March 7, 2019

Intrusion Detection and Prevention Systems: Are they really working?

Let’s face it, if you have a public IP you’re going to get some type of illegitimate access attempt directed at your network at some point, probably multiple times per day. Just look at your firewall logs and alerts sometime. If you are not already reviewing them, you should be, daily.

If you don’t have one or are not familiar with the concept, an Intrusion Detection and Prevention System (IDS/IPS) will actively detect and prevent malicious or unwanted attempts at access. Your IDS/IPS can be deployed as local software, appliances, Software as a Service (SaaS) solutions (or a hybrid), or potentially as separate systems – detection (IDS) and prevention (IPS) in separate parts. The usual deployment, however, is an IDS/IPS that prevents as it detects. These systems perform their tasks based on definitions (signatures) and/or heuristic techniques, and may be monitored by a third-party Security Operations Center that can alert you and/or act on your behalf.
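To make the two detection approaches concrete, here is an added example (not code from the original post or from any vendor product) of a toy IDS/IPS pass over constructed firewall log lines. The log format, the signature names, the scan threshold and all IP addresses are assumptions made for the illustration. It shows definition-based matching (two well-known request patterns), a heuristic (one source touching many distinct ports), and the difference between IDS mode (alert only) and IPS mode (alert and block).

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Hypothetical "definitions": a rule name mapped to the pattern it looks for.
# Real products ship thousands of these and update them with each release.
SIGNATURES: Dict[str, re.Pattern] = {
    "sqli-union-select": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# Hypothetical heuristic threshold: distinct destination ports one source
# may touch before we treat the behaviour as a port scan.
SCAN_PORT_THRESHOLD = 5

# Assumed log line layout (constructed for this example, not a real vendor format).
LINE_RE = re.compile(
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)'
    r'(?: uri="(?P<uri>[^"]*)")?'
)

# Constructed sample log: one legitimate client, one noisy scanner that also
# sends a suspicious request, and one host sending a traversal attempt.
SAMPLE_LOG = """\
2019-03-07T08:00:01 src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp uri="/login"
2019-03-07T08:00:02 src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2019-03-07T08:00:02 src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2019-03-07T08:00:03 src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2019-03-07T08:00:03 src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp
2019-03-07T08:00:04 src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp uri="/index.php?id=1 UNION SELECT 1,2"
2019-03-07T08:00:05 src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp uri="/dashboard"
2019-03-07T08:00:06 src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp uri="/static/../../etc/passwd"
"""


class Alert(NamedTuple):
    src: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Alert]:
    """IDS pass: signature matching on request URIs plus a port-scan heuristic."""
    alerts: List[Alert] = []
    ports_seen: Dict[str, Set[int]] = defaultdict(set)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # 1) Definition-based detection: compare the URI against every signature.
        uri = ev.get("uri") or ""
        for name, pattern in SIGNATURES.items():
            if pattern.search(uri):
                alerts.append(Alert(ev["src"], name, uri))
        # 2) Heuristic detection: fire once when a source crosses the port threshold.
        ports_seen[ev["src"]].add(int(ev["dport"]))
        if len(ports_seen[ev["src"]]) == SCAN_PORT_THRESHOLD:
            alerts.append(Alert(ev["src"], "port-scan-heuristic",
                                f"{SCAN_PORT_THRESHOLD} distinct destination ports"))
    return alerts


def prevent(alerts: List[Alert], mode: str) -> Set[str]:
    """IPS decision: in 'ids' mode nothing is blocked; in 'ips' mode every
    source that raised an alert is returned as a block-list entry."""
    if mode == "ids":
        return set()
    return {a.src for a in alerts}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.rule:22} src={a.src} {a.detail}")
    print("IDS mode blocks:", prevent(found, "ids"))
    print("IPS mode blocks:", prevent(found, "ips"))
```

Note how the legitimate client (198.51.100.7) never appears in the block set, which is the property you most want to verify in IPS mode: blocking the wrong source is a self-inflicted outage, not a defence.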

If you don’t have IDS/IPS, you might be saying, “Isn’t my firewall good enough?” Well, a stateful inspection firewall is an absolute must. But even though you might have integrated inspection enabled, your firewall only passively stops what was defined in the last firewall OS release, plus whatever you tell it to block through Access Control Lists associated with zones or interfaces. That’s where IDS/IPS steps it up, and it may be something you can add to or enable on your existing firewall.

After a few consulting hours (maybe the purchase of a new firewall or appliance) and certainly the signing of some type of maintenance contract, you’ve committed many dollars in infrastructure changes to add an IDS/IPS. Things are ticking along great, right?

Have you bothered to test whether the fancy new system is really doing what the sales guy said it will do?

A famous former President was very fond of this Russian proverb: Trust but verify.

Have your IDS/IPS checked by someone other than the vendor to ensure it is detecting and preventing while not impacting your network performance. Impact? Yes, impact. Another 1 or 2 seconds per transaction, multiplied by the transaction volume and the number of impacted employees or customers, adds up quickly. Time is money.

