Pub. 11 2016-2017 Issue 6

www.nebankers.org 18 Extraordinary Service for Extraordinary Members.

TECH TALK

Detecting Intrusion Detection

Ty Purcell, Security & Compliance Consultant, CoNetrix

Intrusion detection systems (IDS) have been around for more than 30 years, dating back to the Intrusion Detection Expert System (IDES) in the mid 1980s. Intrusion detection technology continued to evolve with the introduction of host-based, network-based, and network behavior analysis systems. Additionally, systems capable of blocking malicious traffic, Intrusion Prevention Systems (IPS), originated from IDS.

Intrusion Detection and Prevention Systems (IDPS) traditionally have been hosted on systems dedicated to the task of detecting and responding to malicious network traffic. Over the last several years, security appliances that fill multiple roles such as firewall, VPN, Internet filtering, antivirus, and IDPS have been placed on the market by multiple vendors. These devices, also known as Unified Threat Management (UTM) appliances, may not always provide true IDPS services, since the device may not have adequate system resources or may require additional licenses or hardware modules. This can leave a device owner believing they are protected by an IDPS when in fact they are not.

What Is Intrusion Detection & Prevention?

As with most things, multiple definitions can apply to what an IDPS is. Many firewalls and UTM devices provide stateful packet inspection and stateful protocol analysis, referred to by some as deep packet inspection. These technologies provide basic intrusion detection technology; however, the National Institute of Standards and Technology (NIST) provides a good explanation of the differences in publication 800-41, Guidelines on Firewalls and Firewall Policy: “Firewalls with both stateful packet inspection and stateful protocol analysis capabilities are not full-fledged intrusion detection and prevention systems (IDPS), which usually offer much more extensive attack detection and prevention capabilities. For example, IDPSs also use signature-based and/or anomaly-based analysis to detect additional problems within network traffic.” IDPS technologies examine the content (or payload) of each packet of network traffic to determine if it matches pre-determined rules of malicious behavior or if it does
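The distinction NIST draws above is easiest to see side by side. The following is an added illustration, not code from the article, CoNetrix, or NIST: a toy stateful filter that decides on headers and connection state only, next to a payload inspector that applies signature-based and anomaly-based analysis. The packets, the two signatures, and the size baseline are all constructed for the example; the signature IDs, the Packet class, and the z-score threshold are assumptions, not any vendor's rules. The point it demonstrates is that three of the packets are perfectly acceptable to the firewall and are caught only by inspecting the payload.

```python
"""Added example: header-only stateful filtering versus IDPS payload inspection.

Everything here (packets, signatures, baseline) is constructed for illustration.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    syn: bool = False  # True marks the packet that opens a flow


class StatefulFilter:
    """Stateful packet inspection: tracks flows by header, never reads payload."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.flows = set()

    def allow(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn:
            if pkt.dport in self.allowed_ports:
                self.flows.add(flow)  # remember the established flow
                return True
            return False
        return flow in self.flows  # only packets of a known flow pass


@dataclass
class Signature:
    sid: int          # hypothetical rule id, not from any real ruleset
    name: str
    pattern: re.Pattern


# Constructed signatures describing two well-known malicious request shapes.
SIGNATURES = [
    Signature(1000001, "path traversal sequence in request",
              re.compile(rb"\.\./\.\./")),
    Signature(1000002, "SQL tautology in request",
              re.compile(rb"'\s*or\s+'1'\s*=\s*'1", re.I)),
]


class PayloadInspector:
    """Signature-based plus anomaly-based analysis of the packet payload."""

    def __init__(self, signatures, baseline_sizes, z_limit=3.0):
        self.signatures = signatures
        # Baseline of normal payload sizes learned from benign traffic.
        self.mean = statistics.mean(baseline_sizes)
        self.stdev = statistics.pstdev(baseline_sizes)
        self.z_limit = z_limit

    def signature_hits(self, pkt):
        return [s for s in self.signatures if s.pattern.search(pkt.payload)]

    def is_anomalous(self, pkt):
        # Flag payloads far larger than the learned baseline.
        if self.stdev == 0:
            return len(pkt.payload) > self.mean
        return (len(pkt.payload) - self.mean) / self.stdev > self.z_limit


def inspect(packets, fw, ids):
    """Run each packet through the firewall first, then the IDPS."""
    results = []
    for pkt in packets:
        if not fw.allow(pkt):
            results.append("DROP_BY_FIREWALL")
            continue
        hits = ids.signature_hits(pkt)
        if hits:
            results.append(f"ALERT sid:{hits[0].sid} {hits[0].name}")
        elif ids.is_anomalous(pkt):
            results.append("ALERT anomalous payload size")
        else:
            results.append("PASS")
    return results


def demo():
    fw = StatefulFilter(allowed_ports={80})
    ids = PayloadInspector(SIGNATURES, baseline_sizes=[40, 45, 50, 55, 60])
    client, server = "10.0.0.5", "192.0.2.10"   # constructed addresses
    pkts = [
        Packet(client, server, 80, b"", syn=True),
        Packet(client, server, 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
        Packet(client, server, 80, b"GET /../../private.cfg HTTP/1.1\r\n\r\n"),
        Packet(client, server, 80, b"GET /login?user=a' OR '1'='1 HTTP/1.1\r\n\r\n"),
        Packet(client, server, 80, b"POST /upload HTTP/1.1\r\n\r\n" + b"A" * 400),
        Packet(client, server, 23, b"", syn=True),          # port not allowed
        Packet("10.0.0.9", server, 80, b"GET / HTTP/1.1\r\n\r\n"),  # no flow opened
    ]
    return inspect(pkts, fw, ids)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Packets three, four and five belong to an established flow on an allowed port, so the stateful filter passes all of them; only the payload inspector raises the two signature alerts and the size anomaly. A UTM device whose IDPS module is unlicensed or starved of resources behaves like the first class alone, which is the gap the article warns about.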
