Cutting down the noise

Villain or angel? Ryon Packer explains how your network intrusion detection system could become the latter.

Like most new technologies, network intrusion prevention is commonly very misunderstood - leading to an over heralding or vilification. Most of what leads to the confusion is the fact that so many different vendors are claiming to have a network intrusion prevention system. From denial-of-service vendors, to firewall vendors, to intrusion detection vendors - talk to a sales rep long enough and they will likely claim their product is really an intrusion prevention device.

As mainstream IT professionals have begun deploying network intrusion detection (NIDS), it has matured to automate tasks that previously required human intervention and analysis - requiring less time from the administrator and less expertise. But the basis of a NIDS is 'detection.' Like a metal detector in an airport, a NIDS doesn't stop network traffic; it highlights potential threats so that the security guards, like firewalls, can be more effective.

Detection or blocking

The logical progression is - if IDS can detect something bad, why can't the IDS just stop it, too?

An intrusion detection system operates in promiscuous mode where it is connected to the network with a 'T' connection. Like a stethoscope listening to your heart, the NIDS listens to all network traffic, but isn't in the flow of the traffic. The 'T' connection also allows the NIDS to monitor a network without introducing another point of failure.

To make a network intrusion detection system into a network intrusion prevention system (NIPS) requires a deployment change - from the promiscuous 'T' connection to an inline connection, like a firewall. Inline IDS create another point of failure in the network - if the NIDS fails that network span is broken and no traffic can pass. The benefit of an inline deployment is that the network IDS can block any kind of traffic from passing through the system.

Being a NIDS at heart, the intrusion prevention system uses pattern matching, protocol decoding and flow-based anomaly detection, and the newer systems will also use usage-based or application-based rules to identify traffic that is known to be malicious or suspicious. Network intrusion prevention adds two features to modern network intrusion detection systems: inline deployment and the additional feature of being able to block any kind of traffic that matches a signature.

Drowning out the good

Now, we need to look again at why people think intrusion prevention is better than intrusion detection. The most common complaint about IDS is that too many of the events are 'false positives' - said another way, the signal-to-noise ratio contains too much noise for the signal to be really meaningful.

The downside of too much noise in a NIDS is simply lessened usability and benefit, and increased management cost - a nuisance and challenge internal to the security group. The downside of noise in a NIPS is blocked legitimate traffic which results in upset users and disrupted business - a crisis for the enterprise as a whole.

Noise in a NIDS can be defined by a number of criteria. First, what is actually normal for my network is a qualitative decision made by the security professional, who will not choose to terminate the traffic but rather tune the system so he or she does not receive these events.

Second, an event that is incorrectly identifying an attack pattern or condition that in context does not indicate an attack, requires human analysis of the traffic to determine if it is an exploit or normal. If the traffic is a true false positive, it would be tuned or made inactive, and reported to the vendor for correction or more stringent identification.

Third, an event that is an actual exploit but targeted at a system that is not vulnerable provides the greatest improvement of signal to noise ratio. Examples include the volumetrically distracting Slammer, Nimda or Code Red worms that though patched in most enterprise networks, still roam the internet and create ambient noise.

With an intrusion prevention system you want to block the bad and allow the good. The problem arises when you block the good with the bad. Of the three definitions we outlined, what would you be willing to automatically block? The first generation of IPSs will be used to block the third - actual exploits against non-vulnerable systems, which is the only type of event that has a high level of accuracy and is unlike normal network behavior.

Enforcing security

What is the bottom line for this first generation of network intrusion preventions systems? A lot of more of what you bought your original intrusion detection system for. The much improved signal-to-noise ratio of an IPS-enabled IDS will provide all of the benefits of increased visibility that the IDS provided with a substantial decrease in the downsides that have plagued the technology.

Also, while security policies have many times been nothing more that a document to point at after an event has occurred, a network IPS allows an enterprise to enforce the network utilization aspects of the security policy. But, it is the enterprise that needs to make this implementation decision, not just the security professional.

Ryon Packer is vice president of Intrusion Inc. (

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.