If you think you don’t need an Intrusion Detection Systems
(IDS) or Intrusion Prevention Systems (IPS) because you have a firewall, think
again. The purpose of a firewall is to block access to specific ports. A pure
firewall has no way of detecting whether traffic to a particular port is
legitimate or part of an intrusion attempt.

For example, if you allow incoming traffic access to port 80
so those outside the local network can connect to your Web server, an attacker
can use port 80 to attack the Web server. An IDS can
distinguish between the legitimate connections to your Web server and the
attempted attack by comparing the signature of the traffic to a database of
known attack signatures.

Tips in your inbox

TechRepublic’s free Strategies that Scale newsletter, delivered each Tuesday, covers topics such as how to structure purchasing, when to outsource, negotiating software licensing or SLAs, and budgeting for growth.

Automatically sign up today!

But if you’re considering adding an IDS/IPS, choosing the
right one can be quite a task. There are many IDS/IPS solutions on the market,
ranging from simple and free to complex and expensive. And if you’re expecting
your business and network to grow over the next few years, you want to select a
product that will continue to work for you as it grows. Let’s look at some factors
that affect the scalability of an IDS/IPS solution.

IDS vs. IPS

First, you need to decide whether you want and need an
Intrusion Prevention System or just
an Intrusion Detection System. What’s
the difference? An IDS, as its name implies, detects
that an intrusion is occurring and can usually send you an alert to notify you.
What you do about it is up to you. An IPS is configured to respond to an
attempted intrusion without your intervention. For example, if it detects a
suspected intrusion, it can automatically shut down the port that’s involved,
or block all subsequent traffic from the suspect IP address.

The IPS provides for a faster reaction and thus less
likelihood of damage occurring due to the intrusion. On the other hand, it can
also result in disruption of legitimate network traffic in response to a “false
alarm.”

Open source vs. commercial

One decision you’ll be faced with is whether to implement an
open source freeware IDS/IPS or buy a commercial solution. The obvious
advantage of the former choice is monetary. If your business is small and the
budget is tight, you might not be able to afford the best commercial IDS/IPS
products. In that case, your most cost effective solution might be to use a
freeware solution now and move up to a commercial solution later, as the
business and your revenues grow.

One of the most popular open source IDS/IPS options is Snort from Sourcefire.
It has a large base of community support. It can do real-time traffic analysis
and logging and will detect many different types of attacks, including stealth
port scans, CGI attacks, OS fingerprinting, SMB probes and others. You can
extend its detection capabilities through the use of
plug-ins. Snort’s code is also used in some commercial IDS appliances.
Snort was originally developed for UNIX/Linux but has been ported to Windows.

Tip

If you decide to use Snort, be sure to install version
2.4.3. or later, which fixes a security vulnerability
recently reported in previous versions. See http://www.techweb.com/wire/security/172302456
for more information.

Although it is a full fledged IDS/IPS, Snort is often
referred to as a “lightweight” IDS/IPS. When you’re ready to move up to a more
sophisticated and robust solution, there is an abundance of commercial products
available. Some of the most popular include:

ul type=disc>

  • Internet
    Security Systems (ISS) RealSecure Network
  • NFR Sentivist IDS and IPS appliances
  • McAfee’s
    Entercept
  • GFI LANGuard S.E.L.M.
  • Cisco Secure
    IDS appliance

    • Some scalability-specific questions you’ll want to ask
    before purchasing a commercial IDS product include:

    • Is the
      product extensible? Can you add modules for management, reporting, etc.
      that may be required as the network grows?
    • For
      network-based IDS/IPS, are there limitations on the number of machines
      that can be protected?
    • Do you
      have to purchase additional licenses if you add machines to the network?
    • Does
      it work with switched LANs?

    Host-based vs. network

    IDS/IPS solutions are often divided into two categories:
    host-based (HIDS) and network-based (NIDS) systems. There are advantages and
    disadvantages to both. A host-based system is installed on and protects a
    single machine. Host-based products are usually more platform-specific (that
    is, they’re made to run on a particular operating system). Network-based
    products can protect computers on the network that run different operating
    systems.

    A network-based IDS usually needs
    to be installed on a system with a network interface that runs in promiscuous
    mode, so it can capture packets that travel on the network which don’t
    originate with or have a destination of the local machine on which the IDS is
    installed.

    A host-based IDS (or agent software) must be installed on
    every individual computer that you want to protect. Host-based solutions tend
    to be superior at detecting attacks that originate on the local network
    (insider attacks); both types of IDS are good at detecting attacks from outside
    the local network.

    Tripwire, which runs on Linux and is included in the Red Hat
    Linux package, is a popular host-based IDS. Snort,
    discussed earlier, is a network IDS.

    It is entirely possible, and often desirable, to combine
    network-based and host-based IDS products as part of a multi-layered approach
    to intrusion detection and prevention.

    As part of your scalable IDS plan, you may want to implement
    one type first and add the other later. If the budget is a big issue, you may
    want to deploy the network-based IDS first and add the host-based IDS when you
    can afford it. If security takes top priority, you may prefer to install the
    host-based IDS first since blocking intrusions at the workstation or server can
    provide more effective containment.

    Managed intrusion detection service

    We’re hearing more and more about managed services, so it
    should come as no surprise that companies are now offering managed intrusion
    detection services. ISS, in addition to making the RealSecure
    Network software for appliances, offers a managed
    IDS/IPS service    .

    A managed service can be a very scalable solution, since you
    don’t make an investment in hardware or software that you’ll later outgrow and
    most service companies can easily handle the greater load as your business
    grows.