<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='http://windowsmvp.spaces.live.com/mmm2008-05-17_13.22/rsspretty.aspx?rssquery=en-US;http%3a%2f%2fwindowsmvp.spaces.live.com%2fcategory%2fSecurity%2ffeed.rss' version='1.0'?><rss version="2.0" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:msn="http://schemas.microsoft.com/msn/spaces/2005/rss" xmlns:live="http://schemas.microsoft.com/live/spaces/2006/rss" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:cf="http://www.microsoft.com/schemas/rss/core/2005" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Dennis Chung - Windows MVP: Security</title><description /><link>http://windowsmvp.spaces.live.com/?_c11_BlogPart_BlogPart=blogview&amp;_c=BlogPart&amp;partqs=catSecurity</link><language>en-US</language><pubDate>Thu, 24 Jul 2008 03:11:26 GMT</pubDate><lastBuildDate>Thu, 24 Jul 2008 03:11:26 GMT</lastBuildDate><generator>Microsoft Spaces v1.1</generator><docs>http://www.rssboard.org/rss-specification</docs><ttl>60</ttl><cf:parentRSS>http://windowsmvp.spaces.live.com/blog/feed.rss</cf:parentRSS><live:type>blogcategory</live:type><live:identity><live:id>-9216240295232456561</live:id><live:alias>windowsmvp</live:alias></live:identity><cf:listinfo><cf:group ns="http://schemas.microsoft.com/live/spaces/2006/rss" element="typelabel" label="Type" /><cf:group ns="http://schemas.microsoft.com/live/spaces/2006/rss" element="tag" label="Tag" /><cf:group element="category" label="Category" /><cf:sort element="pubDate" label="Date" data-type="date" default="true" /><cf:sort element="title" label="Title" data-type="string" /><cf:sort ns="http://purl.org/rss/1.0/modules/slash/" element="comments" label="Comments" data-type="number" /></cf:listinfo><item><title>IPSec makes IPS/NIDS redundant?</title><link>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!547.entry</link><description>&lt;p&gt;I was in a recent discussion with a customer to talk about &lt;a 
href="http://www.microsoft.com/nap"&gt;Network Access Protection&lt;/a&gt;. In the course of the discussion (after understanding what NAP has to offer and after an introduction to the &lt;a href="http://www.microsoft.com/sdisolation"&gt;Server Domain Isolation model&lt;/a&gt; with IPSec), I was asked this question about Intrusion Prevention Systems (IPS) and Network Intrusion Detection Systems (NIDS). &lt;blockquote&gt; &lt;p&gt;&lt;strong&gt;Does IPSec make IPS/NIDS redundant?&lt;/strong&gt;&lt;/blockquote&gt; &lt;p&gt;I will not go into what IPSec does, since it has been available for a rather long period. IPSec has existed since the Windows 2000 days. Many people think that its only use is for point-to-point, as in a VPN encryption technique. Well, that is right, but IPSec isn't just limited to that. It can do a lot more. &lt;p&gt;It can be used to authenticate machines in the domain, and to encrypt anything, on any port, from any source, to any destination, that the administrator wants. Anyway, I shan't teach you what IPSec does because there is a very good resource about it. Visit &lt;a href="http://www.microsoft.com/ipsec"&gt;http://www.microsoft.com/ipsec&lt;/a&gt; to learn about IPSec. &lt;p&gt;Back to the topic here: does IPSec make IPS/NIDS redundant? &lt;p&gt;As I am not a subject matter expert, I took it back to the Product Team, looking for an authoritative answer. William Dixon, technical co-author of the &lt;a href="http://www.microsoft.com/technet/security/guidance/architectureanddesign/ipsec/default.mspx"&gt;Server and Domain Isolation Guide&lt;/a&gt;, responded. He recommended reading Chapters 1 to 3 of the linked guide. 
