At one time, intrusion detection systems (IDS) and intrusion prevention systems (IPS) were thought of as “the answer”...
to the problem of consistently detecting attacks within the enterprise. Lately, IDS/IPS technologies have been written off by many as antiquated, ineffective and of no use today. The truth lies somewhere in between these two extremes. Realistically, IDS/IPS technologies are one vital component of a broad attack and vulnerability detection system, working alongside many other types of enterprise security controls
IDS/IPS technologies are not constantly evolving today as they were 10 or 15 years ago, but significant innovations and changes are still being made that improve their detection capabilities. This tip will bring you up to speed on the latest innovations, new features and other notable changes in IDS technologies and IPS technologies.
Use of reputation services
Many IDS and IPS products, both network-based and host-based, have recently added reputation services. These services have been used by other types of security controls for years. Reputation services collect information on the benign or malicious nature of domains, IP addresses, application protocols, physical locations and other aspects of computing activity. IDS/IPS systems then use this information to determine how likely new activity is to be benign or malicious.
This information can be particularly valuable for prioritizing the verification of IDS/IPS alerts. For example, an IDS/IPS sensor might alert on various types of unusual activity, but a history of other malicious activity from one of those IP addresses might raise its priority level for analysts by indicating it is less likely to be a false positive.
Improvements to wireless IDS/IPS
Wireless IDS/IPS technologies are newer than other forms of IDS/IPS, and they continue to expand their capabilities as wireless technologies evolve. For example, most wireless IDS/IPS technologies have added support for IEEE 802.11n transmissions since that standard has been finalized.
It’s a good idea for an enterprise to use wireless IDS/IPS regardless of whether it supports wireless devices. If the enterprise supports wireless, including BYOD (bring your own devices), it’s more important than ever to monitor that activity for misconfigurations and attacks. If the enterprise doesn’t permit the use of wireless technologies, wireless IDS/IPS can still detect unauthorized use and even help to physically locate where the wireless activity is occurring.
Enterprises should also take advantage of wireless IDS/IPS-like capabilities that may be provided by their enterprise mobile device management (MDM) software. Such software is increasingly being deployed within enterprises to help organizations manage smartphones, tablets and other mobile devices.
Inline inspection of SSL-encrypted traffic
With the increasing use of HTTPS and other encrypted protocols, network IDS/IPS sensors have generally become less effective at examining network traffic. However, a few network IDS/IPS products have recently added the ability to be deployed inline and inspect SSL-encrypted traffic. These products basically act as a proxy, establishing two SSL connections: one from point A to the IDS/IPS sensor, and one from the IDS/IPS sensor to point B, instead of allowing a single SSL connection from point A to point B, passing through the sensor encrypted. In essence, the device is able to decrypt, inspect and then re-encrypt an encrypted data packet, sending it on its way with no noticeable delay. However, it also inserts a proxy into connections, which has its own security and reliability implications. Enterprises may prefer to use host-based IDS/IPS instead of network-based IDS/IPS for inspecting SSL-encrypted traffic.
IDS/IPS for virtualized environments
The rise in cloud computing has created a corresponding need for cloud-specific security technologies. Fortunately, the hypervisor (virtual machine manager) provides an ideal spot for monitoring network activity within a virtual instance and between virtual instances, better known as introspection. Some hypervisors provide their own intrusion detection technologies, while others can pass the information collected via introspection to external security controls, such as a standard host-based IDS/IPS, for examination and alerting. Enterprises should ensure that, when a virtual instance is moved from one cloud server to another, its security policy (including IDS/IPS configurations) is moved along with it.
About the author:
Karen Scarfone is the principal consultant for Scarfone Cybersecurity in Clifton, Va., providing cybersecurity publication consulting services. Karen was formerly a senior computer scientist for the National Institute of Standards and Technology (NIST), and she has co-authored more than 50 NIST publications, including Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS).