What is IPS/IDS and where it is used

09.11.2022
Author: HostZealot Team

IDS/IPS (intrusion detection and prevention systems) are software or hardware systems that provide network and computer security. An IDS is a passive detection system that analyzes all traffic in real time and reports possible threats when it finds them. It does not modify network packets in any way and does not affect the network infrastructure, whereas an IPS can prevent the delivery of packets in the same way a firewall does.

As an intrusion prevention system, an IPS also analyzes traffic constantly, but it has more power: it can reject packets if its analysis detects a threat. It uses a signature database to detect threats, so regular updates are recommended to ensure that the system performs its functions properly.
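
The difference between the two modes, as an added example that is not part of the original article: the same signature check is run once passively (IDS) and once inline (IPS). The signature patterns, the `Packet` type and the sample traffic are constructed for illustration and are not a real ruleset.

```python
import re
from dataclasses import dataclass

# Constructed signature database: name -> byte pattern (assumption, not a real ruleset).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sql-tautology": re.compile(rb"(?i)'\s*or\s+1\s*=\s*1"),
}

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

def match_signatures(pkt):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]

def inspect(packets, inline):
    """inline=False models an IDS (alert only); inline=True models an IPS (alert and drop)."""
    forwarded, alerts = [], []
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt.src, hits))
            if inline:
                continue  # IPS: the packet is not delivered
        forwarded.append(pkt)  # IDS: traffic is never modified or withheld
    return forwarded, alerts

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Packet("198.51.100.7", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.9", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.9", 80, b"GET /item?id=1' OR 1=1-- HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in (False, True):
        fwd, alerts = inspect(SAMPLE, inline=mode)
        print("IPS" if mode else "IDS", "forwarded:", len(fwd), "alerts:", alerts)
```

Both modes raise the same two alerts; only the inline mode withholds the matching packets, which is why a false positive costs more on an IPS than on an IDS.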

IDS technology and architecture

An IDS can only detect a threat and notify the administrator of the event; further action is up to the administrator. The detection system can work:

  1. At the network level. This would be the Network Intrusion Detection System (NIDS).
  2. At the individual host level. In this case, we are dealing with a Host-based Intrusion Detection System (HIDS).

Let's take a closer look at each of them.

NIDS Technology

NIDS is installed at strategic network nodes to analyze inbound and outbound traffic for all devices. NIDS is extremely effective because it analyzes literally every packet, from the data link layer to the application layer. Unlike standard firewalls, NIDS can detect insider threats.

The disadvantage of the technology is its "voraciousness": the system analyzes all traffic without exception, which requires a lot of CPU and RAM. For this reason, using NIDS at the corporate network infrastructure level can lead to tangible delays in data exchange.

HIDS host system

Host-based systems, unlike network-based systems, are installed "point-by-point" on each individual host within a network, allowing selective protection for nodes vulnerable to attack. HIDS can also analyze inbound and outbound traffic but does so more locally for a single device.

HIDS is recommended for deployment on the network's mission-critical machines to prevent threats. This technology consumes significantly fewer resources, but it requires experience and a deep understanding of the specifics of the particular network infrastructure to select the target hosts for HIDS properly.

Types of IDS by principle of operation

Generally speaking, the fundamental principle of all such systems is that threats are identified through analysis of incoming and outgoing traffic. However, the analysis process itself may differ. There are three types of IDS according to the analysis mechanism:

  1. Signature-based IDS. An intrusion detection system that closely resembles a familiar anti-virus: it analyzes traffic and matches received packets against a signature database. For this system to be effective, the signature database must be updated regularly. The key drawback is that if the database is temporarily unavailable for any reason, such an IDS cannot provide threat detection.
  2. Anomaly-based IDS. In this case, machine learning technology is used: the system analyzes network performance and compares it to a similar period in the past. Anomalies can be statistical, protocol-level, or traffic-level, and the threat detection system is capable of detecting and suppressing all of them, provided sufficient time and attention have been given to machine learning in the past.
  3. Rule-based IDS. An administrator can manually write sophisticated IDS rules that detect threats based on indirect or direct indications. Setting up such a system requires considerably more time and expertise, but in practice it allows for an extremely high level of protection.
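
The anomaly-based comparison "to a similar period in the past", as an added example that is not part of the original article: a statistical baseline per hour of day, scored with a z-score. The thresholds, the function names and the connection counts are assumptions constructed for illustration; a production system would use a richer model than a mean and standard deviation.

```python
from statistics import mean, stdev

MIN_SAMPLES = 5      # assumed minimum history before the detector judges a time slot
Z_THRESHOLD = 3.0    # assumed alerting threshold, in standard deviations

def build_baseline(history):
    """history: iterable of (hour_of_day, connections) from past days -> {hour: (mean, std, n)}."""
    by_hour = {}
    for hour, count in history:
        by_hour.setdefault(hour, []).append(count)
    return {h: (mean(v), stdev(v) if len(v) > 1 else 0.0, len(v)) for h, v in by_hour.items()}

def score(baseline, hour, count):
    """Compare one observation with the same hour in the past.
    Returns (verdict, z); verdict is 'normal', 'anomaly' or 'untrained'."""
    mu, sigma, n = baseline.get(hour, (0.0, 0.0, 0))
    if n < MIN_SAMPLES:
        return "untrained", None  # too little history: no statistical verdict is possible
    if sigma == 0:
        z = 0.0 if count == mu else float("inf")  # flat history: any change stands out
    else:
        z = (count - mu) / sigma
    return ("anomaly" if abs(z) > Z_THRESHOLD else "normal"), z

# Constructed history: connections per hour at 03:00 and 14:00 over seven past days,
# plus only two observations for 22:00.
HISTORY = (
    [(3, c) for c in (40, 38, 45, 41, 39, 43, 42)]
    + [(14, c) for c in (900, 950, 870, 920, 910, 940, 930)]
    + [(22, 300), (22, 310)]
)
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for hour, count in [(14, 925), (3, 900), (22, 5000)]:
        print(f"{hour:02d}:00 count={count} ->", score(BASELINE, hour, count))
```

The same 900 connections are normal at 14:00 and anomalous at 03:00, and the 22:00 slot returns no verdict at all because the baseline has not seen enough history.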

Unified Threat Management (UTM)

UTM is a universal package of utilities that contains several small protection modules, from email filters and proxy servers to VPN and IDS. In essence, it is a package that guarantees multi-level threat tracking and elimination.

NGFW and DPI

NGFW stands for next-generation firewall, a class of product that has been rapidly gaining popularity in recent years. An NGFW is a network security platform that combines a traditional firewall with additional filtering capabilities.

As for DPI (deep packet inspection), it is a deep packet analysis technology that allows you to intercept packets containing threats.

Where to install protection?

When deploying an IPS or IDS, the question arises as to which nodes it makes the most sense to install it on. The answer depends on what type of system you have. If it is PIDS, there is no sense in installing it before the firewall, because its functions are duplicated. NGFW, on the other hand, is universal and can be installed at any level.

It makes sense to place the intrusion detection system on a shared hosting site in front of the firewall on the internal side of the network – in this case, the software will analyze only the traffic allowed by the firewall. Accordingly, it will reduce the load on the system and increase the performance of the network infrastructure.

A common scenario is to deploy the IDS at the outer edge of the network protection, after the firewall. In this case, the system will cut off all unnecessary noise coming from external networks and, in addition, provide protection against mapping. In this infrastructure design, the system will monitor network layers 4 to 7, which will therefore be the other signature type, minimizing the probability of false positives.