Beyond the firewall: Intrusion Detection Systems

Firewalls are so 2000s. With your "office" now scattered over homes everywhere, you need a new way of protecting your office from network threats and that's IDSs.


It used to be so easy. Everything "inside" your firewall was safe and everything "outside" was dangerous. Alas, computer network security was never really that simple. Today, however, with our employees in hundreds or thousands of small—read: home—offices, it's harder than ever. Fortunately, there's another approach that can work well for today's workforce: Intrusion Detection Systems (IDS).

Unlike a firewall, which typically tries to block certain kinds of internet traffic from your computers, an IDS doesn't stop traffic but keeps an eye on what's coming in and going out. I think of a firewall as a door between your house and street, while an IDS is a security camera watching the door.

You still need both—many simple attacks still rely on someone being foolish enough to not bother with a firewall—but IDS, and its kissing cousin Intrusion Prevention Systems (IPS), are more important than ever.

So, what are these anyway? Let me tell you.

The ABCs of IDS

First, an IDS is a software application or hardware appliance that monitors network traffic. It's constantly looking for suspicious activity and known threats. When it finds one, it sends the administrator a red alert that there's trouble on the way. It may also log the potential attack to a security information and event management (SIEM) system. The IPS, as you'd guess, automatically blocks such possible attacks.

These come in two varieties. The first, network-based intrusion detection systems (NIDS), live on the network. Specifically, they watch incoming and outgoing network traffic. In short, they're built on top of network sniffers, such as Wireshark. Usually, NIDSs are installed in a demilitarized zone (DMZ). A DMZ is a physical or logical subnetwork that connects your external-facing network services, such as an e-mail or web server, to an untrusted network such as the internet.

Host-based IDSs (HIDS) are installed on devices within the local area network. These can live on PCs and servers, but they can also be stand-alone devices.

While both are IDSs, they're not the same. A NIDS looks for known attack signatures in your traffic or suspicious deviations from normal network activity. Once spotted, the news is pushed up to someone—or some system—that can deal with it.

A HIDS, on the other hand, takes a snapshot of your existing system files. That done, it then compares them with earlier snapshots. The name of the HIDS game is to look for unexpected and unauthorized changes. This can include overwriting, deleting, or adding files and changing system settings.
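The snapshot-and-compare idea above, as an added toy example (not OSSEC's or any product's code): hash every file under a directory, save that as the baseline, and on the next pass report what was added, deleted, or modified. The directory tree and the "unauthorized" edits are constructed inside a temporary folder so it runs anywhere.

```python
"""Toy host-based IDS: baseline a directory tree, then report changes."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(old, new):
    """Compare two snapshots and return the three kinds of change a HIDS reports."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a constructed tree, take a baseline, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)
        # Simulated unauthorized changes: one edit, one deletion, one new file.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 fileserver\n")
        (root / "etc" / "passwd").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 2 * * * root /usr/local/bin/backup\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real HIDS stores the baseline somewhere the monitored host cannot silently rewrite it and re-runs the comparison on a schedule or on file-system events.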

Ideally, you want to use both. HIDS can protect you against potential insider threats—even if it is just Junior installing Fortnite on mom's work computer. NIDS, in the meantime, can keep an eye on what's going on within the network proper. For example, a vast increase in traffic from, yes, Junior playing Fortnite. It will also detect attacks and anomalies.

In both cases, here are the wins for you:

  • By monitoring your firewall, routers, servers, switches, and desktops with an attack signature database, you can be alerted to breaches before—we hope—too much trouble has come your way.
  • By using the signature database, IDSs can also spot known anomalies—once again, Junior with Fortnite—with a low risk of raising false alarms. In this case, for example, the chief information security officer (CISO) hardly needs to be alerted.
  • By analyzing the different types of attacks, IDSs can also identify attack patterns. Armed with this your administrators can build up your defenses appropriately.
  • Finally, IDSs help you maintain compliance with regulations—for example, HIPAA in the States and GDPR in the EU—and with your own security standards.

IPSs, as you'd guess, do all the above and then take automated action against the threat of the day. But, you need to be wary of giving an IPS too much power.

When an IDS reports a false positive, it's not normally a big deal. But, when an IPS detects what it thinks is malicious activity, that same false positive can block legitimate network traffic, stop a server in its tracks, or lock down a subnet. That's great when an IPS is stopping a real problem, but pure misery when it gets in the way of real work.

On the other hand, you don't want the IPS to miss a phishing attack, which starts a ransomware download. It's a delicate balance.

Indeed, one of the major problems with IDSs and IPSs is you need smart security administrators. There is no one-size-fits-all IDS.

Savvy security administrators are hard to find. But, artificial intelligence (AI) and machine learning (ML) may be coming to the rescue here. Serious academic work is being done to make ML work well with IDSs. In particular, proposed deep learning models are outperforming today's existing shallow ML models.

This isn't just ivory-tower theory. Carnegie Mellon University's CyLab has just shown off the fastest open-source IDS. Humorously named Pigasus, it uses Field Programmable Gate Arrays (FPGAs) and has achieved network scanning speeds of 100 gigabits per second.

In the best of all possible worlds, you'll use both a well-managed IDS and IPS. Thanks to recent advances, personal expertise may not be the bottleneck it's been before.

Network security in the days of Covid

There are numerous excellent IDSs and IPSs available today. But, before you go out and buy one, you need to know a lot of things. First, they come in a wide variety of forms. Some, even within the same line, such as Cisco's Next Generation Intrusion Prevention System (NGIPS), come as either an appliance or a VMware instance.

Buying them isn't that easy either. Some are standalone products or services, while others are part of a broader product line. Like most enterprise software programs, they also almost never have simple pricing. They usually come in a wide variety of feature, performance, and pricing tiers. You may also have to buy it, not from the vendor, but from a Value-Added Reseller (VAR) or Managed Service Provider (MSP).

Finally, and this is important, many older models won't work well when your office is no longer at the corner of Main and High Street, but in dozens to thousands of individual home offices. Clearly, for example, you're not going to place an appliance in all those offices. What you need in 2020 and beyond is a network or cloud-based security service.

The security companies know this. Global Industry Analysts predict that the cloud IDS market will jump from $690.4 million to $2.6 billion by 2027. That's an impressive compound annual growth rate (CAGR) of 20.8%. One of the major drivers? The switch to working from home.

Other analyst groups, such as Advance Market Analytics, have taken to covering the cloud IDS market because of its rapid growth. Of course, it's not just the Covid economy that is driving this. The need to protect IT infrastructure—at home and at the data center—from data breaches and network attacks is ever-growing. And, all the usual reasons people turn to the cloud—flexibility, cost savings, and improved security—also play a role.

Your UTM choices

Before you buy into any of these, I cannot recommend highly enough that you kick their tires. Their feature sets vary wildly. Before committing yourself to any of them, you must make sure it works well for your new IT security needs.

First up, there are the open-source programs. I use these myself and they work quite well—if, and it's a big if, you know what you're doing. If you don't have anyone on staff who already knows these programs, they are not for you.

Snort is the oldest open-source NIDS project. The name springs from its beginning as a packet sniffer. These days, however, it's a network-based IDS. It works by using customizable rules to look for the baddies in your network packets. It uses both signature- and anomaly-based detection methods.
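To make the two detection methods concrete, here is an added toy example (not Snort's code, and not its rule syntax). It runs a signature check and an anomaly check over a constructed flow log: the signature is a made-up byte marker, and the anomaly detector compares each source's flow count against a constructed per-host baseline.

```python
"""Toy network IDS showing signature-based and anomaly-based detection side by side."""
from collections import Counter

# Constructed signature table: name -> byte pattern. A real ruleset carries
# thousands of these; the marker here is invented for illustration only.
SIGNATURES = {
    "demo-marker": b"DEMO-BAD-PATTERN",
}

# Constructed flow log: (src, dst, dst_port, payload_bytes).
# 10.0.0.5 sends one normal and one flagged payload; 10.0.0.7 opens 40 flows
# to consecutive ports, far above its baseline of 5.
FLOWS = [
    ("10.0.0.5", "10.0.0.10", 443, b"GET / HTTP/1.1"),
    ("10.0.0.5", "10.0.0.10", 443, b"xxDEMO-BAD-PATTERNxx"),
] + [("10.0.0.7", "10.0.0.20", port, b"") for port in range(1, 41)]


def signature_alerts(flows, signatures=SIGNATURES):
    """Return (src, signature_name) for every payload containing a known pattern."""
    alerts = []
    for src, _dst, _port, payload in flows:
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append((src, name))
    return alerts


def anomaly_alerts(flows, baseline_per_src, factor=3):
    """Flag any source whose flow count exceeds factor x its learned baseline."""
    counts = Counter(src for src, *_ in flows)
    alerts = []
    for src, n in counts.items():
        expected = baseline_per_src.get(src, 1)  # unknown hosts get a tiny baseline
        if n > factor * expected:
            alerts.append((src, f"{n} flows vs baseline {expected}"))
    return alerts


def run():
    """Run both detectors; a real NIDS would push these alerts to an admin or SIEM."""
    baseline = {"10.0.0.5": 5, "10.0.0.7": 5}  # constructed "normal" flow counts
    return {
        "signature": signature_alerts(FLOWS),
        "anomaly": anomaly_alerts(FLOWS, baseline),
    }


if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind, alerts)
```

Note what each method misses: the signature check says nothing about the port sweep, and the anomaly check says nothing about the flagged payload, which is why Snort and its peers use both.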

You don't have to pay a dime to use it or its continuously updated community ruleset. If you want to be safer—and trust me, these days you do—you should get a paid rules subscription. These are updated 30 days ahead of the community ruleset. At $29.99 per year for individuals and $399 per year per sensor for businesses, you can't beat the price. And, if someone in the IT department still has antediluvian ideas about open-source software being made by kids in their basement, let them know Cisco is its main maintainer and it's used in NGIPS.

That takes care of the network side, but to protect your PCs, you can turn to another open-source project: OSSEC. You can run this host-based IDS on Linux and Unix servers or from cloud instances. It tracks what's what on Linux, macOS, and Windows PCs. It tracks activity, such as changes to files and to the Windows registry, in real time. OSSEC is usually used as an IDS, but it can also guard your system as an IPS.

The cost? Zero. But again, you need to know what you're doing to make the most of it. Atomicorp offers a commercial version, which includes a dedicated management console, ready-to-run rules, and reporting. Unless you're already an expert, I recommend subscribing to Atomicorp's offering.

Another brand-new, albeit proprietary, network IDS that looks promising is Cloudflare Intrusion Detection System (IDS). Cloudflare, best known as a leading content delivery network (CDN), is offering a service to monitor not just your outward-facing Internet traffic, but your internal network traffic as well. It does this both by learning your normal traffic behavior and by deep packet inspection. This project is still in beta, but it's worth following.

FireEye's Network Security and Forensics includes an IPS as part of its protection. While it's available as an appliance, these days you really want to run it as a cloud-based virtual appliance. Its big selling point is that instead of relying primarily on attack signatures, it uses its Multi-Vector Virtual Execution (MVX) Virtual Machine (VM). MVX works by running suspicious content in a VM. So, for example, when some nogoodnik tries to pass malware to one of your people in an e-mail attachment, MVX first opens it in its secured VM. It will then block the attachment from being delivered.

Trend Micro TippingPoint is an IPS program that you can run as a virtual appliance. It combines threat signatures from Trend Micro and the Zero Day Initiative. TippingPoint also uses ML to spot zero-day attacks. Besides protecting your network, you can also use it on your public or private clouds. It can also, needless to say, be integrated with Trend Micro's other security offerings.

Finally, here are two IPS programs that are fully embracing new models.

Zscaler Cloud IPS is a pure cloud play. This Software-as-a-Service (SaaS) program is designed to defend users rather than servers. They argue that thanks to remote workers and our reliance on the cloud, traditional IPSs are blind to the real threats targeting your users. It's an interesting idea, and I can make the arguments for it. I'd certainly put them on my "to check" list while looking for a work-from-home-friendly security solution.

In another approach, Vectra Cognito is all about AI and ML. Vectra argues that a combination of poor security training, legacy security technologies, and fundamental misunderstanding about where and what they should be protecting leaves companies open to attack. Their methodology, the company claims, is much better at dealing with today's security dangers. They've got a point.

There are many other programs. There is no market leader here. But, one thing is clear to me. You need to use these programs and adapt them to your new "working at home" workforce. If you don't, before the pandemic is over, you may lose your business to a preventable hacking attack.

Copyright © 2020 IDG Communications, Inc.
