IDS/IPS general function

in this blog we talk about the general idea about using and IDS or IPS. let’s recall that IDS/IPS stands for intrusion detection and prevention systems. We give examples of implementations of vendors and leaders of the market.

scope of an IDS/IPS

let’s start from a basic setup: clients that try to access ressources on hosted server via a network. what we may qualify as intrusion is by experience, by comparison to normal model of function, or some kind of probabiliy… and may concern the whole chain: hosts (operating system, file ressources, etc.) and network ressources

the figure shows a simple IDS/IPS deployment at hosts level (client and server) and network level (appliances in our case)

different approaches

to qualify a system or network activity as an instrusion 3 main techniques are put into action: by exprience (sort of an intelligence), by normalization or by likeliness (kind of probability)

intrusion detection by experience

experiencing an intrusion is a way to model its behavior and systematically identify it. we talk about an intrusion signature kind of indentificator of an already identified intrusion activity. it is sufficient at IDS or IPS level to match patterns of the current traffic per example to the signature to state if the ativity is legitmate or not. we understand that the more the historical data is diverse and important the more the identification of threats is efficient

an intrusion is not a normal activity

in addition to information about intrusion that we gain by experience, we could choose another approach that is based on our deep understang of how our system and network ressources may be used normally. any change or deviation to this way of operation (or standard) should alarm on the possible violation of the security policy.

give it a probability

working by experiencing all the possible threats or qualifying the normal activity maybe very hard to achieve and would take a huge amount of ressources and time to be accurate. meanwhile working by a kind of probability based on some kind of likeliness to be or not to be subject to type of threat may be a rapid way to deploy IDS/IPS to overcome limitations of the other two approches

what to do next

the IDS and IPS systems in addition to be classified based on their scope (host or network) and approach (experience, normality and probability) could also be classified by the action they could have on the system or network. an IDS/IPS system may just alarm about a condition and give hand to another systems, or take effective action (block access, reroute traffic, etc.).

what implementation

another criteria to choose an IDS/IPS system is its implementation: hardware, in clusters, as virtual machine, in the cloud… in path or out of path. because those systems integrate to the whole network, compatibility of function and operation with the other global network parts is required to keep the standard.

being in path mean that the traffic get physically through the system, if the system is not available the network is down; on the other hand, when the system is out of path, the traffic flow is not affected in case of the system fails and other mechanisms are put into play to allow, reroute (bypass the system) or block the flow.

market leaders network and host based systems

network oriented systems

related to the business research insights by 2023 the top ten of IDS and IPS companies are: Checkpoint, Cisco, Corero Network Security, Dell, Extreme Networks, HP, IBM, Juniper Networks, Mcafee and Nsfocus. they’re the leader of a market that is evaluated to 3.2 billion USD where the banking is more demanding (more than the half of the market share).

in the Checkpoint SG (Security Gateway) R70 the inspection is multilayered and framed as following: CoreXL/PSL (Packet Streaming Layer), IPS Unified Streaming, Protocol Analyzer (FTP), CMI (Protections and Context Matching), PM (first, second tier and accelerated paths), CMI final decision. In this processing, the flow is first parsed to the protocol to find out the corresponding context to which protections are available.

host or system oriented systems

concerning the host based IDS and IPS systems, a top 10 ranking is provided by Clear Network: AIDE, BluVector, Checkpoint Quantum, Cisco NGIPS, Fail2Ban, Fidelis Network, Hillstone Networks, Kismet, NSFocus, OpenWIPS-NG…

The AIDE kind of detection and prevention is very specialized to Linux systems (and MacOS) and to the integrity of the files.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You May Have Missed!

error: Content is protected !!
Table of Contents