&lt;p&gt;&lt;strong&gt;Definitions of IDS&lt;/strong&gt; &lt;blockquote&gt; &lt;p&gt;Here's the definition of IDS - &lt;a title="http://www.tech-faq.com/ids-intrusion-detection-system.shtml" href="http://www.tech-faq.com/ids-intrusion-detection-system.shtml"&gt;http://www.tech-faq.com/ids-intrusion-detection-system.shtml&lt;/a&gt; &lt;p&gt;In its definition, it says IDS is commonly divided into NIDS and HIDS, the former being Network and the latter being Host. &lt;p&gt;New generations of NIDS have the capability of doing NIPS. In contrast, the former detects, the latter prevents. In either situation, they all need the ability to pick up TCP traffic.&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;What essentially does IDS need to do its job?&lt;/strong&gt; &lt;blockquote&gt; &lt;p&gt;They all essentially monitor TCP traffic and then take the necessary actions accordingly. So, what an IDS needs is the ability to monitor TCP packets where it is placed. Here's where the value of the question being posed lies. &lt;p&gt;Since IPSec has the capability to scramble a TCP packet (in ESP), won't that prevent IDS/NIDS/NIPS (I'll call them IDS collectively from now on, excluding HIDS) from being able to decipher the TCP packets? &lt;p&gt;Essentially yes. If traffic is scrambled, IDS will have trouble deciphering the TCP packets it monitors; however, that does not make IDS redundant on the network. It depends on the situation, and it warrants a requirements study of the situation. You can email me for a discussion. ;-)&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;IPSec can scramble TCP Packets&lt;/strong&gt; &lt;blockquote&gt; &lt;p&gt;IPSec, in ESP, has the ability to scramble the TCP packets holding data and make them unreadable to anyone other than the intended party. And essentially, IDS is that anyone. However, in authentication mode, IDS can still play a part in doing what it is supposed to do, thereby making it not redundant. 
But if encryption is deployed, IDS cannot monitor such traffic.&lt;/blockquote&gt; &lt;p&gt;&lt;strong&gt;The other equations&lt;/strong&gt; &lt;blockquote&gt; &lt;p&gt;In finding the answer to whether IDS is redundant with the use of IPSec, the easy answer is No (it may not apply in all situations; the most diplomatic answer is &amp;quot;Depends&amp;quot; LOL). Well, where IPSec is used in ESP mode, IDS won't be able to do its job. &lt;p&gt;In most situations, IPSec encryption is not used on all network traffic. You won't be &amp;quot;IPSec-ing&amp;quot; everything. You will only use IPSec where needed. You can choose the type of traffic to apply IPSec to. It can be defined between hosts (e.g. between a certain server and client) and by type of traffic (e.g. HTTP, but not ICMP). A combination is also possible. &lt;p&gt;So in fact, if you have machines not joined to the domain, and machines or traffic where IPSec isn't used, IDS still plays an important part in ensuring the network is safe. &lt;p&gt;After applying IPSec to protect your critical assets and data on the network, does the protection of IDS still offer good, compelling value? If yes, you will still want to use IDS. However, if after applying IPSec you think IDS is not playing an important role in your quest for network security anymore, then I guess no, since you will probably be protecting your critical assets with IPSec encryption.&lt;/blockquote&gt; &lt;p&gt;Give it some thought, because there are certain cases where IDS does play a crucial role and can complement IPSec. Remember, the crucial objective is to make sure the network is secure and the hosts on it are protected, not what was used to do it. &lt;p&gt;Personally, the choice of platform/technology to use is, in my opinion, the one that offers the easiest form of management/deployment and provides the best form of protection for your objectives. 
&lt;p&gt;There is some more information which I think I will either post later on, or wait for someone to ping me for. (Psst, the fact is, I am sleepy and I've got to work tomorrow.. Yawn..) Till then again... see ya around. &lt;p&gt;Oh, do check out this web site about the Server and Domain Isolation model using IPSec. Essentially, you can make domain assets ignore non-domain machines totally. &lt;a href="http://www.microsoft.com/sdisolation"&gt;http://www.microsoft.com/sdisolation&lt;/a&gt; &lt;p&gt;Happy New Year &lt;p&gt;/Dennis</description><comments>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!547.entry#comment</comments><guid isPermaLink="true">http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!547.entry</guid><pubDate>Tue, 01 Jan 2008 14:51:39 GMT</pubDate><slash:comments>0</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://windowsmvp.spaces.live.com/blog/cns!80195647FE07388F!547/comments/feed.rss</wfw:commentRss><wfw:comment>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!547.entry#comment</wfw:comment><dcterms:modified>2008-01-01T14:51:39Z</dcterms:modified></item><item><title>... is Windows more secure?</title><link>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!536.entry</link><description>&lt;p&gt;Having managed Windows infrastructure for many years, I think the darkest years of Windows are probably over. 
