IPS and IDS: Role and Function
Like many things in the rapidly changing world of IT security, the roles of these systems are not as distinct as they once were. Both types of security monitoring solutions look for intrusions and violations of network policy, in order to protect an organization from being compromised. Traditionally, however, they were designed to be deployed in different parts of the network and focus on different goals.
The Intrusion Prevention System (IPS) was designed to be deployed inline on the network, close to the perimeter, and complement the work of the network firewall. While the firewall works to positively identify traffic that is allowed to move on towards the internal network, the IPS looks for dangerous incoming packets or traffic that violate specific rules or network policies. Once suspicious traffic is identified, the IPS takes action by automatically blocking the traffic, logging the attack, and adding the source IP address to the block list for a period of time. IPS systems can also identify port scans that hackers use to find a vulnerability in a particular network.
As an inline device, the IPS must perform its inspection work quickly to avoid degrading network performance and to stop potential attacks in real-time. The IPS must also detect and respond accurately, to eliminate false positives or alerts that must be followed up by security staff.
The Intrusion Detection System (IDS) is the older of the two systems and is used offline, or out-of-band, to identify and log violations and send an alert to an administrator, or report the violation to a central repository called a ‘security information and event management (SIEM) system.’ A SIEM system can centrally combine alerts from multiple tools or sources to better distinguish malicious activity from false alarms. The traffic that is sent to an IDS is a copy of live traffic, generated by a SPAN port or network tap, and is not routed back into the trusted network. This is sometimes referred to as passive monitoring, since no automatic action is taken. Because it does not operate on live traffic and have the constraint of having to perform at line speed, an IDS can be used to perform more complex analyses and investigations.
While the focus of the firewall and IPS are on packets or traffic incoming to the organization, some IDS devices also designed to look for attacks that originate within the internal network. For this reason, an IDS can be deployed at any strategic point in the network.
Some IDS systems can be configured to take a pre-defined proactive action in response to a threat. One example would be to modify the rules of a firewall to block unwanted traffic from a particular IP address. This is known as a reactive IDS. It is not strictly a passive device, but it remains deployed out-of-band. This is one of the areas in which the difference between an IPS and an IDS narrows.
The providers of IPS and IDS systems continually develop new ways to identify threats and circumvent security breaches. Initially, these systems relied on signature-based identification, in which past attacks were analyzed to come up with identifying characteristics (or signatures) that the appliances then search for. The limitation, of course, is that new attacks need to be successfully identified and characterized before they can be added to the search criteria. Statistical anomaly-based techniques were then added so the systems could produce alerts based on traffic that was deemed out of the ordinary. This helps to flag what could be new attacks, but also requires a fair amount of system tuning to limit the number of false positives. Many IPS and IDS systems combine signature and anomaly-based detection.
More recently, rule-based techniques are being used to go beyond simple packet inspection and make more sophisticated predictions based on multiple events taking place on the network. The idea is that if Event A and Event B both take place, neither of them necessarily suspicious on their own, but are then followed by Event C, then it can be presumed an attack is underway. This capability is sometimes referred to as an “inference engine” and can help preempt attacks.
Best Practices for Supporting Security Devices
Whether your organization deploys and IPS, IDS, or both, there are ways to help your security systems be more effective and efficient.
- Fail-Safe Operation: Since IPS devices are deployed inline on the network, they have the potential to cause network disruption should they experience an outage. Every device deployed inline, behind the firewall, needs to be made fail-safe to preserve network uptime. A bypass switch performs this function by continually checking on the status of your IPS and confirming its ability to receive and process traffic (inline mode). If your IPS goes offline for any reason—such as a power or port failure, a software configuration error, or congestion caused by a burst in volume—the bypass switch automatically routes the traffic around the appliance (bypass mode), to keep applications and services responding.
- Zero Downtime Maintenance: In addition to failing open, an external bypass also allows administrators to proactively bypass the inline device like an IPS, to perform maintenance functions without waiting for a network maintenance window. Some administrators refer to this as bypass mode, where traffic is proactively routed around your IPS during troubleshooting or repair. This is something an internal bypass function is not able to do.
- Accelerated Deployment: Deploying an IPS is not a trivial task and the tuning and configuration of a new IPS generally takes at least several hours to complete. To avoid bringing the network down for that long, an external bypass switch can be installed in bypass mode and connected to the new IPS fairly quickly. Since traffic is being routed around the device, this give security administrators the time they need to configure and test the IPS, without impacting network traffic.
- Out-of-Band or Tap Mode: If your organization is new to security monitoring with an IPS, you may want to build confidence using the device before activating it in your live network. Some external bypass switches, such as Ixia’s iBypass, not only allow your IPS to be in inline (inspection) mode and bypass (maintenance) mode, but also in “tap mode,” which means live traffic arriving at the bypass is routed through to the network and a copy of the traffic is sent to your monitoring device. With a copy of the live traffic, you can come up-to-speed using the IPS before switching it to inline mode. An IPS operating in tap mode is essentially functioning as an IDS. In a recent discussion with one of Ixia’s sales engineers, I learned that a lot of customers leave their IPS in tap mode, apparently appreciating the functionality of the IPS and the flexibility of knowing they can switch to inline monitoring at some point in the future.
- Visibility: Attackers look for places to embed code that might be overlooked by your security monitoring devices. Make it harder for them by inspecting as much traffic as you can. Install a security fabric to aggregate traffic from across your network and make it available for inspection and detection.
To maintain a strong security posture, many organizations use both IPS and IDS systems to monitor network traffic. Keep in mind that many attacks are designed to take advantage of known holes in security software or delays in completing system updates. For this reason, it is important to keep security systems operating at full strength using the latest releases.