There are numerous network security devices and tools intended to aid in computer network defense, and these tools are often relied upon to protect against increasingly sophisticated, stealthy, and damaging attacks. This will be an analysis of the features and benefits of various Intrusion Detection/Prevention Systems (IDPS) and other network traffic monitoring tools with regard to defending high-value targets against attacks from advanced persistent threats. The current generation of security devices has an exceedingly difficult time providing an absolute defense against such threats, and the situation is particularly grim for targeted, novel attacks.
Due to the multitude of tools and device categories available, it can be very difficult to identify the correct tool for the job at hand and to fully understand the seemingly infinite combinations of interactions that can occur within a network. To simplify this problem, the primary network sensor examined here will be the IDPS.
Intrusion Detection/Prevention System Categories
Technically, Intrusion Detection Systems and Intrusion Prevention Systems are different. However, they work via essentially the same mechanism and share similar goals. Both an IDS and an IPS monitor the network and try to identify malicious activity originating from or traveling within it; the IPS simply has the additional ability to automatically block such activity, because it usually sits inline with the traffic flow. There are four general types of IDPS, as defined by NIST:
I will focus on the Network-Based and Network Behavior Analysis types, due to my network security background. These IDPS types monitor the network or network segment they are connected to and analyze it for signs of possible incidents. An incident is defined as 'exploiting of a vulnerability to attack the confidentiality, integrity or availability of an information system' [cite sec man textbook later]. Specifically, this can include attacks involving malicious logic, DoS attacks, reconnaissance of the network, and data exfiltration (IDPS is also one of the few defenses against the troublesome 'insider threat').
Upon detecting an incident, the IDPS signals an alert. In the case of an inline IDPS, this can also mean dropping packets (acting like a firewall), throttling bandwidth usage (in the case of a suspected DoS attack), or sanitizing malicious content (often seen in host-based AV and mail filters). An alert raised when there is actually no security incident is known as a false positive. Because these systems are automated, they must be tuned to decrease false positives. It is often necessary to tolerate many false positives in order to avoid missing a real incident (such a miss is known as a false negative). This leads into a major shortcoming of IPSs: because an IPS operates inline with the network and drops malicious packets, a false positive means that...
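As an added illustration (not part of the original text), the following Python sketch models the sensor behaviour described above: a port-scan rule run in IDS mode (alert only) versus IPS mode (alert and drop), scored against constructed traffic to show how tuning the rule's threshold trades false positives for false negatives. The hosts, ports and labels are all constructed sample data.

```python
# Added example (not from the original text): a toy network sensor showing the
# IDS/IPS distinction (alert-only vs. drop) and the false-positive/false-negative
# trade-off when a reconnaissance (port-scan) rule is tuned; all data is constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Conn:
    src: str
    dport: int
    malicious: bool  # ground-truth label, used only for scoring the sensor

def scan_alerts(conns: List[Conn], threshold: int) -> Dict[str, int]:
    """Flag any source that contacts at least `threshold` distinct destination
    ports. Returns {src: distinct_port_count} for the flagged sources."""
    ports = defaultdict(set)
    for c in conns:
        ports[c.src].add(c.dport)
    return {src: len(p) for src, p in ports.items() if len(p) >= threshold}

def run_sensor(conns: List[Conn], threshold: int, inline: bool):
    """IDS mode (inline=False): forward everything and only raise alerts.
    IPS mode (inline=True): also drop flagged sources, so a false positive blocks traffic."""
    flagged = scan_alerts(conns, threshold)
    forwarded = [c for c in conns if not (inline and c.src in flagged)]
    return flagged, forwarded

def score(conns: List[Conn], threshold: int) -> Dict[str, int]:
    """Per-source true positives, false positives and false negatives."""
    flagged = scan_alerts(conns, threshold)
    truth = {c.src: c.malicious for c in conns}
    tp = sum(1 for s in flagged if truth[s])
    fp = sum(1 for s in flagged if not truth[s])
    fn = sum(1 for s, bad in truth.items() if bad and s not in flagged)
    return {"tp": tp, "fp": fp, "fn": fn}

# Constructed traffic: a scanner sweeping 12 ports, a monitoring host that
# legitimately polls 4 services, and two ordinary clients.
SAMPLE = (
    [Conn("10.0.0.66", p, True) for p in range(20, 32)]
    + [Conn("10.0.0.10", p, False) for p in (22, 80, 443, 3306)]
    + [Conn("10.0.0.20", 443, False), Conn("10.0.0.21", 80, False)]
)

if __name__ == "__main__":
    for thr in (3, 8):  # loose vs. tuned threshold
        print(f"threshold={thr}: {score(SAMPLE, thr)}")
    alerts, fwd = run_sensor(SAMPLE, 8, inline=True)
    print(f"IPS dropped {len(SAMPLE) - len(fwd)} connections from {list(alerts)}")
```

At the loose threshold the monitoring host is a false positive, which in IPS mode means its legitimate polling is dropped; at the tuned threshold only the scanner is flagged, while too high a threshold turns it into a false negative.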