Categorize different types of network security applications and methods. This chapter describes IDS and IPS devices, vulnerability scanners, honeypots, and honeynets. You can learn more in our CompTIA Security+ course.
IDS vs IPS
IDS and IPS devices function by inspecting traffic to detect unauthorized or malicious activity entering, leaving, or moving within the enterprise network. Their main role is to monitor networks for intrusions or other malicious activity, and they come in multiple forms:
- Hardware appliances
- Software solutions
- Virtual solutions
The major difference between Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) is that IPS devices operate inline with the traffic (meaning they are placed in the middle of the traffic flow and all packets pass through the inspection device), while IDS devices only receive a copy of the traffic so they can analyze it.
IPS and IDS solutions can be categorized along two independent axes: how they detect (behavior-based or signature-based) and what they watch (network-based or host-based). A single product usually combines one of each:
- Behavior-based (also called anomaly-based): monitors traffic behavior and compares it to a baseline of normal traffic patterns; deviations are flagged even when no signature exists, at the cost of more false positives and a baseline that must be maintained
- Signature-based: inspects packets for patterns that match known malicious traffic; precise for known attacks, but blind to anything for which no signature has been written yet
- Network-based: a sensor that monitors an entire network segment for suspicious traffic and analyzes protocol activity
- Host-based: software agents that protect servers or user machines by analyzing events occurring within that host (processes, file changes, local logs), including activity the network sensor cannot see, such as traffic inside an encrypted session
Intrusion detection, even though it is an old technology, is still used because there are still places where you do not want a sensor running inline with the traffic. A sensor in promiscuous mode (an IDS) that captures and analyzes a copy of the traffic, for example in the DMZ, is still a valid approach in modern networks, and the underlying security policy is the same whether you deploy IDS or IPS.
The actions available to a device in promiscuous mode are limited to notification: sending alerts, alarms, log messages, or SNMP traps. It sees a copy of the packet after the real packet has already been forwarded, so it cannot stop the packet it is alerting on. An inline sensor, on the other hand, can take more aggressive actions, such as dropping packets or blocking the source IP address, because every packet passes through it before reaching its destination.
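The two detection methods and the two action sets above, as an added example that is not code from the original chapter: a small sensor with one signature-based check (payload patterns) and one behavior-based check (a per-source baseline of how many distinct ports a host normally touches), run in either promiscuous mode (alert only, packet is always forwarded) or inline mode (alert, drop, and block the source). The packet records and the signature patterns are constructed for illustration; they are not vendor signatures or captured traffic.

```python
"""Added example (not from the chapter): signature + behavior detection,
applied by a sensor in promiscuous (IDS) or inline (IPS) mode."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature-based rules: constructed patterns, not real vendor signatures.
SIGNATURES = [
    ("SQLI-UNION", re.compile(rb"(?i)union\s+select")),
    ("PATH-TRAV", re.compile(rb"\.\./\.\./")),
    ("SHELL-META", re.compile(rb";\s*(cat|wget|curl)\s")),
]


@dataclass
class Sensor:
    mode: str                      # "promiscuous" (IDS) or "inline" (IPS)
    baseline_ports_per_src: int    # baseline: max distinct destination ports per source
    ports_per_src: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def _alert(self, kind, pkt, detail):
        self.alerts.append((kind, pkt.src, detail))

    def inspect(self, pkt) -> str:
        """Return the fate of the packet on the wire: 'forward' or 'drop'."""
        # Inline only: a source blocked earlier is dropped without inspection.
        if self.mode == "inline" and pkt.src in self.blocked:
            return "drop"

        malicious = False
        # 1. Signature-based check against the payload.
        for name, rx in SIGNATURES:
            if rx.search(pkt.payload):
                self._alert("signature", pkt, name)
                malicious = True
                break
        # 2. Behavior-based check: a source touching more distinct ports than
        #    the baseline allows looks like a port scan, signature or not.
        ports = self.ports_per_src.setdefault(pkt.src, set())
        ports.add(pkt.dport)
        if len(ports) > self.baseline_ports_per_src:
            self._alert("behavior", pkt, f"{len(ports)} distinct ports")
            malicious = True

        if malicious and self.mode == "inline":
            self.blocked.add(pkt.src)   # IPS: drop and block the source
            return "drop"
        return "forward"                # IDS: alert only; the copy cannot stop anything


# Constructed traffic: one benign client, one SQL-injection attempt, one port scan.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.1.10", 80, b"GET /?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("10.0.0.7", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.1.10", 22, b""),
    Packet("10.0.0.9", "10.0.1.10", 23, b""),
    Packet("10.0.0.9", "10.0.1.10", 25, b""),
    Packet("10.0.0.9", "10.0.1.10", 80, b""),
]


def run(mode):
    """Run the constructed traffic through a sensor; return (verdicts, alerts)."""
    sensor = Sensor(mode=mode, baseline_ports_per_src=3)
    verdicts = [sensor.inspect(p) for p in TRAFFIC]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    for mode in ("promiscuous", "inline"):
        verdicts, alerts = run(mode)
        print(mode, verdicts)
        for a in alerts:
            print("  alert:", a)
```

In promiscuous mode both the injection attempt and the scan raise alerts, yet every packet is forwarded; in inline mode the same alerts fire, but the offending packets are dropped and later packets from the blocked sources never reach the inspection logic at all. The baseline value is the part a real deployment has to learn from observed traffic rather than hard-code.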
Sensor placement is a very important aspect, as IPS devices should be placed strategically throughout the organization, such as:
- Outside the firewall
- Inside the firewall
- On the same VLAN as the critical servers (DMZ or server farm)
A very important IPS/IDS placement issue is the effect your design will have on the network traffic. Promiscuous mode (IDS) has no effect on the traffic itself, because you are using SPAN (port mirroring) or a network TAP to send copies of the traffic to the sensor. The caveat is on the sensor's side: a SPAN destination port that mirrors several source ports can be oversubscribed, in which case the switch silently drops mirrored frames and the IDS misses traffic without any error; a TAP does not have this problem. When deploying IPS solutions, the device must be sized to process all the traffic that flows on that segment at line rate, because every packet passes through it, and it must have a defined failure behavior (see the high availability challenge below).
Figure 32.1 – IPS Deployment Models
When placing the IPS sensor on the enterprise network, there are several options to choose from, as depicted in Figure 32.1 above:
- Two Layer 2 devices (without trunking): This is a popular campus design, where the sensor is placed between two Layer 2 devices (a Layer 2 switch and a transparent mode firewall). The IPS can be between the same VLAN on two different switches or it can be between VLANs with the same subnet on two different switches.
- Two Layer 2 devices (with trunking): This is similar to the previous model, with the difference of having a trunk between the two devices. This is a common scenario that provides protection for several VLANs from a single location, with the sensor being placed on a trunk port between switches. The sensor can protect a pair or a larger group of VLANs.
- Two Layer 3 devices: This design model involves placing the sensor between a Layer 3 switch or a router and a firewall that is running in routed mode (two Layer 3 devices in the same subnet). This deployment option is common in the Server Farm module, the Enterprise Campus module, and the E-commerce module. This is much easier to configure since the integration takes place without actually having to touch any of the other devices, unless the IPS module is integrated in another device.
- Two VLANs on the same switch: This model involves sensor bridging VLANs together on the same switch by bringing packets in on one VLAN and sending them out on another VLAN. This is a common scenario with some appliances.
Some of the challenges of deploying IDS and IPS include the following:
- Asymmetric traffic flows: Traditionally, packet flows are symmetric, meaning both directions of a connection take the same path through the network (from the source to the destination and from the destination back to the source). Many newer network designs do not preserve this, because they are engineered to use all available links, especially the low-cost ones, and any-to-any traffic and policy routing (for example, sending voice over a different link than data) make paths harder to predict. An inline sensor that tracks state needs to see both directions of a connection: the TCP handshake to decide a session is legitimate, and both halves of the exchange to reassemble streams. When the forward and return paths cross different sensors, each sees half a conversation, cannot build session state, and either misses the attack or drops legitimate sessions as untracked. Network designers must know the traffic patterns before deciding where IPS sensors go, and may need to force symmetry (or share state between sensors) on the segments that are inspected.
- High availability issues: Problems occur when an inline sensor goes down. A sensor can be configured fail-closed, meaning any hardware or software failure blocks all traffic on that link, or fail-open, meaning a bypass passes traffic uninspected while the sensor is down. Fail-closed is the safer choice for security and the worse one for availability, so the IPS must be placed and configured with high availability in mind (active/active or active/standby pairs) to avoid major service outages.
- Choosing an appropriate IPS device: You can use a wide variety of IPS appliances with different features and port densities. Special care must be taken when virtualizing the IPS service because this adds more complexity, as virtual sensors have different features that depend on platform and licensing models.
- Choosing the appropriate management and monitoring solution: Complex IPS deployments need robust management and monitoring solutions that can integrate with the respective appliances.
- Regularly updating IPS signatures: Something that sets IPS sensors apart from other security devices (like firewalls) is that signatures have to be updated on a regular basis. It is critical for the network operations team to ensure that new signature definitions are regularly downloaded and installed on the IPS device to keep up with evolving threats and vulnerabilities.
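The asymmetric-flow challenge above, as an added example that is not code from the original chapter: a stateful inline sensor that only inspects data on flows whose TCP handshake it has seen. The same constructed HTTP session (carrying a path-traversal request) is delivered once symmetrically through one sensor and once asymmetrically, with client-to-server packets crossing sensor A and server-to-client packets crossing sensor B. The addresses, segments and the single signature pattern are constructed for illustration; the "allow midstream pickup" switch is an assumed knob standing in for the comparable settings real sensors expose.

```python
"""Added example (not from the chapter): why asymmetric routing defeats a
stateful inline sensor, and the trade-off of inspecting untracked flows."""
import re
from dataclasses import dataclass, field

CLIENT, SERVER = "192.0.2.10", "203.0.113.5"   # constructed (documentation ranges)
ATTACK_RX = re.compile(rb"\.\./\.\./")          # constructed single-packet signature


@dataclass
class Seg:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S", "SA" or "A"
    payload: bytes = b""


def flow_key(s):
    """Direction-independent 4-tuple so both halves of a flow map to one key."""
    return tuple(sorted([(s.src, s.sport), (s.dst, s.dport)]))


@dataclass
class StatefulSensor:
    name: str
    allow_midstream: bool = False   # inspect flows whose handshake was never seen?
    state: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)
    dropped_untracked: list = field(default_factory=list)

    def process(self, s):
        k = flow_key(s)
        st = self.state.get(k)
        if s.flags == "S":
            self.state[k] = "SYN_SEEN"
        elif s.flags == "SA" and st == "SYN_SEEN":
            self.state[k] = "ESTABLISHED"   # only reachable if this sensor saw the SYN too
        if not s.payload:
            return "forward"
        if st != "ESTABLISHED" and not self.allow_midstream:
            self.dropped_untracked.append(s.payload)  # strict: no state, no inspection
            return "drop"
        if ATTACK_RX.search(s.payload):
            self.detections.append(s.payload)
            return "drop"
        return "forward"


CONVERSATION = [  # constructed HTTP session carrying a path-traversal request
    Seg(CLIENT, SERVER, 40000, 80, "S"),
    Seg(SERVER, CLIENT, 80, 40000, "SA"),
    Seg(CLIENT, SERVER, 40000, 80, "A"),
    Seg(CLIENT, SERVER, 40000, 80, "A", b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Seg(SERVER, CLIENT, 80, 40000, "A", b"HTTP/1.1 200 OK\r\n\r\n"),
]


def run(asymmetric, allow_midstream=False):
    """Symmetric: every segment crosses sensor A. Asymmetric: server->client
    segments cross sensor B instead, so neither sensor sees the whole handshake."""
    a = StatefulSensor("A", allow_midstream)
    b = StatefulSensor("B", allow_midstream)
    verdicts = []
    for s in CONVERSATION:
        sensor = b if (asymmetric and s.src == SERVER) else a
        verdicts.append((sensor.name, sensor.process(s)))
    return {
        "verdicts": verdicts,
        "detected": len(a.detections) + len(b.detections),
        "dropped_untracked": len(a.dropped_untracked) + len(b.dropped_untracked),
    }


if __name__ == "__main__":
    for asym, mid in ((False, False), (True, False), (True, True)):
        r = run(asym, mid)
        print(f"asymmetric={asym} midstream={mid}: detected={r['detected']} "
              f"dropped_untracked={r['dropped_untracked']} {r['verdicts']}")
```

With symmetric delivery the attack is detected and the benign response is forwarded. With asymmetric delivery and strict state tracking, sensor A never sees the SYN-ACK, so it drops the request as untracked without inspecting it (the attack is not logged), and sensor B drops the legitimate response for the same reason: a silent outage rather than a detection. Allowing midstream pickup restores detection of this single-packet signature, but the sensor is now inspecting flows it cannot validate and has lost the other direction's context, which is the trade-off the chapter's warning is about.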
Vulnerability Scanners
Vulnerability scanning is the action of performing a series of tests on the network to detect weaknesses in the infrastructure (missing patches, weak configurations, exposed services) before an attacker finds them. Unlike a penetration test, which attempts to exploit the weaknesses it finds and is therefore intrusive, a vulnerability scan is active but non-exploitative: it probes systems and compares what it finds against a database of known vulnerabilities, but it does not try to break in. A caveat: some individual checks (denial-of-service tests, for example) are themselves disruptive, which is why most scanners ship with a "safe checks" mode enabled; confirm the scan profile before pointing it at production systems. Scanning should be part of the organization's security policy and have a proactive nature, meaning it is performed on a regular schedule, before an attacker tries to access the network.
Some of the activities that are part of a vulnerability test include the following:
- Identify network devices (platform, model, interfaces, capacity)
- Identify network topology (how the devices are connected)
- Scan for open port numbers on network devices
- Perform tests from both inside and outside the network, as attackers can try to break in from both sides
The information gathered during a vulnerability test should be carefully analyzed and the relevant parts should be summarized in a vulnerability report that can be presented to upper management. Measures should be taken to mitigate the risks presented in that report.
The way vulnerability scanners function is by going through a list of vulnerability checks (often called plugins) and trying to match each one against the systems found: identify the service and its version from banners, configuration or authenticated queries, then compare that against the versions the check says are affected. Both the scanner software and its check database should be updated periodically, because new vulnerabilities are discovered on a regular basis. Version matching alone produces false positives (a distribution that backports a fix without changing the version string) and false negatives (a service that hides its version), so findings should be verified before they are reported.
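The matching loop described above, as an added example that is not code from the original chapter and not Nessus code: a scanner core that identifies product and version from service banners, compares versions numerically (so 2.10 is newer than 2.9), and produces a severity-ordered report. The discovered services, product names and checks are all constructed for illustration; the check IDs and "fixed in" versions are made up and do not correspond to any real advisory.

```python
"""Added example (not from the chapter, not Nessus): banner-based version
matching against a list of vulnerability checks, plus a report."""
import re

# Constructed "discovered services": (host, port, banner). Product names are fictional.
DISCOVERED = [
    ("10.0.1.10", 22, "SSH-2.0-ExampleSSH_7.4"),
    ("10.0.1.10", 80, "Server: ExampleHTTPd/2.2.15"),
    ("10.0.1.11", 21, "220 ExampleFTP 1.3.5 ready"),
    ("10.0.1.12", 80, "Server: ExampleHTTPd/2.4.41"),
    ("10.0.1.12", 443, "Server: nginx"),            # version not disclosed
]

# Constructed checks: (check id, product, fixed-in version, severity, title).
# These are illustrative, not real advisories.
CHECKS = [
    ("EX-0001", "ExampleSSH", "8.0", "medium", "ExampleSSH before 8.0 (hypothetical issue)"),
    ("EX-0002", "ExampleHTTPd", "2.4.0", "high", "ExampleHTTPd 2.2.x branch (hypothetical issue)"),
    ("EX-0003", "ExampleFTP", "1.3.6", "critical", "ExampleFTP before 1.3.6 (hypothetical issue)"),
]

BANNER_RX = re.compile(r"(ExampleSSH|ExampleHTTPd|ExampleFTP)[_/ ]v?(\d+(?:\.\d+)*)")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def version_lt(a, b):
    """Component-wise numeric comparison; pads short versions with zeros."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def identify(banner):
    """Return (product, version) from a banner, or (None, None) if unknown."""
    m = BANNER_RX.search(banner)
    return (m.group(1), m.group(2)) if m else (None, None)


def scan(services=DISCOVERED, checks=CHECKS):
    """Match every identified service against every check. Services whose
    version cannot be determined are returned separately: a scanner that
    silently skips them hides a false negative from the report."""
    findings, unidentified = [], []
    for host, port, banner in services:
        product, version = identify(banner)
        if product is None:
            unidentified.append((host, port, banner))
            continue
        for cid, cproduct, fixed, sev, title in checks:
            if cproduct == product and version_lt(version, fixed):
                findings.append({"host": host, "port": port, "check": cid,
                                 "severity": sev, "found": f"{product} {version}",
                                 "fixed_in": fixed, "title": title})
    return findings, unidentified


def report(findings):
    """One line per finding, most severe first (what goes to management)."""
    rows = sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])
    return "\n".join(
        f"{f['severity'].upper():8} {f['host']}:{f['port']:<5} {f['check']} "
        f"{f['found']} (fixed in {f['fixed_in']}) {f['title']}"
        for f in rows
    )


if __name__ == "__main__":
    found, unknown = scan()
    print(report(found))
    for host, port, banner in unknown:
        print(f"UNVERIFIED {host}:{port} version not disclosed: {banner!r}")
```

The nginx service on 10.0.1.12 ends up in the unidentified list rather than being silently passed: an unknown version is a gap in coverage, not a clean result, and the report should say so.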
A popular vulnerability scanner that comes in both a free and a commercial version is Nessus. The screenshot below shows a sample vulnerability report generated by this tool:
Figure 32.2 – Nessus Vulnerability Report
Honeypots and Honeynets
A honeypot is a security tool that allows you to attract possible attackers in an isolated environment, where they cannot do any harm to the network. Honeypots are controlled environments in which you can analyze the attackers’ behavior and gather information on the types of techniques they are using to get into the network.
A large share of attack traffic is automated: scripts, worms and scanners that try a fixed set of techniques against every reachable host. Nothing legitimate should ever talk to a honeypot, so every connection it receives is interesting by definition, and it shows exactly which techniques are in use. That information can be fed back into IDS signatures, firewall rules and patch priorities for the real systems.
Honeynets are groups of honeypots on the same network or spread across networks. These allow you to gather more information that can be correlated to provide more insight into the attacker's activity, for example the same source moving from one decoy to the next.
Note: Honeypots are usually placed in network segments isolated by firewalls to minimize the chances of an attacker using a compromised honeypot to reach the real internal network. A honeypot that runs real, exploitable services needs this isolation most; a low-interaction honeypot that only fakes a banner and records what it receives exposes far less.
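A low-interaction honeypot of the kind described above, as an added example that is not code from the original chapter: it listens on a loopback port, answers every connection with a fake SSH banner, records the source, the time and the first bytes the client sent, and classifies the probe. It never executes or interprets what it receives. The `probe` function is a constructed stand-in for a scanner so the example runs offline; the fake banner string and the probe categories are assumptions made for the illustration.

```python
"""Added example (not from the chapter): a minimal low-interaction TCP
honeypot that records and classifies connection attempts."""
import socket
import threading
import time

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed: what the decoy pretends to run


def classify(data: bytes) -> str:
    """Label the first bytes a client sent (constructed categories)."""
    if not data:
        return "connect-only (port scan)"
    if data.startswith(b"SSH-"):
        return "ssh-client-banner"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        return "http-request"
    return "unknown"


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0):   # port 0: the OS picks a free port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)        # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.log = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()

    def wait_for(self, n, timeout=3.0):
        """Block until n connections are logged (handlers run in their own threads)."""
        deadline = time.time() + timeout
        while len(self.log) < n and time.time() < deadline:
            time.sleep(0.02)
        return len(self.log) >= n

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(FAKE_BANNER)
                data = conn.recv(1024)   # record the first bytes only; never act on them
            except OSError:
                data = b""
            self.log.append({"ts": time.time(), "src": addr[0], "sport": addr[1],
                             "probe": classify(data), "data": data[:64]})


def probe(port, payload=b""):
    """Constructed stand-in for a scanner: connect, read the banner, optionally send."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(64)
        if payload:
            c.sendall(payload)
    return banner


def demo():
    """Start the decoy, hit it with three constructed probes, return the labels."""
    hp = Honeypot().start()
    try:
        probe(hp.port)                                  # bare connect, like a port scanner
        probe(hp.port, b"SSH-2.0-libssh_0.9.6\r\n")     # SSH client announcing itself
        probe(hp.port, b"GET / HTTP/1.0\r\n\r\n")       # HTTP probe aimed at an SSH port
        hp.wait_for(3)
    finally:
        hp.stop()
    return sorted(e["probe"] for e in hp.log)


if __name__ == "__main__":
    print(demo())
```

The log entries are the product: source address, timestamp and the raw first bytes, which is enough to tell a bare port scan from a client that speaks the protocol, and enough to turn a recurring payload into a signature for the real IDS. Everything received is stored as bytes and never parsed beyond a prefix check, which is what keeps a decoy like this from becoming a foothold.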
Summary
IDS and IPS devices function by performing traffic inspection to detect unauthorized traffic that tries to enter the enterprise network. Their main role is to monitor networks for intrusions or other malicious activity and they can come in multiple forms:
- Hardware appliances
- Software solutions
- Virtual solutions
The major difference between Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) is that IPS devices operate inline with the traffic, while IDS devices only receive a copy of the traffic so they can analyze it.
IPS and IDS solutions can be categorized by how they detect (behavior-based or signature-based) and by what they watch (network-based or host-based):
- Behavior-based: works by monitoring traffic behavior and comparing it to traffic patterns defined as baseline
- Signature-based: works by inspecting packets for malicious signatures
- Network-based: monitors the entire network for suspicious traffic and analyzes protocol activity
- Host-based: software applications that protect servers or user machines by analyzing events occurring within that host
Sensor placement is a very important aspect, as IPS devices should be placed strategically throughout the organization, such as:
- Outside the firewall
- Inside the firewall
- On the same VLAN as the critical servers (DMZ or server farm)
Vulnerability scanning is the action of performing a series of tests on the network to detect weaknesses in the infrastructure before an attacker finds them. Unlike a penetration test, which attempts to exploit what it finds and is therefore intrusive, a vulnerability scan is active but non-exploitative: it probes systems and matches what it finds against known vulnerabilities without trying to break in. Scanning should be part of the organization's security policy and have a proactive nature, meaning it is performed on a regular schedule, before an attacker tries to access the network.
A honeypot is a security tool that allows you to attract possible attackers in an isolated environment, where they cannot do any harm to the network. Honeypots are controlled environments in which you can analyze the attackers’ behavior and gather information on the types of techniques they are using to get into the network. Honeypots can be grouped into honeynets.
Read the Cisco IDS vs IPS article.