Perimeter 4min de Leitura - 13 de September de 2017

How to better position IDS in a network architecture?

Camera de vigilancia posicionada ao lado esquerdo da imagem

This post is also available in: Português English Español

An intrusion detection and prevention system is a very important asset in an information security architecture. They are sensors that placed in various positions in a network topology to increase the security of the environment.

The primary purpose of an IDS/IPS is to detect signatures of known attacks, as well as anomalous packet behavior or data flows that occur on computer networks. This allows companies to know what happens in networks, especially in the interfaces of communication with the Internet.

Placement is part of a strategy that needs to be well thought out, since there are of course different trading formats for each model that can be applied. The models are not exclusive but need to be well understood to validate the desired efficiency in the environment.

If you are not familiar with the IDS/IPS term and want to know a bit more about the classifications and divisions, the post IDS: history, concept and terminologys highly recommended; reading takes no more than 7 minutes.

Difference between IDS and IPS

An important aspect to be understood is the difference between an intrusion detection system and a prevention system. The nomenclature is very clear, helping us to understand its positioning in a security architecture.

An intrusion detection system is intended to monitor network traffic and point to what may not be legitimate. A traditional packet filter does not have this capability because its purpose for analysis is limited to evaluating the headers of network protocols.

In this way, IDS can analyze the package as a whole and search for anomalies, alerting the security infrastructure to decision making, either by sending disconnections to source and destination in a unidirectional format, or by simply feeding an alert database.

The basic difference, which is even evident in the nomenclature, suggests that one of the devices detects, and the other prevents. The prevention of an IPS is carried out because it is positioned in such a way that the traffic, necessarily, has to go through the device to reach other networks, and therefore, in the face of some abnormality, actions can be taken in every sense of the connection.

This can be very interesting to say to the point that IPS are superior to IDS. This is not true, both are complementary and the complexity and risk of IPS in a network architecture often prevents them from being used in certain situations.

When IDS presents some type of problem, it stops executing its function but communications continue flowing normally, in spite of the risk. An IPS, on the other hand, has the potential to make networks unavailable and may have a negative impact on the business.

This is a strategic security issue and the size of the budget available, but IDS sensors can be scattered at different points in the network, whereas an IPS can be used in a higher risk bottleneck where unavailability is better than damage to information.

False positives and negatives

Before entering the architectures, it is interesting to understand what false positives and negatives are, as in the universe of IDS/IPS these terms are commonplace. A false positive is a legitimate network event that has been alerted by the solution as a potential problem.

Conversely, a false negative is a malicious event that occurred but was not detected by the security architecture. False positives should be very well parameterized at the time of a deployment, avoiding excess waste for analysis, putting the solution itself in disrepute.

IDS/IPS Architectures

There are many ways to connect these softwares or devices on a network, the basic rule is that it must be allowed to capture and monitor network traffic. In this sense, there are 03 models:

  1. Switch spanning port: a port of a switch where traffic can be mirrored/viewed, allowing the sensor to collect network traffic and make one-way disconnects;
  2. Network tap: an external physical device, or a port, that collects traffic at the bottleneck/uplink of internal or external networks;
  3. Inline: physical device placed in the middle of two segments, where cables are physically interconnected and go through their processing before going to other network equipment (such as switches or routers).

Earlier it was mentioned that an IPS does not override the function of an IDS, however this needs to be better understood. In essence an IDS has no control over network traffic, it only monitors them, and can inject a disconnection unilaterally. IPS centralizes traffic and therefore may not route the connection forward if it detects any anomalies.

In a distributed network, several IDS sensors can be placed at bottlenecks between networks, collecting all events and sending it to a centralized processing base. In this model, we have a monitoring of the internal activities of the networks, being able to understand malicious activities within the business itself.

An IPS, on the other hand, can be positioned on the perimeter of the internet, high-quality hardware and the ability to process huge volumes of packages and ensure greater security as the threats that come from the internet.

For a company that is starting its strategy with detection systems, which does not have great investment capacity, it is always better to work with an IDS, either active (generating disconnections for threats) or even passive (only to have visibility of events and justify the evolution of investments).

Therefore, there is no better architecture or positioning; all this will depend on the need of the environment, the maturity of the business and the budget available to implement this type of solution, centralized, or decentralized.

Software versus hardware

Some IDS/IPS solutions are integrated with UTM or NGFW Firewall products. This is very good for a good part of the business, for characterizing an extra layer of security within an architecture that, by essence and concept, is already multilayered.

Usually these devices, software or hardware, are positioned between the Internet and internal networks, so many security incidents are already treated at this layer, without reaching the internal network, demanding the action of endpoint solutions and so on.

However, thinking about these solutions for each internal network interconnection can be somewhat expensive, and this is not specialized. In the same way, in large companies and providers, with a very large volume of traffic, this type of architecture is not sustainable.

In these cases, robust hardware is used, which has high packet processing capacity, and smaller devices, distributed in more internal layers of the networks. However, this is an exception for most of the market since it requires investment substances for structuring these architectural formats.

The design of an ideal structure, in the case of IDS/IPS, depends on the reality and maturity of each business, and there is no ready rules. The most relevant, for companies that intend to take the first step in this direction, is to enable the implementation of a solution minimally feasible, as this will allow the creation of visibility on the environment, besides providing an increase of security to the corporate structure, facilitating identification of opportunistic or targeted attacks.

If you still have questions about how to implement an IDS/IPS in your company or are looking for a security solution with this feature, feel free to talk to one of our experts.

Keep reading

[latest_post type=’boxes’ number_of_posts=’3′ number_of_colums=’3′ order_by=’date’ order=’ASC’ category=’problem-recognition’ text_length=’100′ title_tag=’h4′ display_category=’0′ display_time=’0′ display_comments=’0′ display_like=’0′ display_share=’0′]

This post is also available in: Português English Español