IPS/IDS. Systems for Detecting and Preventing Cyber Attacks

The sphere of informational security, the branch of industry that is targeted to secure our digital data (also called infosec), is always developing new products and trying to create new mechanisms to protect users from hackers and cyber criminals of any sort. Traditional tools like firewalls and anti-malware software no longer work as effectively as expected even when it comes to protecting a small company that doesn't have a lot of data because hackers are becoming ever more inventive at getting around them.

In this article we will discuss IPS/IDS solutions, the only way to protect modern network infrastructure. Hostman uses this mechanism to protect its users from all types of cyber attack.

What is wrong with business network security?

Corp-networks are usually designed to have special endpoints that connect several different networks. These networks can be private or public. The main job of developers and administrators is to make these networks as secure as possible without sacrificing their accessibility to regular users (out of corp-network). Nowadays, cyber attacks can be so complex that even the most powerful security systems have a hard time protecting networks from unauthorized access. And they become even harder to detect if hackers get through traditional infosec-solutions like firewalls and antiviruses. Malware can send the server data that seems "normal" for anti-malware software (because it is professionally disguised). That's why modern companies like to implement IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) to protect themselves.

What are IDS and IPS?

IPS/IDS is a combination of software and hardware tools that prevent cybercriminals from accessing the secured network. These systems can automatically detect intrusions, block them and notify administrators of attempts to get unauthorized access to the server. In terms of technological implementation IDS and IPS are not dissimilar but they solve different problems so you need to be able to distinguish them. IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System. The first one detects attacks and unexpected traffic and the second one prevents them.

How are IPS/IDS different from firewalls?

Less experienced administrators might not understand why they have to use IDS or IPS when we all have firewalls that actually do the same thing when filtering user traffic. But this is a delusion.

The main function of a firewall is to control access on the network level. Firewall uses certain procedures to pinpoint which computers can communicate with other devices connected to the same network. It can admit traffic that is described as safe in the list of rules (those are prerequisites made by admins or devs). And can restrict all other connections that don’t match the list of rules. IPS/IDS work in a different way. They block the potential threat and admit anything else that does not look suspicious.

There are both conceptual and technical distinctions between both systems. Firewalls are great at protecting the server from threats of OSI-level 2, 4 but almost useless at higher levels because of the lack of necessary software utilities. This is the main reason why firewalls are only usually used to control session parameters like connection status, port numbers, and IP addresses. IDS and IPS can be useful at higher levels because they can analyze not only headers of request but also the main content. Moreover, they can decompress the data passed to the server to inspect it in a more scrupulous way so there's less chance of a virus getting into the secured system.

Intrusion Detection System (IDS)

IDS is not a wholly new way to protect servers. Tools of this kind were invented about 30 years ago and were used in an operating system called SINEX (UNIX-type OS for hardware made by Siemens) to prevent users of terminals from accessing resources of mainframes.

Functions of IDS

So we know what IDS is but what can it do? IDS is a system of detecting cyber attacks. It continuously scans traffic, registers any suspicious requests, and notifies administrators of potential threats. An IDS usually monitors traffic and logs. The system searches for any sign of malware and reports it as soon as possible, sending messages to the console, email address, or via SMS.

IDS can register different types of attacks (DDoS, Bot C&C, P2P, SQL injections, IMAP, POP3, VoIP, etc), detect attempts to change user privileges, get unauthorized access to secured data or open some ports. It can also detect different types of malware (including trojans).

You should remember that IDS is not a tool that controls the network itself. It only helps to find threats and is better described as a utility that shows infosec-specialists how secure the network is at any given moment and what you can do about it. If you've ever used tools like Wireshark you’ll understand how IDS works. The difference is the context (Wireshark inspects a different kind of connection).

Classification of IDS

There are different detection systems: hardware and software, open-sourced, and proprietary. We will look closer at two types of classifications that should be considered when choosing a security system.

The first one is a classification by the type of analyzed traffic. They can be:

• Based on using protocols PIDS
• Based on protocols APIDS

One of them monitors communication protocols. The other analyzes a specific list of protocols that includes PHPIDS, GreenSQL-FW, and Mod_Security.

The second one is a classification by the position of IDS in a network infrastructure. They can be:

• Host-based (HIDS)
• Network-based (NIDS)

HIDS monitors a single host while NIDS monitors the whole network segment it is installed on. Network IDS is more versatile because they use a deep package inspection system that helps in analyzing all the traffic passed to the server. But this kind of IDS is more of a power hog than other types so you should be prepared to sacrifice some hardware resources to use it.

