Tuesday, October 4, 2011

IDS/IPS 101-2

The difference between IDS and IPS is both in form and function. At a high level, an intrusion detection system is a passive device that monitors packets and identifies attacks using signatures and intelligence built into the IDS engine. The usual example is the string "get /etc/passwd", which used to mean (before shadowed password files) an attempt by someone to read the password file on a Linux/UNIX system. The IDS detects the string in the packets, and depending on how it's configured, alerts the analyst by some means, such as an email or via syslog or SNMP. This is a passive monitoring of the event (though some IDS have the ability to "shoot" down sessions by spoofing RST (reset) packets to both ends of the connection.) The IDS will have a management port with an IP address on it that allows it to forward it's data on to a collection/management console and allows remote access to it for administration (this may be done via an OOB (out of band) private network to limit access to the systems. It's monitoring port or ports will connect to a tap inserted at the desired point in the network, or a SPAN port on a switch.
Intrusion prevention systems sit inline, that is, they are connected directly to the network and all packets must pass through them. This is done via two NIC's (network interface cards), each attached to one end of the connection, such as between a firewall and a switch. Since all traffic passes through the IPS, like a router, the system has the ability to shun sessions it detects as being malicious by simply dropping the packets. No need to generate additional traffic in the form of reset packets. No notification is made to the attacker that the active response is taking place. The session, as the name implies, is prevented from continuing. Of course, if the event is a false positive, the very real possibility of dropping legitimate, business related traffic exists. Careful tuning and monitoring of the traffic must take place on an on-going basis to ensure the IPS doesn't interfere with normal traffic. Since the IPS sits inline, no tap or SPAN port is needed, but redundancy must be dealt with in case the device crashes or reboots. Most IPS are configured to fail open, which means if the software fails and stops working, the device will route all packets. Even then some traffic may be prohibited in the process of failing over. Some shops use a by-pass tap that routes all packets through the IPS as long as the interfaces are detected as being connected, but bypasses the device and routes the traffic directly if the interface goes down. Other use a second IPS, set up in fail over mode, so if the first device goes down, the second IPS takes over. The advantage here is twofold: you do not lose connectivity, the primary concern, AND you also do not lose your intrusion detection and prevention coverage while the first device is offline.

No comments:

Blog Archive