Intrusion Detection Systems: Behind the Firewall


What is an Intrusion Detection System? 

An intrusion detection system (or IDS) is a hardware device or software program that observes a network or system for security policy violations or malicious activity. Typically, any violation or intrusion is reported to an administrator, or is collected and logged in a central location using a security information and event management (or SIEM) system. IDS technology was developed initially to detect exploits and vulnerabilities used against a computer or other target applications.

An IDS is usually a passive system that monitors and reports issues that need to be investigated. It differs from an Intrusion Prevention System (or IPS) in that an IPS assumes an active role by monitoring and defending the system against threats. If a prospective danger is seen, the IPS quickly takes action to prevent any detected exploit from compromising and seizing control of the system. 

Types of Intrusion Detection Systems

There are two main types of intrusion detection systems: 

  • Network intrusion detection systems (or NIDS): This system analyzes and reports on incoming network traffic. 
  • Host-based intrusion detection systems (or HIDS): This system monitors and documents any changes to the critical operating system files on a server.

Additionally, we can break IDS down into further sub-types according to their detection method: signature detection, anomaly detection, and a hybrid of the two.

  • Signature detection-based systems use a specific pattern to detect threats. The term originated with antivirus software, whose definitions refer to a detected pattern as a signature. Although signature-based IDS can detect a known attack vector, they cannot identify a new attack type for which no signature pattern or characteristic is available.
  • Anomaly-based systems implement a newer technological model that is designed to better adapt and defend against unknown attacks. This improvement is primarily due to the detection method used. In this process, machine learning is used to create a pre-defined trust model based on previously observed healthy activity. The framework then compares any new behavior against the established trust model to identify unusual activity. This approach can detect unknown attack vectors but suffers from false positives if previously unseen but legitimate activity is mistakenly classified as malicious.
  • Hybrid detection-based systems use both signature-based and anomaly-based diagnostics for discovery. This enables the system to better detect potential attack vectors, with a lower overall error rate than using either method separately.
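To make the three detection methods concrete, here is an added example (written for this page, not code from the original article or from any IDS product) that runs each of them over a constructed web-server access log. The signature detector matches known-bad request patterns; the anomaly detector builds a trust model from a constructed "healthy" training period and flags sources whose request volume exceeds it; the hybrid detector combines both and uses a known-good list to suppress the kind of false positive the anomaly method alone produces. The trust model here is a simple statistical threshold (mean plus three standard deviations), an assumption made to keep the example self-contained; a production anomaly IDS would use a richer model, as the article says.

```python
"""Signature, anomaly, and hybrid detection over constructed log lines.

Added example, not from the original article. All log lines, training data,
IP addresses, and signature rules below are made up for this demonstration.
"""
import re
import statistics
from collections import Counter

# Constructed "healthy" training period: requests per source under normal load.
TRAINING_COUNTS = [2, 1, 3, 2, 2, 1, 3, 2]

# Constructed log to evaluate: (source_ip, request_path).
LOG = [
    ("10.0.0.5", "/index.html"),
    ("10.0.0.5", "/about.html"),
    ("10.0.0.7", "/index.html"),
    *[("10.0.0.9", "/login")] * 8,                        # one source hammering /login
    ("10.0.0.12", "/download?file=../../etc/passwd"),    # single request, known pattern
    *[("10.0.0.100", "/healthz")] * 6,                    # monitoring host polling often
    ("10.0.0.13", "/static/app.js"),
]

# Signature rules: a name and a regular expression for a known-bad pattern.
SIGNATURES = {
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
}


def signature_detect(log):
    """Return {source: set(rule_names)} for requests matching a known-bad pattern."""
    hits = {}
    for src, path in log:
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.setdefault(src, set()).add(name)
    return hits


def anomaly_threshold(training_counts, k=3.0):
    """Trust model: mean plus k population standard deviations of per-source volume."""
    return statistics.mean(training_counts) + k * statistics.pstdev(training_counts)


def anomaly_detect(log, threshold):
    """Return {source: count} for sources whose request volume exceeds the trust model."""
    counts = Counter(src for src, _ in log)
    return {src: n for src, n in counts.items() if n > threshold}


def hybrid_detect(log, training_counts, known_good=frozenset()):
    """Combine both methods.

    A signature hit is a high-confidence alert. An anomaly on its own is a
    low-confidence alert for review, and anomalies from sources on the
    known_good list are suppressed, which removes the monitoring-host false
    positive that the anomaly detector alone raises.
    """
    sig = signature_detect(log)
    anom = anomaly_detect(log, anomaly_threshold(training_counts))
    alerts = {}
    for src in set(sig) | set(anom):
        if src in sig:
            alerts[src] = ("high", sorted(sig[src]))
        elif src not in known_good:
            alerts[src] = ("low", [f"request volume {anom[src]} above baseline"])
    return alerts


if __name__ == "__main__":
    print("signature:", signature_detect(LOG))
    print("anomaly:  ", anomaly_detect(LOG, anomaly_threshold(TRAINING_COUNTS)))
    print("hybrid:   ", hybrid_detect(LOG, TRAINING_COUNTS, known_good={"10.0.0.100"}))
```

Run as-is, the anomaly detector flags both the source hammering `/login` and the monitoring host, illustrating the false-positive drawback of the anomaly method; the signature detector catches the traversal request but says nothing about the `/login` volume, since no signature covers it. Only the hybrid run, with the monitoring host on the known-good list, reports exactly the two sources worth investigating.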

Where are IDS Located?

Usually, an IDS is placed directly behind the firewall and before a router to maximize its effectiveness. In larger environments, IDS are placed at various points in the network topology to increase efficacy and security. These points are typically the junctions between major network segments or large departmental divisions that need their own granular security level. 

Firewall vs. IDS

An IDS is different from a firewall because it looks internally for threats, whereas a firewall looks externally for risks in order to stop them from happening. An IDS is a passive system that inspects internal traffic and reports potential threats. It does not affect network performance because it operates outside the flow of network traffic. Some believe that an IDS is on par with a firewall and opt to use one or the other. In reality, an IDS should be an extension of the firewall, not a replacement for it. 

Benefits of Intrusion Detection Systems

  • An IDS is used to analyze the types and quantity of attack vectors. Corporations use this information to modify and update security policies and systems to implement more effective network security measures. 
  • IDS also aid in identifying bugs or network device configuration issues. Users can also apply these metrics to assess future exposure. Detecting these problems in advance also saves money by preventing downtime, data loss, and other business-related setbacks.
  • Using an IDS also helps in attaining regulatory compliance. This allows businesses increased network visibility ensuring security regulations are met and exceeded. Additionally, IDS log documentation shows compliance requirements are being met.
  • IDS improve the security team’s response by collecting and interpreting data inspected from within the network packets. This, along with its ability to detect network hosts and devices, helps to identify weaknesses in the operating system services being used.

Drawbacks of Intrusion Detection Systems

  • An increased rate of false positives usually accompanies the introduction of an intrusion detection system. This can lead to an increase in the number of incidents that need to be investigated, possibly overloading technical personnel resources. This hindrance diminishes over time as security personnel work with the system. They identify and allow for or eliminate these false positives.
  • A more problematic issue is a false negative. This happens when an attack on a critical flaw is allowed to pass unobstructed into the network. This problem occurs when the system is misconfigured or when a ruleset has not been updated or applied. The other fear is that an undocumented or “0day” exploit is used to access the network. Such an exploit can only be detected once a researcher has observed and documented an example in the wild.
  • Another concern is the IDS itself being targeted as an attack vector. If an IDS is known to exist within a network, it can be targeted with a DDoS attack. Used in this manner, a DDoS could, in essence, overload the system and render it ineffective. While IDS exist to notify us of problems, detection is not prevention. Users must take positive action to address the issues noted by the system. Without this step, an IDS becomes a costly logging operation. This concern also extends to having trained professionals on staff who know how to address these challenges.
  • Lastly, the cost is always a factor. The total cost of ownership that comes into play here can be a drawback in large, regionally diverse networks. IDS software can range from free (open-source) to large hardware devices, with costs running into the hundreds of thousands of dollars. Also, implementation, configuration, ongoing maintenance, and staffing come into play as well. 

Alternatives

Unified Threat Management (or UTM) is a new strategy in information security where a single hardware/software product is incorporated to blanket multiple security-related functions into a single platform. This is in contrast with the conventional method of having various single end-point solutions for every security task. These systems enable businesses to simultaneously implement a full range of offerings into their overall security infrastructure. The features can include an IDS, IPS, Firewall, Antivirus, Web proxy, VPN, DDoS protection, email filtering, packet inspection, data loss prevention, and other SIEM-related deliverables. The downside to this approach is it introduces a single point of failure into the system. 

Conclusion 

For those looking for a reliable security platform for their dedicated server infrastructure, Liquid Web provides a well-rounded security product portfolio, including our Managed VPN, ServerSecurePlus offering, DDoS packages, SSL options, Web Application Protection (WAP) solution (consisting of the CloudFlare® Web Application Firewall and Malware Cleanup/Remediation service), Compliance service (comprised of PCI Scanning, Vulnerability Assessment & Scanning), HITECH Certified HIPAA Servers, and our newest product, the Alert Logic Security & Compliance Suite. For more information about this service, prospective clients can find a comprehensive datasheet on our website. Find out why over 45,000 customers put their trust in Liquid Web for their online stores, applications, and mission-critical websites today.

We pride ourselves on being The Most Helpful Humans In Hosting™! Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article. Should you have any questions regarding this information, we will always answer any inquiries with issues related to this article, 24 hours a day, 7 days a week, 365 days a year.

If you own a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Server, or Dedicated server, and have further questions about SIEM or other security-related topics, you can reach us via phone at 800.580.4985, via chat, or via a support ticket, and we will assist you with this process.

Author Bio

About the Author: David Singer

I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....
