Educause Security Discussion mailing list archives

Re: Introduction and preliminary question re: use of IDS/IPS


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 26 Feb 2004 11:53:35 -0500

Jason Richardson wrote:

Hi, I discovered this list and the Unisog list yesterday and subscribed
immediately.  I am IT Security Manager at Northern Illinois Univ.  We
are a fairly large state university (approx. 25K undergrad + grad
schools) located west of Chicago.  I have searched the archives for
discussion re: the use of IDS and IPS on university campuses and found a
few posts but not much discussion so I decided to go ahead and post my
question.  My apologies if this has been discussed before under a thread
that I didn't see.  How prevalent is the use of IDS/IPS on campus
networks?  We have been using an IDS that hasn't really worked out for
us for the past two years and we are considering replacing it.  Our
network engineering staff has some concerns about the longevity of
IDS/IPS and whether such systems will even be in use 5 years from now.
My reading so far has led me to believe that while pure IDS is probably
on its way out, IPS is alive and well and will be for some time.  I was
hoping to get a general sense of whether such systems are being used to
secure campus networks.  To narrow the inquiry somewhat, I am referring
more to NIDS than HIDS but we are looking at HIDS also.

We're finishing up an RFP process to procure two IDP NIDS
devices for our Internet connections. I can't say any more
than that right now but obviously we have an interest in
them and I can't wait to get them installed.

We've been using Snort for the past couple years. While it
provided useful data on the activities on the network and
let us know where to concentrate our efforts, it was a
reactionary process rather than a preventive one. It was
rather discouraging to watch attacks happening that could
have easily been prevented had the device detecting those
attacks been able to drop the associated traffic.

IDP provides another tool in the arsenal to address some of
those attacks. While it will not be able to block all attacks
because of the difficulty in determining with certainty the
malicious intent of certain types of traffic (particularly
on a university internet connection), it will be able to
stop some of them. When not able to prevent an attack,
it will still provide the more traditional IDS reporting
capability along with some useful operational monitoring and
forensics capabilities.

IDS, IDP, NIDS, and HIDS are not plug and play technologies.
They require careful, tedious analysis of traffic and policies
and careful tuning. The more active they are, the more work
that needs to go into them and the more likely they are to
cause operational difficulties in complex environments. But
at least with IDP, the time invested will result in some
attacks being prevented rather than simply being reported.

Most of them have the ability to detect hundreds or thousands
of different potential attacks. The determination of many of
those attacks is often rather simplistic and tends to fire
often on an open network for the wrong reasons. I think an
IDP's primary value in a university internet environment
will be in rapid response to new threats and fairly focused
events. (I'll be looking for other universities using the
same IDP equipment we purchase to form a cooperative to
trade signatures and best practices.) Versatility and tuning
capability are key.

Closer to the protected resources, or in a more closed
environment, where traffic can be clearly defined and
limited, they can be used in a more all-encompassing manner.

NIDS/NIDP will be around by some name unless the majority
of applications all start using encryption over a common
port (think web services). Then they'll become mostly
useless unless the decryption barrier is in the network
rather than on each host. HIDS/HIDP might then become more
effective although one has to keep in mind the limitations
of having security software on the device one doesn't trust
to be secure in the first place. :)

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
