Which intrusion detection/protection system?

Summary

Need extra network protection to shore up your defences? Read our review of six intrusion detection (IDS) and prevention systems (IPS).

Despite a rocky beginning, intrusion detection and prevention systems are an important part of any security arsenal. We road-test six hardware and software-based systems.
Intrusion detection systems (IDS) are yet another tool offered to security administrators to augment their network security arsenal. IDSes these days fall into two distinct categories. The first are those that are passive -- they purely watch the data traffic that flows through them, and then capture and log any suspicious data based on policies and rule sets. This data can be examined by the security team and written off as false positives or escalated for further attention.

The second category of intrusion detection systems are those that are active -- they not only detect and log, but also make some attempt to prevent potential threats and attacks from these intruders. These systems are now commonly becoming known as either IPS (intrusion prevention systems) or IDPs (intrusion detection and prevention).

Both IDS and IDP systems apply similar basic methodologies when trying to pick up likely intruders or mischief on the network. The basis of this in most systems is a signature database, which can be regularly updated as new threats are identified.

Security administrators deploy software or hardware remote sensors or agents at key locations within their network, generally on the network perimeter or at gateways with other networks -- basically those that an audit has identified as being good scanning/pickup points where network traffic converges. Behind the firewalls is always a good idea. The remote sensors then report back to a central machine that manages the global policies for the system and stores the data in one location for easy logging, alerting, and reporting.

The IDS/IDP sensors deployed on the network tap into the data streams that are passing by their point and they then analyse the traffic and try and match it against the signatures in their databases. Depending on the threshold set, when a match is made the system then activates and performs whatever task the administrator has set for it, be it drop the TCP connection, alert the security team, or simply log the details for later analysis.

Naturally the performance of the network needs to be assessed prior to deploying a sensor to ensure that the sensor chosen can match the maximum traffic expected through that particular tap location. If a sensor can't handle the throughput, it will result in lost packets (therefore not checking all the data passing through). Even worse, it can impact on the overall performance of the network by creating a bottleneck. It is definitely better to overestimate rather than underestimate the potential network traffic at the point the sensor has been deployed. This approach to IT security has attracted its fair share of critics since the first systems came into play, mainly due to the large number of false positive triggers going off. Each type of system IDS/IPS has its pros and cons, and the decision to deploy one or the other is up to the security team given its own resources, unique network environment, and the threats posed to it.

Alternatively the option exists to deploy more than one type of system to give the network multiple levels of security. For example, you could couple a perimeter hardware solution monitoring the ingress/egress points of the network with host-based software covering critical machines in the network infrastructure.

The biggest threat to IDS/IPS deployments is that of the security team becoming desensitised to the data being logged over time. This is something that needs to be taken into account when creating security policies. Even if there is a high rate of false positives when a system is first deployed, it needs to be constantly tweaked to reduce the number over time, and to build a practical, robust system that may one day save the company data and the security administrator's job.
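To make the sensor mechanics above concrete (signature matching, a per-source threshold, and the passive-versus-active distinction), here is an added toy sensor in Python; it is illustrative code written for this page, not any product reviewed here, and the signatures, source addresses and payloads are constructed sample data. Raising a signature's threshold is the tuning step the previous paragraph describes: it suppresses single stray matches so the team is not flooded with false positives.

```python
"""Minimal signature-based sensor: passive (IDS) only logs, active (IPS) drops."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    pattern: bytes       # byte sequence looked for in the payload
    threshold: int = 1   # matches from one source before the action fires
    action: str = "log"  # "log", "alert" or "drop"


@dataclass
class Sensor:
    signatures: list
    mode: str = "ids"    # "ids" = passive (never drops), "ips" = active
    counts: dict = field(default_factory=lambda: defaultdict(int))
    events: list = field(default_factory=list)

    def inspect(self, src: str, payload: bytes) -> str:
        """Return the verdict for one packet: 'pass' or 'drop'."""
        verdict = "pass"
        for sig in self.signatures:
            if sig.pattern not in payload:
                continue
            self.counts[(src, sig.name)] += 1
            if self.counts[(src, sig.name)] < sig.threshold:
                continue  # below threshold: tuned out as probable noise
            self.events.append((src, sig.name, sig.action))
            if sig.action == "drop" and self.mode == "ips":
                verdict = "drop"  # only an active sensor blocks traffic
        return verdict


# Constructed sample traffic (not real captures): (source, payload)
SAMPLE = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", b"GET /../../etc/passwd HTTP/1.1"),
    ("10.0.0.7", b"USER root\r\n"),
    ("10.0.0.7", b"USER root\r\n"),
    ("10.0.0.7", b"USER root\r\n"),
]
# Constructed signatures: one fires on first match, one needs three hits
SIGS = [
    Signature("dir-traversal", b"/../", action="drop"),
    Signature("ftp-root-login", b"USER root", threshold=3, action="alert"),
]


def run(mode: str):
    """Feed the sample traffic through a sensor; return (verdicts, events)."""
    sensor = Sensor(SIGS, mode=mode)
    verdicts = [sensor.inspect(src, p) for src, p in SAMPLE]
    return verdicts, sensor.events
```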

Where to put your sentry?

The most common place for an enterprise to deploy an IDS/IPS is behind the firewall. This is because IDS/IPS systems are basically data traffic analysers, which involves a large amount of capture and logging of that traffic. Depending on the company's required level of logging, these devices can generate overwhelming volumes of log files which need to be sifted through. This can be a mind-numbing task for security operators, yet it is crucial that it is performed accurately so any potential threats to the business can be discovered and warded off in the future.

Anyone who has actually gone through firewall logs -- and seen the sheer number of packets turned away over the course of a very short period -- will realise there is absolutely no sense in deploying the IDS/IPS in front of the firewall. Think of IDS/IPS as the second line of defence or interception within your company's security cocoon. The firewall filters the most obvious unwanted data while still allowing some potentially questionable packets through, that masquerade as legitimate network traffic. The IDS/IPS system then receives all those transmissions and handles them. For this reason, while some firewalls have quite advanced logging features, they generally log too much unnecessary information and can be cumbersome to run reports from the data they generate.

IPSes take the logging role one step further by allowing the security team to create and compile complete lists of various attacks and attempted attacks against the network. These can then be used for management/threat risk analysis or even presented as evidence in court cases should the suspected perpetrator be apprehended. They can also be used to study and define patterns which may point to previously undetected network weaknesses, and enable the team to build their own ruleset or signatures to apply to their unique situation.

IPSes take their task another step forward by being able to not only monitor and log traffic according to their user set rules and policies, but they can also actively block, drop, or handle the traffic in specific ways.

IDS/IPS technologies can also help mitigate risk for the security administrator. They not only create prodigious amounts of log data, they can also work with system administrators' reports to create policies which will launch certain procedures when triggered. In some cases, these systems can be used to track users behaving suspiciously or out of character on a network, even on trusted accounts. In some cases, when used in a "honeypot" environment, the intruders can be routed to a virtual network and all their information tracked and captured in the hope of providing the necessary forensic reports of their activities and in turn allowing law enforcement agencies to capture them physically. All that is another story, but by now you should have an idea of the IDS' role in an organisation.

In short, IDSes are sophisticated virtual alarm systems for networks designed to detect and alert security staff of a possible intruder.
