What is (an) Intrusion Prevention System?
How to Build up a Cost-Effective Intrusion Prevention System Framework
Intrusion Prevention Systems may very well be the next milestone in proactive network security. The reasoning behind the statement is not hard to grasp – a June 2020 study, focused on the Asia-Pacific markets, found a 25.07% CAGR (compound annual growth rate) for network traffic analytics. That growth is directly proportional to the rise in network-level threats (e.g. Denial of Service, DNS hijacking, DNS poisoning, etc.).
This forecast was computed over a 10-year timeframe and will, undoubtedly, change as new ‘players’ step up to the plate; and they’re not far behind. Netwalker, the latest in RaaS (Ransomware-as-a-Service), has already started to assert itself, and this can only spell disaster for the corporate sector. This ominous ‘net stomper’ has racked up over $25 million (and still counting).
Is the Intrusion Prevention System the golden ticket to a RaaS-free online environment? I’m somewhat reluctant to endorse that statement; game-changer is a better word to describe the wondrous, new Intrusion Prevention System – not actually a novelty, but still a better choice than leaving your network unguarded. Now, ad-libs aside, let’s talk about IPS.
Deconstructing (an) Intrusion Prevention System
Fact: there is no IPS without IDS (Intrusion Detection System). IDS is IPS’s yang, as IPS is IDS’s yin. Poetics aside, an IDS is a device or a piece of software that actively monitors a system or network for signs of policy violations or, relevant to this article, malicious activity. The data collected by an IDS can be fed to a SIEM (Security Information and Event Management system).
SIEMs are the proverbial steam engine of the entire network security effort: information gathered at SIEM level can be used to create actionable reports, reinforce network security, identify (security) gaps, minimize damage and, if applicable, determine the best course of action to root out malware that may have ‘burrowed’ into your endpoints. IPSs are sometimes confused with firewalls, since both have something to do with network security. Of course, it goes without saying that the two are different, the major distinction being the IPS’s ability to detect both outside and inside threats.
Anyway, on the topic of IDSs, they can be classified according to the detection methods. I’m just going to lay them out here, as they are:
- NIDS (Network Intrusion Detection Systems) – ‘sniffers’ placed at key points to monitor incoming and outgoing network traffic. A NIDS can operate in online or offline mode (inline vs. tap). On a technical level, a NIDS inspects Ethernet packets; if any of them exhibit anomalous activity, it is capable of enforcing rules. Neural networks are often employed to enhance NIDS detection capabilities.
- HIDS (Host Intrusion Detection Systems) – monitor individual devices or hosts on the network. Such systems analyze the inbound and outbound packets of the monitored device; if an anomaly is detected, the administrator is notified.
- Signature-based IDS – a detection method based on known malicious patterns. The terminology (the ‘dictionary’ of malicious patterns and definitions) originates from antivirus software.
- Anomaly-based IDS – this detection method relies on comparing newly identified (and possibly malicious) behavioral patterns against a database of ‘normal’ network activity. Tiny fun fact: Gartner has coined a new type of anomaly-based IDS framework called UEBA (User and Entity Behavior Analytics).
So, we’ve pretty much covered IDS (promise I’ll return with a full-length article on the topic). Let’s now talk about Intrusion Prevention System(s).
The research paper entitled “Improving network intrusion detection system performance through the quality of service configuration and parallel technology” (Waleed Bul’ajoul, Anne James, and Mandeep Pannu) discusses how blurred the line between IPS and IDS has become. More specifically, the authors work with a network monitoring and protection framework called IDPS (Intrusion Detection and Prevention System). So, what is an IDPS? According to the above-mentioned paper, the definition is as follows:
“IDPS technologies detect and react to unauthorized (sic!) access to network systems, providing real-time monitoring of network traffic. IDPSs can be software- or hardware-based or can be a combination of both. Hardware-based IDPSs are effective for large organizations (sic!) and companies but are very expensive.
However, software-based IDPSs running on the same devices or servers can identify and deal with attacks generated from inside or from outside the network, and can also protect the security policies of that network and their internal threats. Deploying a firewall with an IDPS is a useful way to provide extra security and thus strengthen the network.”
From this definition, we can infer the following:
- IDS and IPS work in tandem; to detect is to prevent is to detect.
- IPSs can be hardware- or software-based. A honeypot is a great example of a hardware-based IPS (and IDS); however, such a system can be hard and costly to maintain. On the other hand, honeypots reign supreme when it comes to network traffic analysis.
- IDPSs are designed to detect and deal with external as well as internal threats.
- Firewalls are neither IDS nor IPS, though they share some technical similarities. In practice, firewalls are added alongside an IDPS to enhance network security.
IPS and IDS in a nutshell (for illustration purposes only; subject to change):
Intrusion Detection System
The attacker → Internet → Firewall → Switch (IDS + Management System) → Network → Web Server + Email Server.
Intrusion Prevention System
The attacker → Internet → Firewall → IPS → Switch + Management System → Corporate Network → Web Server + Email Server.
As you can see from the above figure, the Intrusion Prevention System, whether hardware- or software-based, is placed, very much like a barrier (or gatekeeper), between the corporate gateway (which in this case is a switch) and the wilderness (the Internet). Oversimplifying things, whenever the ‘gatekeeper’ picks up anomalous readings, it reacts accordingly (enforcing the necessary policies to deny access to critical hosts and/or devices).
Now, the main role of any reputable Intrusion Prevention System is to monitor network activity. This involves logging, reporting, identifying malicious activity and attempting to block it.
Similar to IDS, Intrusion Prevention Systems can be classified, based on type and detection method. The four IPS types are:
- NIPS (Network-based intrusion prevention system).
- WIPS (Wireless intrusion prevention system).
- NBA (Network behavior analysis).
- HIPS (Host-based intrusion prevention system).
NIPS inspects the corporate network at the protocol level. Suspicious activity can be further analyzed to establish the attack’s (approximate) origin and the content of the malicious packets. In preventing and mitigating malicious activity, the NIPS engine can perform various actions. For instance, a NIPS can reconfigure the firewall to prevent future encounters with malicious packets. That’s just one of the ways NIPS can help you get rid of unwanted content. There are plenty more where that came from – and yes, I’m thinking about doing an in-depth article on NIPS.
Moving on to WIPS, the wireless (wire-free) counterpart of NIPS: put simply, WIPS is the logical step to take if the corporate network incorporates wireless devices and BYODs. Functionality-wise, WIPS shares a lot of similarities with NIPS; both monitor network traffic by analyzing the communication protocol activity and can reconfigure the firewall in case of suspicious activity.
The major difference between the two is that WIPS monitors wireless communication protocols (e.g. Bluetooth, Infrared, Z-Wave, NFC, Wi-Fi, 4G, 5G, LTE Cat, etc.), while NIPS keeps an eye on ‘landlubbing’ communication protocols such as Ethernet, LocalTalk, ATM, FDDI, Fast Ethernet, and so on.
NBA (not to be confused with NBL) is a tolerance-based analysis technique capable of enhancing your network security. In essence, network behavior analysis aggregates various trends (e.g. protocol usage, bandwidth usage, etc.) and computes the deviation from standard operations. Anything flagged as suspicious is immediately sent to the SIEM for further analysis. NBA’s major advantage is its ability to pick up zero-day exploits or new malware variants.
HIPS is a very surgical approach to IDPS. Whereas NBA, WIPS and NIPS monitor activity at the network level, a Host-based intrusion prevention system observes (and protects) a single host. As you might imagine, HIPS has a low scalability factor (costs and maintenance), but it maxes out on protection – very effective if you want to safeguard a host that holds valuable information.
Intrusion Prevention Systems employ various detection methods – no prevention without detection. Although each vendor pads its IPS with a ‘home-made’ detection method, all of them build upon the following detection methods:
- Signature-based detection = network packets are compared to pre-built attack profiles.
- Anomaly-based detection (statistical approach) = network events are compared against a baseline. Various parameters are under scrutiny (e.g. bandwidth usage and network packet volume). If there’s a deviation from normal behavior, an alarm is triggered. Anomaly-based detection is great at picking up zero-day malware, but can produce a lot of false positives if it isn’t configured properly.
- Stateful protocol detection = somewhat similar to the statistical anomaly-based detection method. Protocol activity is profiled beforehand in order to create a baseline. After that, the activity is compared to the baseline values.
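To make the three detection methods (and the NBA-style deviation-from-baseline idea above) concrete, here is an added toy example of my own; it is not code from the article or from any vendor product. The signatures, baseline figures, sample traffic and handshake profile are all constructed, and the tolerance parameter k shows how a badly tuned anomaly threshold turns an ordinary host into a false positive.

```python
"""Toy versions of signature-based, anomaly-based and stateful protocol
detection. All data below is constructed for illustration (added example)."""
import re
import statistics
from collections import Counter
from typing import Optional
# Signature-based: a small 'dictionary' of known malicious payload patterns.
SIGNATURES = {
    "directory traversal": re.compile(rb"\.\./\.\./"),
    "sql injection probe": re.compile(rb"(?i)'\s*or\s+1=1"),
}

def signature_matches(payload: bytes) -> list:
    """Names of every signature whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

# Anomaly-based: per-host packet volumes observed during a 'normal' period.
BASELINE = [10, 12, 9, 11, 10, 13]

def anomaly_flags(counts: dict, baseline: list, k: float) -> list:
    """Hosts whose packet count exceeds mean + k*stdev of the baseline.
    A small k (e.g. 1.0) also flags ordinary hosts: the false-positive problem."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [host for host, n in counts.items() if n > threshold]

# Stateful protocol: the only legal next event for each handshake state,
# profiled beforehand (simplified TCP-style session, constructed).
PROFILE = {"SYN": "SYN-ACK", "SYN-ACK": "ACK", "ACK": "DATA", "DATA": "DATA"}

def protocol_violation(events: list) -> Optional[int]:
    """Index of the first event that breaks the profile, or None if clean."""
    if not events or events[0] != "SYN":
        return 0
    for i in range(1, len(events)):
        if PROFILE.get(events[i - 1]) != events[i]:
            return i
    return None

# Constructed sample traffic: (source host, payload).
PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", b"GET /../../etc/passwd HTTP/1.1"),
    ("10.0.0.9", b"POST /login user=admin' OR 1=1--"),
] + [("10.0.0.7", b"GET /a HTTP/1.1")] * 40 + [("10.0.0.8", b"GET /b HTTP/1.1")] * 13

def run(k: float = 3.0) -> dict:
    """Run signature and anomaly detection over PACKETS with tolerance k."""
    hits = {i: signature_matches(p) for i, (_, p) in enumerate(PACKETS) if signature_matches(p)}
    volume = Counter(host for host, _ in PACKETS)
    return {"signature_hits": hits, "anomalous_hosts": anomaly_flags(volume, BASELINE, k)}
```

With k=3.0 only the 40-packet host is flagged; with k=1.0 the 13-packet host, which sits inside the baseline range, is flagged as well.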
Towards a cost-effective Intrusion Prevention System
IPS sounds pretty awesome, but what about the price tag? How much would it cost, let’s say, a small business to set up an Intrusion Prevention System? Ready? $161,000 per device per year! Yes, you read that right – it costs over 100k to keep an IPS up and running.
But that’s not all; the above-mentioned sum is compounded by other expenses. In the paper “Cost-effective management frameworks for intrusion detection systems”¹, the authors reveal that an IDPS can incur additional cost if we factor in additional network security countermeasures such as NIDS or HIPS. Furthermore, the same paper mentions that you will need an additional $100k per year for your system administrator or the person in charge of IDS or IPS maintenance.
That’s a lot of money and, no doubt, such a system might not be feasible for start-ups or businesses trying to stay afloat, especially during these trying times. So, what can we do to bring down those costs without sacrificing security? The solution is to deploy a one-stop, all-inclusive cybersecurity solution that has the same functionality as a full-fledged IDPS.
Introducing Heimdal™ Security’s Forseti, a perimeter intrusion prevention solution that can detect and eliminate zero-day and second-generation malware. With Forseti, you will also gain MDM capabilities. Reporting and SIEM options are available through Infinity Management, our web-based dashboard.
Intrusion Prevention Systems are the next step in network protection. However, they’re still regarded as some sort of add-on, just like malware analysis/forensics. What’s your take on IPS? Hit the comments section and let me know.