ZDNet UK
Surveillance or dead lock?

Laura Taylor

Published: 20 Aug 2002 20:19 BST


IPSs are like deadbolts. They simply stop the attack. They do not analyse it and then effect a response -- which could, in fact, be the wrong response, as we have seen with false positives generated by IDSs. Where IDSs generally monitor network segments, IPSs are typically host-based products that get installed on the actual servers and desktops they are slated to protect.

Leading vendors in the intrusion prevention market include OKENA, SecureWave, and Entercept. These products typically work at the application level by analysing a proposed user action before it accesses and/or modifies any mission-critical files. The requested behaviour of the application must match the desired behaviour that has been previously defined by a standard set of rules. If the proposed action is unusual, the rules that govern the application's behaviour will prevent the action from executing. Some IPSs compare a checksum of the executable with a known good checksum list. If the proposed execution is legitimate, the application is allowed to execute. If there is a mismatch in the checksum hash, the application is not allowed to execute. Unlike IDSs, with IPSs, the logic is applied before the application is executed in memory. Other IPSs work by intercepting system calls.
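The checksum-list approach described above, shown as an added example that is not code from the article or from any of the vendors named: a known-good SHA-256 allowlist is built from trusted copies, and an executable is permitted to run only when its digest matches. The sample "binaries", their names and the tampering step are all constructed for the illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample "binaries" (name -> bytes); in practice the allowlist is
# generated from a trusted build, not from the host being protected.
KNOWN_GOOD_BINARIES = {
    "httpd": b"\x7fELF constructed trusted web server build",
    "backup": b"\x7fELF constructed trusted backup tool",
}

def sha256_of_file(path, chunk_size=65536):
    """Stream the file so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(binaries):
    """Map each executable name to its known-good SHA-256 digest."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in binaries.items()}

def execution_decision(name, path, allowlist):
    """Return (allowed, reason): run only on a checksum match, as the
    article describes; unknown executables and mismatches are denied."""
    expected = allowlist.get(name)
    if expected is None:
        return False, "executable not in allowlist"
    actual = sha256_of_file(path)
    if actual != expected:
        return False, "checksum mismatch (expected %s..., got %s...)" % (expected[:12], actual[:12])
    return True, "checksum matches known-good list"

def demo():
    """Write the constructed binaries to a temp dir, modify httpd after the
    allowlist was built, and return the allow/deny decision for each candidate."""
    allowlist = build_allowlist(KNOWN_GOOD_BINARIES)
    decisions = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in KNOWN_GOOD_BINARIES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "httpd"), "ab") as f:
            f.write(b"\x90\x90 appended bytes")  # simulated post-install modification
        for name in ("httpd", "backup", "unknown_tool"):
            decisions[name] = execution_decision(name, os.path.join(d, name), allowlist)[0]
    return decisions
```

The decision is made before anything is loaded, which is the property the article contrasts with an IDS's after-the-fact analysis; an unknown name is denied without even reading the file.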

An IDS still has its place
Although IDSs have their problems, they can still offer value to an organisation or law enforcement agency under the right circumstances. For example, if your network is under attack and there has been a large loss of valuable assets such as credit card numbers or if money has illegally been transferred to the wrong accounts, using an IDS is a smart way to try to catch the perpetrator. Of course, if you install an IDS after a malicious cybercrime has been committed, you may miss picking up the necessary network traffic information you need to solve the crime. However, if the attack is still taking place, installing an IDS may help you quickly solve the mystery surrounding the attack.

Because IDSs need to collect a large array of traffic to understand anomalous patterns, they typically require a lot of massaging by a security engineer or network administrator to tune them, interpret the information, and identify false positives. In fact, monitoring IDSs can be a full-time job. We have seen instances where a hacker has actually exploited an IDS, causing it to create a denial of service attack against the organisation it's in place to protect.

Bottom line
So what can we take away from all of this? There is still a need for IDSs, but IT decision makers should understand how to use these types of systems in a smarter way. A lot of thought and planning must go into whether an organisation truly needs an IDS, an IPS, or both. It's important to figure out your IT goals before making procurement decisions.

If you work for a financial institution, you should probably deploy both an IDS and an IPS. If your systems contain medical records that include detailed patient information that doctors use to make treatment decisions, you should probably deploy an IDS and an IPS. I am making these recommendations based on the assumption that the loss of large amounts of money or the loss of life have high-risk implications that require the utmost safeguards.

However, if losing your data would, at worst, create a big inconvenience while your operations team secured the perimeter and the hosts and restored the data, it might be more worthwhile for your organisation to install only an IPS. Certainly, if there are no staff resources dedicated to tuning an IDS or providing the ongoing expert analysis required to get the value out of it, there is no point in installing one.

In implementing either an intrusion detection or intrusion prevention system, the risks being analysed or prevented should always align with business risks -- an important point that many IT decision makers fail to address.

The following are some of the important points to remember:

  • IDSs are installed on network segments.
  • IPSs are installed on servers and desktops.
  • IDSs require expert tuning to be truly useful.
  • IDSs require more administrative overhead.
  • IDSs can't parse encrypted traffic.
  • IDSs and IPSs should both have a central management console.
  • IDSs have more potential for identifying hackers.
  • IPSs can better protect applications.
  • Intrusion prevention products are ideal for blocking Web defacement.
  • Neither an IDS nor an IPS is a replacement for firewalls.
