever-growing lists of signatures. This constraint effectively reduces the bandwidth it can handle.
An IDS does not have this constraint; it merely sniffs on packets, which does not introduce any delays or interruption in the communication. In fact, an IDS can process a packet seconds later, and does not impact the performance or latency of the network. Also, bandwidth issues are less of a problem for IDS's since multiple devices can share the load. On top of this design advantage, there are multiple open source IDS's available in the market making it a relatively safe (and conservative) approach to perimeter and edge defense for many enterprises.
Protection by Packet Injection
We all know protection is the ultimate goal, so it may be a curious question but; can an IDS provide any meaningful protection? The answer is a qualified yes. Even though IDS's are not built for protection, there is a useful trick that an IDS can do: we can connect an IDS to a network tap sitting inline and inject a packet to disrupt the targeted session.
In the case of TCP sessions, an IDS can send a kill packet (TCP RST) to terminate a given session. This trick was employed as early as 2003 by Snort, the pioneer of open source IDSs.
The harder part of protecting all types of network session is in the case of a UDP session. UDP sessions are connection less and do not have an establishment and termination phase. But, it is possible to disrupt a UDP session by injecting packets nevertheless. In addition to injecting UDP packets, one can also inject ICMP port-unreachable packets. This will fool a UDP application into thinking that the UDP packet it sent was bounced by the OS due to no application listening on the destination port.
To find the effectiveness of this method, one just needs to run a simple test with the famous command “netcat”.
$ netcat 10.0.0.1 8888 -u
The above command will open a UDP connection to the server (10.0.0.1) with destination port 8888. When the user types “hi”, the netcat will send this message in the form of a UDP packet. Since there is no server running on host 10.0.0.1 (or listening on the UDP port 8888), the host 10.0.0.1 will send an ICMP ‘port unreachable’ message (see the following snapshot from a packet sniffer). Netcat will then close the socket and exit after seeing this ICMP packet.
Protection by packet injection is very effective in disrupting malware communication using TCP. This technique can be very helpful against malware that communicates using UDP as well.
IDS and IPS - Together, Not Either/Or
Killing packets aside, IDS is a good choice to complement an IPS solution because it moves in the direction of modern cyber security where cyber criminals are getting smarter and smarter: the bigger part of the cyber defense time and budget will be spent on the detection of the threat. This is understandable because malware frequently uses many of the latest encryption and obfuscation techniques thus rendering signature based protection much less effective. IDS, because it is not inline, can afford to be more flexible in detection:
- Using a network tap with multiple output ports, like those from our good partner, Garland Technology, organizations can deploy multiple IDS's can running side-by-side, processing the same traffic, achieving a much better detection ratio, by complementing each other.
- Behavior-based detection tools, such as CapStar RealTime Agent (CapStarRT), can be employed to quickly, leveraging a TAP to implement the observations and techniques conceived by network and security professionals. Many aspects and behaviors of network traffic, such as the count, the order and the consistency of various protocol fields, for example, can be used in detecting traffic that has subtle but damning differences from those seen from legitimate software. In the end, it is much easier and faster to detect malware traffic (hence malware) than to it is to keep up with malware authors who are constantly coming up with new techniques to evade current systems of protection.
Few would disagree that the cybersecurity landscape is getting more and more complex. As a result, IT pros need to be aware of, and honest with themselves, with respect to the limitations of existing solutions, and in so doing, become willing to accept new solutions and techniques that offer better protection. If you have an IPS, do not be complacent thinking you are fully protected. Instead, it would a good idea to keep an eye out for ways to improve the effectiveness of IDS-based solutions as well.
Learn more about joint solutions from CapStar and Garland Technology.