Intrusion Detection and Prevention Systems


The Risk

Whilst firewalls and anti-virus/anti-malware solutions have traditionally been the major parts of an organization’s security infrastructure, the fast pace at which new system vulnerabilities are found, and at which exploits for gaining unauthorized access to systems and networks are developed, necessitates the introduction of equally fast and proactive means of protecting valuable organizational resources.

Intrusion detection and prevention technologies prove to be an effective tool that allows organizations to be proactive enough to detect, prevent and respond to suspected or actual threats at network and system level.

Intrusion prevention and detection systems are not meant to replace any other security implementation on the organizational network, but to work with and complement them. A firewall’s main function is to allow or block types of traffic based on a preconfigured policy. It is not, however, able to recognize patterns of traffic which may form part of a formulated attack. This is the very function of an IDS/IPS, since it is set to “question” the validity of network traffic. An IDS/IPS intercepts traffic and inspects it for possible disguised attacks. Upon detection of such traffic, and based on its configuration, the IDS/IPS may react in different ways, e.g. log the suspected traffic but allow it to pass, alert the security administrators, block it, etc.

Key elements of an IDS/IPS’s effectiveness are the vulnerability signatures enforced and configured on it as part of its security policy, and its behavioral and protocol analysis capabilities. These are the elements which allow an IDS/IPS to analyze and recognize malicious traffic patterns and content. Thus, as new system vulnerabilities are discovered, relevant signatures need to be developed and enforced as part of the IDS/IPS’s policy if it is to protect the organization’s network from that specific vulnerability. In this respect, the effectiveness of an IDS/IPS solution lies in the features of the solution deployed, but even more so in the swiftness with which new vulnerability signatures are enforced on it.

There are two major types of IDS/IPS: those which function at the network level, and those which function at the server (host) level. Generally, both can be managed from the same IDS/IPS management system.

Network IDS/IPS sensors: A network IDS/IPS sensor (NIDS) is installed on critical network segments to detect malicious activity as traffic traverses these segments. Such malicious activity may be a SQL injection attack or service/system identification. Once malicious activity is detected or suspected, the NIDS, based on the configuration policy enforced, will take the appropriate remedial action and report the details of this activity to the IDS/IPS management system for further analysis by the security personnel.

Host IDS/IPS sensors: A host-based IDS/IPS (HIDS) is installed on a single server. Its purpose is not only to detect malicious activity that the server may be subjected to, but also to audit a number of administrative actions performed on the host server. As is the case with the NIDS, once such activity is detected or suspected, the HIDS, based on the configuration policy enforced, will take the appropriate remedial action and report the details of this activity to the IDS/IPS management system for further analysis by the security personnel.
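To make the signature-and-policy model described above concrete, here is a small added example (not Odyssey’s code or any product’s ruleset) of a signature-based inspection engine: each signature carries the response action the policy assigns to it (log, alert or block), the most severe action among matching signatures wins, and traffic that matches no signature passes untouched. The signatures, the URL-decoding step and the sample request lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: str   # regular expression applied to the normalized request line
    action: str    # policy-defined response: "log", "alert" or "block"


@dataclass
class Verdict:
    action: str = "pass"                           # "pass" when nothing matched
    matched: list = field(default_factory=list)    # sids of signatures that fired


# Ordering used when several signatures match the same traffic.
SEVERITY = {"pass": 0, "log": 1, "alert": 2, "block": 3}

# Constructed example policy; a real sensor ships thousands of vendor-maintained rules.
POLICY = [
    Signature(1001, "SQL injection: quoted tautology in parameter",
              r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", "block"),
    Signature(1002, "service identification: OPTIONS * probe",
              r"^OPTIONS\s+\*\s+HTTP/1\.[01]$", "alert"),
    Signature(1003, "access to administrative path (audit only)",
              r"^\w+\s+/admin/", "log"),
]


def inspect(request_line: str, policy=POLICY) -> Verdict:
    """Normalize the request line (URL-decode), then apply every signature."""
    normalized = unquote(request_line)
    verdict = Verdict()
    for sig in policy:
        if re.search(sig.pattern, normalized, re.IGNORECASE):
            verdict.matched.append(sig.sid)
            if SEVERITY[sig.action] > SEVERITY[verdict.action]:
                verdict.action = sig.action
    return verdict


# Constructed sample traffic, one HTTP request line each.
SAMPLE = [
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=42%27%20OR%20%271%27=%271 HTTP/1.1",
    "OPTIONS * HTTP/1.0",
    "POST /admin/users HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        v = inspect(line)
        print(f"{v.action:5} sids={v.matched} {line}")
```

Passing `POLICY` extended with a new `Signature` to `inspect` shows the point made above: a request that passed yesterday is only caught once the corresponding signature is enforced.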
 

Protecting your Organization

Designing and deploying an effective IDS/IPS solution is an extremely complex task for any organization. Odyssey has extensive experience and expertise in the implementation of IDS/IPS solutions at both network and host level, and has several complex deployments under its belt.  Drawing from our ever-growing expertise, developed through our ITHACA Labs® and Managed Security & Outsourcing Services division, we are uniquely poised to design and implement for you an effective IDS/IPS solution no matter how complex or dispersed your environment is.

Our host and network IDS/IPS solutions will protect you against known and unknown threats, eliminate vulnerabilities and prevent unwanted intrusions while integrating seamlessly with your existing infrastructure. Our approach to deploying an IDS/IPS solution begins with a detailed examination of your network design and of the services running on critical systems. Based on your input, we will then determine which business resources are critical, and will assess the vulnerabilities of these resources as well as your current security requirements and policies.

This assessment will lead us to a solution design depicting the network and host-based IDS/IPS sensors required to meet your needs. A critical part of the implementation phase of an IDS/IPS solution is the formulation and deployment of the IDS/IPS security policy, which is applied via the solution’s central management system. Because it is difficult to readily determine within an operational environment which traffic is legitimate and which may not be, experience, effort and diligence are required in applying and tweaking the policy on each sensor, so that it does not adversely affect operations by blocking legitimate traffic, while minimizing false positives. Going a step further, we will configure the solution to generate the alerts, logs and reports required to enable you to swiftly take remedial action and to produce the reports required by internal and external auditors.

Doing it right: Our IDS/IPS Solutions’ Key Features and Benefits

Our IDS/IPS solutions are largely characterized by the following key features and benefits:

Key Feature: Analyzes traffic traversing the network and systems for malicious activity and misuse, at all layers of communication
Benefit: Complements other security controls in place, such as firewalls

Key Feature: Custom security policy creation/updating and enforcement based on organizational needs
Benefit: Ability to create/update custom security policies to protect vulnerable systems and/or networks which cannot be patched

Key Feature: Ability to predefine different response actions for actual or suspected attacks based on their criticality and importance
Benefit: Real-time notification for important and/or critical attacks detected

Key Feature: Monitors traffic traversing the network for protocol and RFC violations
Benefit: Traffic not complying with protocol and RFC requirements is blocked

Key Feature: Identifies, prevents and audits suspicious activities on protected hosts
Benefit: Provides detailed information regarding users’/administrators’ suspicious actions for assessing the security posture of the protected host

Key Feature: Manages and monitors multiple intrusion prevention systems through a single centralized management system
Benefit: Consistent visibility and higher network and system auditability through security logs

Key Feature: Actionable views, event monitoring and reporting
Benefit: Enables swift threat remediation and continued compliance

Key Feature: Graphical user interface for real-time monitoring of the logs generated for suspected system/network and user events
Benefit: Provides information pertinent to the timely identification of networks/systems which may be under attack and of users who may not be in compliance with the organizational security access policy

 

Remaining Secure – Support tailored to your needs

We understand very well that, to remain effective, a security deployment requires constant monitoring, fine-tuning, updating and maintenance. These requirements may prove a burden your organization is not positioned to undertake. We have therefore structured our post-deployment services so that you may have the level of support you need to achieve maximum return on your investment, with the least worry.

Our suite of post-deployment services ranges from simple Maintenance and Support to full-fledged Managed Security & Outsourcing Services.

This solution comprises part of the “Design & Implement” phase of our Information Security Continuum (D&I).