Types of IDS and IPS Sensors

Advantages

Disadvantages

• Easy configuration

• Fewer false positives

• Good signature design

• No detection of unknown signatures

Signature-Based

• Initially a lot of false positives

• Signatures must be created, updated, and tuned

Policy-Based

• Simple and reliable

• Customized policies

• Can detect unknown attacks

• Generic output

• Policy must be created

Anomaly-Based

• Easy configuration

• Can detect unknown attacks

• Difficult to profile typical activity in large networks

• Traffic profile must be constant

Honey Pot-Based

• Window to view attacks

• Distract and confuse attackers

• Slow down and avert attacks

• Collect information about attack

• Dedicated Honey pot server

• Honey pot server must not be trusted

The table in the figure summarizes the advantages and disadvantages of the various types of IDS and IPS sensors available. The list here describes these IDS and IPS sensors in more detail.

■ Signature-based: A signature-based IDS or IPS sensor looks for specific, predefined patterns (signatures) in network traffic. It then compares the traffic to a database of known attacks and triggers an alarm or prevents communication if a match is found. The signature may be based on a single packet or a sequence of packets. New attacks that do not match a signature will not result in detection. For this reason, the signature database needs to be constantly updated.

Note Protocol analysis-based intrusion detection is similar to signature-based intrusion detection, but it performs a more in-depth analysis of the protocols specified in the packets.

Signature-based pattern matching is an approach that is rigid but simple to employ. In most cases, the pattern is matched against only if the suspect packet is associated with a particular service or, more precisely, destined to and from a particular port. This helps to lessen the amount of inspection done on every packet. However, it tends to make it more difficult for systems to deal with protocols that do not reside on well-defined ports and, in particular, Trojan horses and their associated traffic, which can usually be moved at will.

At the initial stage of incorporating signature-based IDS or IPS, before the signatures are tuned there can be a lot of false positives (traffic generating an alert which is no threat for the network). After the system is tuned and adjusted to the specific network parameters there will be fewer false positives than with the next approach, the policy-based approach.

5-10 Securing Cisco Network Devices (SND) v2.0 © 2006 Cisco Systems, Inc.

■ Policy-based: The IDS or IPS sensor is preconfigured based on the network security policy. You must create the policies used in a policy-based IDS or IPS. Any traffic detected outside the policy will generate an alarm or will be dropped. Creating a security policy requires detailed knowledge of the network traffic and is a time-consuming task. Policy-based signatures use an algorithm to determine if an alarm should be fired. Often policy-based signature algorithms are statistical evaluations of the traffic flow. For example, in a policy-based signature that is used to detect a port sweep, the algorithm issues an alarm when the threshold number of unique ports is scanned on a particular machine. Policy-based signature algorithms could be designed to only analyze a specific type of packets, for example, SYN packets. The policy itself may require tuning. For example, you might have to adjust the threshold level of certain types of traffic so that the policy conforms to the utilization patterns on the network that it is monitoring. Polices may be used to look for very complex relationships.

■ Anomaly-based: Anomaly-based or profile-based signatures typically look for network traffic that deviates from what is seen "normally." The biggest issue with this methodology is that you first need to define what "normal" is. Some systems have hard-coded definitions of normal traffic patterns and, in this case, they could be considered heuristic-based systems.

Other systems are built to learn normal traffic behavior; however, the challenge with these systems is in eliminating the possibility of improperly classifying abnormal behavior as normal. Also, if the traffic pattern being learned is assumed to be normal, the system must contend with how to differentiate between allowable deviations and those deviations not allowed or that represent attack-based traffic. Normal network traffic can be difficult to define.

■ Honey pot-based: Honey pot systems use a dummy server to attract attacks. The purpose of the honey pot approach is to distract attacks away from real network devices. By staging different types of vulnerabilities in the honey pot server, you can analyze incoming types of attacks and malicious traffic patterns. You can use this analysis to tune your sensor signatures to detect new types of malicious network traffic.

© 2006 Cisco Systems, inc. Securing Networks with Cisco iOS IPS 5-11

+6 0

Responses

  • john
    What two sensor types exist in an ids/ips solution?
    6 months ago

Post a comment