Understanding Intrusion Detection and Prevention Systems (IDS/IPS)

Regarding network security, firewalls and zoning are a strong start. They implement the medieval castle walls paradigm: keep out the intruders and, if someone gets in, make sure additional walls limit the ability of attackers to move around. Just like fortified cities need guards on the lookout, modern networks need Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to detect and respond to threats and attackers when they somehow manage to break into the network.

IDS versus IPS

Both IDS and IPS rely on sensors that monitor network traffic, individual host systems, or both. Host-based systems are typically more challenging to set up and maintain because they require a software agent on each device. On the plus side, they get richer insights into potential attacks since they monitor what happens on the system itself. In contrast, network-based systems are quicker to deploy, though, because they see only network traffic, identifying sophisticated attacks can be more challenging for them.

IDS and IPS solutions actively monitor traffic and system activities. While an IDS (Intrusion Detection System) only alerts security teams to potential threats, an IPS (Intrusion Prevention System, also named IDPS for intrusion detection and prevention) can automatically block suspicious activities in real time. While both are deployed behind the company firewall, the architectural patterns differ. An IDS can work on copies of the network data stream and analyze this data at its own pace. In contrast, an IPS must be in-line with the network traffic, intercepting and analyzing it in real time and blocking it if needed, so its performance requirements are much higher. Still, one should not assume that an IPS stops the overall attack; it blocks specific small attacks, giving the security specialists more time to react and trying to prevent the attackers from spreading further.


Figure 1: In-line IPS (left) and IDS (right) with mirrored network traffic

Detection Techniques

IDS and IPS use several methods to detect intrusions and intrusion attempts. The main techniques are:

Signature Matching looks for known attack patterns within network data. It is a reliable and efficient technique.

Anomaly Detection identifies unusual behavior for which various approaches exist:

  • Protocol analysis looks for network traffic that does not adhere to protocol standards. This is an indicator of specific types of attacks on the network.

  • Statistical analysis establishes a baseline that characterizes past behavior. Large deviations from this baseline may indicate an attack. Following the BSI, such approaches are typical additional activities a security organization can perform, which require specialists with experience and intuition to identify potential attacks.
  • AI-based detection tries to replace human intuition with AI to flag suspicious behavior. Security service providers (and cloud vendors) praise their AI capabilities, while the BSI seems more reluctant to see it as an approach that works out of the box.
  • Honeypots are systems set up and installed as bait for attackers. When accessed, they trigger an alert. The BSI sees honeypots more as something for security service providers who have to analyze attacks and maybe large organizations.
  • Event correlation analyzes events and patterns over time or across sources, thereby helping to reveal more complex threats and subtle attacks. However, most organizations implement this capability in their Security Information and Event Management (SIEM) tools, which can combine more systems and log information than an IDPS.
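As an added example (not code from the article), the following Python sketch implements three of the techniques above, signature matching, protocol analysis and a statistical baseline, over constructed flow records, and runs them either in IDS mode (forward everything, only alert) or in IPS mode (drop alerting flows in-line), as contrasted in the IDS versus IPS section. The signature pattern, the HTTP check, the z-score threshold and the sample traffic are all assumptions chosen for illustration.

```python
import re
import statistics
from collections import namedtuple

# One flow record: source address, destination port, bytes moved, start of the payload
Flow = namedtuple("Flow", "src dport nbytes payload")
# Signature matching: pattern for one known attack type (constructed, illustrative only)
SIGNATURES = {"sqli-union-select": re.compile(r"union[\s+]+select", re.I)}

def signature_alerts(flow):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]

def protocol_alert(flow):
    """Protocol analysis: traffic to port 80 must begin with an HTTP request line."""
    if flow.dport == 80 and not re.match(r"(GET|POST|HEAD) \S+ HTTP/1\.[01]", flow.payload):
        return "malformed-http"
    return None

def learn_baseline(flows):
    """Statistical analysis, step 1: mean and std-dev of flow size from known-benign traffic."""
    sizes = [f.nbytes for f in flows]
    return statistics.mean(sizes), statistics.pstdev(sizes)

def statistical_alert(flow, base, z_threshold=3.0):
    """Statistical analysis, step 2: flag a flow more than z_threshold std-devs off the baseline."""
    mean, stdev = base
    z = (flow.nbytes - mean) / stdev if stdev else 0.0
    return "volume-anomaly" if abs(z) > z_threshold else None

def inspect(flows, base, mode="ids"):
    """Run all detectors over a batch of flows. In 'ids' mode every flow is forwarded and
    only alerts are raised; in 'ips' mode the flows that raised an alert are dropped in-line."""
    alerts, forwarded = [], []
    for i, f in enumerate(flows):
        reasons = signature_alerts(f) + [r for r in (protocol_alert(f), statistical_alert(f, base)) if r]
        if reasons:
            alerts.append((i, f.src, reasons))
        if mode == "ids" or not reasons:
            forwarded.append(f)
    return alerts, forwarded

# Constructed sample traffic (not from the article): ten benign requests to learn the baseline,
# then a batch with an SQL injection attempt, non-HTTP bytes on port 80 and one oversized transfer
BENIGN = [Flow("10.0.0.5", 80, 1200 + 10 * k, "GET /index.html HTTP/1.1") for k in range(10)]
BATCH = [
    Flow("10.0.0.5", 80, 1250, "GET /index.html HTTP/1.1"),
    Flow("10.0.0.9", 80, 1300, "GET /search?q=1+UNION+SELECT+password HTTP/1.1"),
    Flow("10.0.0.7", 80, 1240, "\x16\x03\x01\x02\x00"),
    Flow("10.0.0.8", 443, 9_000_000, ""),
]
```

Calling `inspect(BATCH, learn_baseline(BENIGN), "ids")` raises three alerts and forwards all four flows, while `"ips"` mode raises the same alerts but forwards only the first, benign flow.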

Current Trends & Cloud Platform Services

Many organizations are shifting away from best-of-breed security architectures with multiple standalone security tools and aim to consolidate to only one or very few comprehensive security solutions. This evolution led to integrating IDS and/or IPS capabilities, e.g., into Unified Threat Management (UTM) solutions and Next-Generation Firewalls (NGFW).

Cloud providers also incorporate these capabilities into their service offerings. Google Cloud offers Cloud IDS, an IDS service for monitoring the network and detecting (not preventing) attacks. This GCP service builds on a Palo Alto solution that inspects incoming and outgoing traffic mirrored into a Google-managed network.

Amazon Web Services (AWS) has GuardDuty, a security monitoring and threat detection service. This service primarily follows a host-based approach or, more precisely, a workload-centric approach comprising serverless and containerized workloads. Its pure network-related capabilities are limited. AWS encourages its customers to explore additional marketplace solutions for enhanced security.

Microsoft Azure actively promotes its IDS/IPS features as part of the Premium edition of Azure Firewall, probably reflecting their growth strategy in the security market. Their solution provides signature-based intrusion detection and prevention capabilities.

The takeaway? While cloud platforms offer IDS and IPS features, many focus more on host-level security than network-level monitoring. Larger organizations might consider continuing to architect and implement their tailored solutions with specialized 3rd party solutions rather than relying on cloud providers, for which this might be more of a niche topic.

Sources (all information retrieved Oct 15th, 2024):


Olga Horat

ICT Security Assurance Specialist at AXA

1 month

Inspiring