There are different types of IDS. For example, VMIDS imply using virtual machines so administrators and developers don't have to install the whole software stack on a separate device.

How does IDS detect intrusions?

Usually methods of detecting intrusions are divided into two groups:

• Detecting abuse (signature IDS)
• Detecting anomalies

Detecting abuses

Some IDS detect abusive traffic by analyzing traffic and logs. Simply put, this method uses descriptions of attacks that already exist. The security system processes the traffic and tries to find abusive patterns that may signal an attempt to attack the server. Most IDS use this method and is a huge advantage to it. It actually tells the administrator why IDS reacted to some of the requests to the server. It is possible to manually check signatures and find out why IDS decided that a given chunk of traffic seemed to be dangerous. The only caveat is the database of signatures that quickly becomes outdated. The administrator has to update it as often as possible.

Detecting anomalies

This method works in reverse. We know what normal behavior of applications is and what harmless traffic looks like. The security system uses this data to detect any unexpected requests or actions. This kind of IDS was invented 30 years ago. Nowadays, engineers use machine learning technologies to make IDS more reliable and proactive.

There is one big disadvantage of such IDS. They must be refined by working with traffic which is considered normal. It takes time and obliges administrators to use it on some networks and nodes ineffectively. If something goes wrong and IDS reacts to it, administrators will get insufficient data to act (and the complexity of analyzing the logs will grow exponentially with the number of indicators used to distinguish "normal" traffic).

Anyway, there are problems that anomaly-searching IDS can solve better than any other security system. For example, there are no rivals to this type of IDS in detecting and preventing DDoS attacks.

Intrusion Prevention System (IPS)

When IDS can only notify you about some threats, IPS can take action. Using IDS administrators have to reconfigure the firewall manually so attackers can't get access to secured data. It takes time and usually the server has to react to any threat in real-time so there are no consequences. That's why we need IPS. They do the job and can block suspicious connections if necessary.

Different types of IPS and their capabilities

Actually, IPS and IDS can be the same device which is differently set up depending on the issues that administrators and developers want to solve. IPS itself can be described as a hybrid of IDS and firewall because the same technologies underlie both security systems.

Regarding classifications, they are mostly the same because professionals divide IPS into two main categories: HIPS (Hosting-based) and NIDS (Network-based). NIPS prevents any cyberattacks by embedding itself in one part of the network channel and filtering all the traffic passing through. In most cases, such types of IPS have some kind of remote interface that accepts data and an intrinsic interface that passes legitimate traffic on.

On top of that, some specialists divide IPS into:

• those which monitor traffic and compare it to any signatures that are already known to be dangerous;
• and those which try to find suspicious traffic based on protocol-analyzing systems.

The second one makes it possible to protect the network from unknown classes of attacks.

IPS may react to attacks in different ways. The most common form of protection is the reconfiguration of communicational hardware (which makes it impossible to use it in a harmful way). Also such methods as blocking off some users or hosts, disconnecting users or applications via TCP RST or firewall might be used.

Conclusion

In the final part of this article, we will pinpoint specific tasks that can be performed using IPS or IDS and outline the main requirements that administrators and developers have to consider when choosing security systems for their projects.

Security systems have two main functions. First, they develop a database of threats that can be used as evidence when infosec-specialists start to investigate any incident connected to data breach or cyber attack (as an example, when a cyber criminal uses company resources for a period of time). Secondly they monitor any potentially dangerous activity in the analyzed network. Consequently, there are two requirements:

• completeness of the database that consists of existing exploits and vulnerabilities (signatures which are used to detect any cyberattacks);
• and reliability of the whole system, so it won't turn off and stop gathering useful information.

A system that is used to prevent hackers from accessing secured data tries to normalize traffic via blocking attacks and minimize damage caused by cyber criminals. The requirements for IPS are a bit different. Firstly, such a system has to be as reliable as possible. There should be no reason for it to stop working and failing to secure the server. Malfunction of the IPS can lead the whole infrastructure to shut down active connections. Secondly, such a system has to have a minimal amount of fake detections.

If you want to implement a modern and multifunctional security system for your server you should consider setting up a device called UTM. It is a piece of hardware that includes all the protection components of IDS and IPS. It works as a firewall, proxy-server, anti-spam, content filter, and anti-malware software.