Intrusion Detection Systems (IDS): A Basic Guide

Intrusion detection systems are often regarded as a core component in safeguarding production systems that house mission-critical data, IP, and other digital assets. Without an IDS in place, a business’ production infrastructure and data are vulnerable to cyber attacks and other criminal activity. If the data is compromised by an unauthorized entity, the infrastructure of the entire company can quickly crumble, leaving much doubt about the organization’s sustainability.

As part of an overarching security strategy that may include VPNs, virus protection, firewalls, or managed IT, an IDS has traditionally aided administrators in detecting intrusions and mitigating attacks. However, the role of IDS is slowly diminishing. The technology that hackers utilize to hijack a network and the counter-technology that administrators are implementing to combat these attacks have outpaced IDS scope and capacity. The need for real-time and zero-day attack detection has rendered an IDS all but antiquated.

Understanding IDS Core Operation

An intrusion detection system (IDS) is a device or a software application that performs any or all of these basic functions:

  1. Monitors an entire network infrastructure for cyber attacks
  2. Instantly detects a cyber attack as it occurs
  3. Quickly deploys a countermeasure to stop the attack (intrusion prevention systems)
  4. Submits reports to an administrator or security team

The purpose of an IDS is to create an automated protocol for monitoring cyber attacks and engage a team of live security experts who can respond to the attempted breach, view a digital analysis of the activity, and then deploy solutions for improving network security. The intrusion detection system is designed to protect every component of the network including equipment, hardware, and software within an on-site data center, virtual server, or a cloud-based platform. It forms a digital perimeter that partially or fully guards an organization’s IT network.

An intrusion prevention system (IPS) operates on the same level as an IDS but proactively employs a countermeasure to prevent an unauthorized person or entity from following through with the attack. An IPS reinforces a firewall and provides a complementary layer of analysis that filters out dangerous content. An IPS actively analyzes the network and takes automated actions on all traffic flows that enter the network. These actions may include dropping malicious packets, blocking traffic to a source address, or resetting a connection.

Why Intrusion Detection Systems are Ineffective for Linux Production Environments

Organizations are evolving and modernizing their production environments with technologies like cloud, microservices and containers, and are more often mixed with both cloud and on-premises infrastructure and applications. This creates a changing attack surface that conventional security solutions such as IDS simply cannot address.

Breaking It Down: How an IDS Works

An IDS operates on a controlled, consistent protocol to ensure that every security breach is handled efficiently with absolute precision. A general step-by-step procedure occurs as follows:

  1. An IDS deploys sensors that monitor designated key points throughout an IT network.
  2. Administrators develop detection content that they distribute throughout the IDS platform.
  3. An IDS captures small amounts of security-critical data and transmits it back to the administrator for analysis.
  4. When a cyber attack occurs, the IDS detects the attack in real-time.
  5. IDS administrators can address and disrupt cyber attacks as they occur.
  6. An administrator can then contain the attack and prevent any intrusion or damage to the network.
  7. Afterward, the IDS can perform an assessment of the attack to determine weaknesses in the network. The administrator can further evaluate what happened and create a strategy for preventing further attacks.
  8. The administrator works with the client to implement the strategy and further monitor and analyze the network.

When compared to other types of cyber protection tools, the IDS strategy of monitor-analyze-defend-analyze-adjust is ongoing. There is never a time when either the administrator or client feels as though they are immune from a cyber attack. An IDS and the team operating it always assumes that an attack is imminent and deploys measures for countering it.

Types of Intrusion Detection Systems

Host-Based IDS

Host Intrusion Detection Systems (HIDS) operate on individual desktop or remote devices within a network. HIDS probes incoming and outgoing packets of data straight to or from the device. This form of detection is ideal when a client wants to create a digital hedge around a single device.

Network-Based IDS

Network Intrusion Detection Systems (NIDS) monitor activity across strategic points over an entire network. All components within the network such as hardware, software, equipment, and platforms are monitored and analyzed.

Stack IDS

Stack intrusion detection systems monitor network packets in transit through the host's network stack (TCP/IP). Therefore, the stack intrusion detection system does not need to interact with the network interface in unrestricted mode.

Signature-Based IDS

Signature-based detection systems are most effective against threats that are already defined or identified. A signature-based IDS searches traffic for strings of malicious bytes or byte sequences. IDS signatures are easy to develop and apply once the administrator defines which behaviors are on the IDS radar.
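The following is an added example, not code from the page or from any IDS product. It shows the core operation a signature engine performs: searching each captured payload for known byte sequences and raising an alert per match. The `Signature` fields (`offset`, `depth`, `nocase`), the signature ids, and the sample events are all constructed for this example.

```python
"""Signature-based detection over captured payloads (added example).

Each signature is a byte pattern with optional constraints defined by this
example: `offset` (where in the payload to start searching), `depth` (how many
bytes from the offset to search) and `nocase` (case-insensitive match).
The signature ids and the sample events are constructed, not real captures.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Signature:
    sid: int                      # signature id, constructed for this example
    name: str                     # human-readable description used in the alert
    content: bytes                # byte sequence associated with a known attack
    offset: int = 0               # start searching at this byte offset
    depth: Optional[int] = None   # search only this many bytes from offset
    nocase: bool = False          # compare case-insensitively

    def matches(self, payload: bytes) -> bool:
        """Return True when `content` occurs inside the permitted window."""
        end = None if self.depth is None else self.offset + self.depth
        window = payload[self.offset:end]
        if self.nocase:
            return self.content.lower() in window.lower()
        return self.content in window


# Detection content an administrator would distribute to the sensors.
SIGNATURES = [
    Signature(1000001, "Directory traversal sequence in request", b"../../"),
    Signature(1000002, "SQL UNION SELECT in request", b"union select", nocase=True),
    # The method occupies the first bytes of an HTTP request, so restrict the
    # search window; the same bytes appearing later in the payload do not match.
    Signature(1000003, "HTTP TRACE method", b"TRACE ", offset=0, depth=6),
]

# Constructed (src, dst, payload) events standing in for sensor captures.
SAMPLE_EVENTS = [
    ("10.0.0.5", "10.0.0.10", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.6", "10.0.0.10", b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.7", "10.0.0.10", b"GET /search?q=1 UnIoN SeLeCt 1,2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.8", "10.0.0.10", b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.9", "10.0.0.10", b"POST /log HTTP/1.1\r\nX-Note: TRACE is disabled\r\n\r\n"),
]


def scan(events: Iterable[tuple], signatures: Iterable[Signature]) -> list:
    """Run every signature against every event; return one alert per match."""
    alerts = []
    for src, dst, payload in events:
        for sig in signatures:
            if sig.matches(payload):
                alerts.append({"sid": sig.sid, "name": sig.name, "src": src, "dst": dst})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, SIGNATURES):
        print(f"[{alert['sid']}] {alert['name']}: {alert['src']} -> {alert['dst']}")
```

Three of the five constructed events produce alerts; the last one contains the `TRACE ` bytes only inside a header, outside the six-byte window, so the depth constraint keeps it from matching. Matching is purely byte-for-byte, which is why the text above says this approach only catches threats that have already been defined: anything not in the signature set passes silently.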

Anomaly-Based IDS

Anomaly detection is a centralized technique that works on the concept of a baseline for network behavior. This baseline is a description of accepted network behavior, which is learned or specified by the network administrators.
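As an added example (not the page's or any vendor's code), the block below learns a baseline from a training window and flags observations that deviate from it. The baseline is the mean and standard deviation of a per-minute connection count, and a live value is flagged when it exceeds the mean by more than `k` standard deviations. The counts and the threshold values are constructed for the example; it also shows how the choice of `k` trades sensitivity against false alarms, which the "False Positives & Negatives" section below discusses.

```python
"""Anomaly-based detection against a learned baseline (added example).

The baseline is the mean (mu) and sample standard deviation (sigma) of a
per-minute connection count learned from a training window. A live value is
anomalous when its z-score exceeds k. All numbers below are constructed.
"""
import math
from dataclasses import dataclass
from statistics import mean, stdev
from typing import Sequence


@dataclass(frozen=True)
class Baseline:
    mu: float      # learned mean of the metric
    sigma: float   # learned sample standard deviation of the metric

    @classmethod
    def learn(cls, observations: Sequence[float]) -> "Baseline":
        """Learn accepted behaviour from a training window (at least two samples)."""
        if len(observations) < 2:
            raise ValueError("need at least two observations to learn a baseline")
        return cls(mean(observations), stdev(observations))

    def zscore(self, value: float) -> float:
        """Distance from the baseline in standard deviations."""
        if self.sigma == 0.0:
            # A perfectly constant baseline makes any change infinitely unusual;
            # keep the sign so that only upward changes are flagged below.
            if value == self.mu:
                return 0.0
            return math.inf if value > self.mu else -math.inf
        return (value - self.mu) / self.sigma

    def is_anomalous(self, value: float, k: float) -> bool:
        """Flag only upward deviations: unusually high activity is the concern here."""
        return self.zscore(value) > k


# Constructed training window: connections per minute from one host on a quiet day.
TRAINING = [40, 42, 38, 45, 41, 39, 43, 44, 40, 42]

# Constructed live observations: a normal minute, a modest bump, and a clear surge.
LIVE = [43, 47, 120]


def detect(training: Sequence[float], live: Sequence[float], k: float) -> list:
    """Return one flag per live observation, using a baseline learned from training."""
    baseline = Baseline.learn(training)
    return [baseline.is_anomalous(v, k) for v in live]


if __name__ == "__main__":
    b = Baseline.learn(TRAINING)
    print(f"baseline mu={b.mu:.1f} sigma={b.sigma:.2f}")
    for k in (2.0, 3.0):
        print(f"k={k}: {detect(TRAINING, LIVE, k)}")
```

With the constructed data the learned mean is 41.4 and the standard deviation about 2.22. At `k=2` the modest bump to 47 is flagged along with the surge to 120; at `k=3` only the surge is flagged. Lowering `k` catches smaller deviations at the cost of more alerts on ordinary variation, which is the tuning problem every anomaly-based deployment faces.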

Fundamental Concerns of Intrusion Detection Systems

IDS Is Not a Standalone Security Solution

An IDS cannot provide 100% protection from cyber threats alone. Rather, it works in conjunction with a firewall, antivirus, and other security measures. Therefore, an administrator will need to integrate an IDS into a more comprehensive security strategy.

IDS is Not Scalable

Due to its performance limitations, IDS does not have the capability to handle additional infrastructure or corporate expansion. Latency issues are sure to arise as companies implement cloud-based infrastructure or hybrid environments that contain both on-premise and cloud platforms. As more companies make the digital transformation into the cloud, IDS will prove to become more inadequate for the task.

False Positives & Negatives

Due to its sensitive monitoring capabilities, an IDS may send a false alarm if the system suspects a security breach even when there is no indication of such activity. A more pressing issue, however, is that IDS appliances often fail to actually detect malicious activity due to the high volume of network traffic. Appliances that generate too many false positives and/or negatives create numerous challenges for resource-strapped administrators who rely on consistent data to mitigate security threats.

Experienced Administrators Required

Managing an IDS requires the knowledge and skill of experienced IT staff. Personnel who lack the training and knowledge needed to manage an IDS may have to work harder to manage the system. Inexperienced staff may also respond more slowly to an attack. Thus, they may not be able to provide adequate protection for the network.

Encrypted Packets

An IDS may not have the capability to monitor encrypted packets. This opens up a window for hackers to penetrate a network undetected. By the time the IDS detects the security breach, the hacker may have compromised the network or accessed sensitive data.

Protocol-Based Attacks

An IDS can only analyze captured protocols. Therefore, it is susceptible to the same protocol-based attacks as a network host. Bugs and damaged files can crash the IDS.

Ongoing Updates

The client network is always vulnerable to new threats. These threats may go undetected if the administrator does not update the signature library and register the most recent cyber attacks.

Intrusion Detection vs. Intrusion Prevention

Not all intrusion detection systems take preventative measures to eliminate cyber attacks. Some systems act merely as informants (intrusion detection) while others are programmed to counter an attack (intrusion prevention). Both IDS and IPS systems utilize automation, help companies address compliance issues and allow administrators to enforce security policies within the network. However, an IPS adds the prevention step with limited additional resource requirements.

An IDS analyzes network traffic for signatures that match previously documented cyber attacks. An IPS also analyzes the packets but stops the packets from being delivered based on the nature of the attack. While both systems are integrated into the network infrastructure, an IDS monitors the system with little to no control over the outcome of an attack. Conversely, an IPS can have full control over the outcome of an attack.

Some systems offer both IDS and IPS functionality with added features such as firewalls in a single unit known as unified threat management (UTM). Regardless of whether a client chooses an IDS or IPS, however, neither system can operate with full autonomy. A client will still require an administrator to manage the system and make ongoing adjustments to network security.

The Future of IDS

Although IDS implementation still remains a best practice in production environments, its future is uncertain at best. New technology now offers automated solutions that both detect and respond to cyber attacks, making it more attractive to administrators of critical production infrastructure.

An organization that doesn’t have the personnel or resources to handle large-scale ongoing detection and analysis may turn elsewhere for automated network security solutions. If IDS is to survive, then developers must produce products that can detect cyber activity with greater precision while coming up with prevention and response measures that save companies time, effort, and money.

Are You Interested in Intrusion Detection for Cloud or Hybrid Infrastructure?

Capsule8 provides high-performance attack protection for Linux production environments – whether containerized, virtualized, or bare-metal. Our Protect platform liberates SecOps from managing a high volume of manual tasks, while being safe for even the busiest workloads, on the busiest networks.