Intrusion Detection Systems

In order to be able to continue my discussion about Firewalls Evolution, I have to take you today to a different subject. As I said before, "Firewall is a device that divides the network into different Zones, and controls Who's is supposed to talk to Who, using which Applications (Service), across those different Zones". But once Client (C) is allowed to talk to Server (S) using Application (A), he is then allowed to send whatever traffic he wants to that Application.

What's the difference between a Firewall and an IDS?
Let's say that Application A is Vulnerable to XSS (Cross Site Scripting), i.e. it has a bug, and Attackers can send Malicious Traffic to this Application that can harm that Server or those people who deal with it taking advantage of this bug. A Firewall can only block people from accessing this Application or permit them, but it can never know if this traffic is Malicious or not. A Firewall is only capable of inspection up to layer 4 (The Transport Layer), hence another solution is needed in order to inspect traffic up to layer 7 (The Application Layer). This solution is called an IDS or Intrusion Detection System.

How does an IDS work?
But what kind of magic does IDS's do in order to detect those attacks. We are now in the application layer and there is no 5-tuple to inspect anymore, so IDS's use various techniques to detect attacks. Let's go back to our XSS example.

Imagine a web forum where different users can post articles and comments etc. So an attacker can forge his post to contain some HTML tags or JavaScript in stead of clear text. So the result will be the execution of that HTML tags or JavaScript in the other forum visitors' browsers.
Gr33n Data: Cross Site Scripting - XSS

So a simple IDS can look for a certain pattern - here it will be an HTML Tag - in the traffic sent from the Client to the Web Server. The HTML Code is normally sent from the Server to the Client and not in the other direction. This kind of Intrusion Detection Technique is called Signature Based Detection. Another Technique used by IDS's is Behavior Based Analysis or Traffic/Protocol Anomaly Detection. When someone's PC is infected by a worm, it normally tries to connect to hundreds or even thousands of other PC's in order to try to infect them. This is how worms normally propagate and this is what differentiate worms from viruses. So an IDS that is able to detect Traffic Anomalies will know that a certain PC is infected by a worm when it starts sending traffic to a large number of PC's in a short period.

By they way, the Antiviruses you use on your PC use similar techniques to detect malwares. And you know what, the Antivirus updates you download every now and then are files containing those signatures used by it in the Signature Based Detection. And yes, an IDS needs tp get periodic updates too, just like Antiviruses.

The Signature Based Detection is more accurate than Behavior Analysis in detecting Attacks, but Signature Based Detection can detect Known Attacks only while Behavior Analysis can detect both Known and Unknown Attacks, which are sometimes called Zero-Day Attacks. That's why Intrusion Detection Systems depend on both techniques together and sometimes they implement more proprietary techniques.

Accuracy, what do I mean by accuracy?
When there is an Attack and the IDS doesn't detect it, they call this False Negative, and on the other hand when there is no Attack and the IDS thinks that there is one, they call it False Positive. A good IDS is the one that tries to minimize both False Negatives and False Positives.

IDS is dead, long live the IPS
IDS is more complicated than a Firewall, it needs more processing and analysis that may impose some delays. It's also not accurate. That's why people preferred not to deploy them inline. The traffic doesn't pass by them, they just see a copy of it, and they do not take actions to block or permit traffic, they are just passive devices that fire an alarm whenever they detect an attack.

And that's why a few years ago a new technology was born, an IPS is just an IDS but it is deployed inline and capable of tacking the decision to block or permit traffic. By doing so IPS vendors were forced to increase their products accuracy as well as processing power.

IPS Vendors
Now a days that top players in the IPS field are Tipping Point (3Com), IntruShield (McAfee), NetScreen IDP (Juniper), and ISS Proventia (IBM). Cisco also have their own *quote* IPS *quote*. And if you are an Open Source fan, you can try Snort, these guys have good documentations and papers here.

Tags: IPS, Attacks, Gr33n Data