Intrusion Detection and Prevention Systems

You may not be aware of Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) as they relate to Information Technology (IT), but the concept is simple enough – an IPS is like the lock on your front door: it keeps people from being able to simply walk in and go through all of your things. An IDS would be like the security camera over your door, recording everyone who attempted entry. There have been many papers written on the value of one over the other, but the truth is a comprehensive security approach should contain both.

In the example above, having just the lock might protect your property, but you would have no way of knowing that strange people show up throughout the day while you are at work and try to enter your house. Having just the camera, you would get notified each time someone entered – but there would be nothing stopping them from walking in, eating all of your cereal, and stealing all of your flip flops. Sure, the lock alone might stop the intrusions and the camera allows you to at least know you’ve had unwelcome visitors… but a far better solution is to have both. Having both allows you to determine how big the threat is, where it is coming from, and whether further measures should be taken to protect your valuables.

How does this apply to me?

In IT, the concept is exactly the same – you want to know when your network is under attack and you want the ability to automatically block access. IDS and IPS devices give us that capability. On most smaller private and corporate networks, the router/firewall typically handles both roles. They are usually very easy to configure and they handle the IPS role automatically. They do this by using firewall rules and a signature database of known attacks. Firewall rules are simply rules that tell the router to allow traffic from certain areas and deny it from others. For example, a common default rule is to Deny, or block, all traffic originating from the Internet from accessing anything on the LAN (your local network). This means that by default nothing originating from outside of your network can get in. This is your locked door. It will keep you pretty safe… but, unfortunately, there are ways around or through it – like pretending to already be inside your network (Spoofing), intercepting legitimate data packets and altering their payloads, or simply inundating your network with bogus requests in an attempt to crash it.

…which brings us to the signature database. Symantec defines attack signatures as “…a unique arrangement of information that can be used to identify an attacker’s attempt to exploit a known operating system or application vulnerability”. The signature database is a list of these attack signatures, and it is updated constantly. These signatures are needed so the IPS/IDS can immediately recognize when something is trying to circumvent your locked door. When the IPS/IDS recognizes the signature of one of these attacks, it automatically blocks the connection.
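To make the two mechanisms from the last two paragraphs concrete, here is a small added example (not code from the original post or from any router vendor) that models how a router/firewall decides what to do with a packet: first the firewall rules are checked top to bottom with a default deny for anything arriving from the Internet, then traffic the rules let through is compared against a signature database. The same engine runs as an IDS (the camera: it records an alert and lets the packet through) or as an IPS (the lock: it records the alert and blocks). The addresses, the exposed web server, and the two signature patterns are constructed for illustration; a real product takes its rules from your configuration and its signatures from a vendor feed, in a much richer rule language than a regular expression.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed for this example (RFC 5737 documentation ranges for the Internet side);
# a real router takes these from its configuration.
LAN_PREFIX = "192.168.1."     # a trailing "." means "any host on this network"
WEB_SERVER = "192.168.1.10"   # the one internal host deliberately exposed on port 443


@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "wan" (Internet) or "lan"
    src: str              # source IP address
    dst: str              # destination IP address
    dport: int            # destination port
    payload: bytes = b""  # application data, if any


# Firewall rules, evaluated top to bottom; the first match wins.
# Fields: (arrival interface, source, destination, destination port, action, rule name).
# None means "any". A packet that matches no rule is dropped (default deny).
RULES = [
    ("wan", LAN_PREFIX, None, None, "drop", "anti-spoof"),            # LAN address arriving from the Internet
    ("wan", None, WEB_SERVER, 443, "allow", "port-forward-web"),      # the one service we chose to expose
    ("wan", None, LAN_PREFIX, None, "drop", "default-deny-inbound"),  # the "locked door" from the post
    ("lan", LAN_PREFIX, None, None, "allow", "lan-outbound"),         # users browsing out are fine
]

# Attack signatures as (name, pattern). Constructed toy patterns, not a vendor feed.
SIGNATURES = [
    ("toy-path-traversal", re.compile(rb"\.\./\.\./")),
    ("toy-sql-tautology", re.compile(rb"(?i)'\s*or\s+'1'\s*=\s*'1")),
]


def _matches(addr: str, spec: Optional[str]) -> bool:
    """None matches anything; a spec ending in '.' is a network prefix; otherwise exact host."""
    if spec is None:
        return True
    return addr.startswith(spec) if spec.endswith(".") else addr == spec


def firewall_decision(pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else the default deny."""
    for iface, src, dst, dport, action, name in RULES:
        if iface != pkt.iface:
            continue
        if not _matches(pkt.src, src) or not _matches(pkt.dst, dst):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action, name
    return "drop", "default-deny"


def signature_match(pkt: Packet) -> Optional[str]:
    """Return the name of the first signature found in the payload, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(pkt.payload):
            return name
    return None


@dataclass
class Engine:
    """mode="ids": record what it sees (the camera); mode="ips": record and block (the lock)."""
    mode: str = "ips"
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)

    def process(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        action, rule = firewall_decision(pkt)
        if action == "drop":
            self.alerts.append((rule, pkt.src, pkt.dst))
            return "blocked", rule
        # Traffic the rules let through is still checked against the signature database.
        sig = signature_match(pkt)
        if sig is None:
            return "allowed", None
        self.alerts.append((sig, pkt.src, pkt.dst))
        if self.mode == "ips":
            return "blocked", sig
        return "allowed", sig  # IDS only: the alert is logged, but the packet goes through


if __name__ == "__main__":
    # Constructed sample traffic: a probe at an internal host, a spoofed LAN address,
    # a clean request to the exposed web server, a request matching a signature, and normal browsing.
    samples = [
        Packet("wan", "203.0.113.5", "192.168.1.20", 22),
        Packet("wan", "192.168.1.50", "192.168.1.20", 445),
        Packet("wan", "203.0.113.5", WEB_SERVER, 443, b"GET /index.html"),
        Packet("wan", "203.0.113.5", WEB_SERVER, 443, b"GET /../../config.txt"),
        Packet("lan", "192.168.1.20", "198.51.100.7", 80),
    ]
    for mode in ("ids", "ips"):
        engine = Engine(mode)
        for pkt in samples:
            print(f"{mode}: {pkt.src} -> {pkt.dst}:{pkt.dport} {engine.process(pkt)}")
        print(f"{mode}: {len(engine.alerts)} alert(s) recorded")
```

Running the script shows the point the post makes about using both: in IDS mode the request that matches a signature is recorded but still reaches the web server, while in IPS mode it is recorded and blocked. The anti-spoof rule is the defender's answer to the "pretending to already be inside your network" case: a packet carrying a LAN source address cannot legitimately arrive on the Internet-facing interface, so it is dropped before the rest of the rules are consulted.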

What else can I look out for?

It is because of the effectiveness of IPSes and IDSes in detecting and blocking data attacks that hackers have found it much easier to trick a user, who is already on the LAN, into opening the door for them. This is called Social Engineering and involves things like sending fake emails that look legitimate (phishing), calling users and pretending to be from management or technical support, or simply walking into the building and reading the passcode where you have it taped to the side of your monitor. Unfortunately, the only solution to combat social engineering is periodic training of the users on your network in good security practices and what to watch out for.

In conclusion, Intrusion Prevention Systems and Intrusion Detection Systems are a major step in establishing security on the network. With them in place, you’ll deter many of the potential attackers looking for easy targets. These systems do such a good job that hackers often rely on social engineering to trick the users into allowing them access instead of trying to break in.

If you have any questions regarding Intrusion Detection/Prevention systems or any other related networking issues, call SandStorm IT at 901-475-0275 and speak to one of our knowledgeable networking experts.