Recalling the Blaster virus in 2002/2003 (I can't exactly remember which year), bringing Windows systems down in 60 seconds was horrific for the Windows administrator. That has since become history. &lt;p&gt;Over the years, Microsoft has taken numerous steps, and one of those that I recall was a stop to all developments in the pipeline. All developers in Microsoft had to go through training on writing secure code. &lt;p&gt;Security has since been a word everyone in Microsoft remembers and has to live with every day. I guess that is bearing fruit now. In all product designs, Microsoft has placed security as a top priority. &lt;p&gt;I came across a recent report from ZDNet saying &amp;quot;Apple Mac operating systems had more critical vulnerabilities reported in 2007 than Microsoft's operating systems, according to research.&amp;quot; &lt;p&gt;A figure in the report was interesting. Mac OS X had 234 highly critical vulnerabilities reported in 2007, as compared to just 23 for Vista and XP combined. You can read the report here: &lt;a title="http://news.zdnet.co.uk/security/0,1000000189,39291625,00.htm" href="http://news.zdnet.co.uk/security/0,1000000189,39291625,00.htm"&gt;http://news.zdnet.co.uk/security/0,1000000189,39291625,00.htm&lt;/a&gt; &lt;p&gt;So is Windows more secure than before? I would say yes, for sure. However, being in IT, we need to be constantly reminded that there is no such thing as 100% secure. Security in IT is not just about technology. IMHO, it combines technology, processes, policies and constant updates for the IT Pros. 
&lt;p&gt;/Dennis</description><comments>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!536.entry#comment</comments><guid isPermaLink="true">http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!536.entry</guid><pubDate>Thu, 20 Dec 2007 08:19:27 GMT</pubDate><slash:comments>2</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://windowsmvp.spaces.live.com/blog/cns!80195647FE07388F!536/comments/feed.rss</wfw:commentRss><wfw:comment>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!536.entry#comment</wfw:comment><dcterms:modified>2007-12-20T08:19:27Z</dcterms:modified></item><item><title>Microsoft Security Intelligence Report (Jan - Jun 07)</title><link>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!523.entry</link><description>&lt;p&gt;Microsoft has released a report. &lt;p&gt;It is based on data derived from several hundred million Windows users and some of the busiest online services on the Internet. &lt;p&gt;It provides an in-depth perspective on trends in software vulnerabilities. &lt;p&gt;If you're in a security-focused role in your organization, this is one of the best sources of information that you should read. It is also available in other languages. 
&lt;p&gt;&lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=4EDE2572-1D39-46EA-94C6-4851750A2CB0&amp;amp;displaylang=en"&gt;Grab the report here.&lt;/a&gt; &lt;p&gt;/Dennis     &lt;div&gt;&lt;a href="http://www.statcounter.com" target="_blank"&gt;&lt;img alt="StatCounter - Free Web Tracker and Counter" src="http://c28.statcounter.com/t.php?sc_project=2743791&amp;amp;resolution=1024&amp;amp;camefrom=&amp;amp;u=file:///C:/Users/i-dchung/AppData/Local/Temp/WindowsLiveWriter1286139640/E4C27A74A9D4/index.htm&amp;amp;t=&amp;amp;java=1&amp;amp;security=3da6c25f&amp;amp;sc_random=0.17502684918458705" border=0&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://c.services.spaces.live.com/CollectionWebService/c.gif?cid=-9216240295232456561&amp;page=RSS%3a+Microsoft+Security+Intelligence+Report+(Jan+-+Jun+07)&amp;referrer=" width="1px" height="1px" border="0" alt=""&gt;&lt;img style="position:absolute" alt="" width="0px" height="0px" src="http://c.live.com/c.gif?NC=31263&amp;amp;NA=1149&amp;amp;PI=73329&amp;amp;RF=&amp;amp;DI=3919&amp;amp;PS=85545&amp;amp;TP=windowsmvp.spaces.live.com&amp;amp;GT1=windowsmvp"&gt;</description><comments>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!523.entry#comment</comments><guid isPermaLink="true">http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!523.entry</guid><pubDate>Fri, 07 Dec 2007 04:05:28 GMT</pubDate><slash:comments>2</slash:comments><msn:type>blogentry</msn:type><live:type>blogentry</live:type><live:typelabel>Blog entry</live:typelabel><wfw:commentRss>http://windowsmvp.spaces.live.com/blog/cns!80195647FE07388F!523/comments/feed.rss</wfw:commentRss><wfw:comment>http://windowsmvp.spaces.live.com/Blog/cns!80195647FE07388F!523.entry#comment</wfw:comment><dcterms:modified>2007-12-07T04:05:28Z</dcterms:modified></item></channel></rss>