I was in a recent discussion with a customer about Network Access Protection. During the discussion (after covering what NAP has to offer and an introduction to the Server and Domain Isolation model with IPSec), I was asked a question about Intrusion Prevention Systems (IPS) and Network Intrusion Detection Systems (NIDS).
Does IPSec make IPS/NIDS redundant?
I will not go into what IPSec does, since it has been available for a rather long time. IPSec has existed since the Windows 2000 days. Many people think that its only use is point-to-point, as a VPN encryption technique. That is right, but IPSec isn’t limited to that. It can do a lot more.
It can be used to authenticate machines in the domain and to encrypt anything, on any port, from any source, to any destination, that the administrator wants. Anyway, I shan’t teach you what IPSec does because there is a very good resource about it. Visit http://www.microsoft.com/ipsec to learn about IPSec.
Back to the topic here: does IPSec make IPS/NIDS redundant?
As I am not a subject matter expert, I took it back to the Product Team, looking for an authoritative answer. William Dixon, technical co-author of the Server and Domain Isolation Guide, responded. He recommended reading Chapters 1 to 3 of the linked guide.
Definitions of IDS
Here’s the definition of IDS – http://www.tech-faq.com/ids-intrusion-detection-system.shtml
In its definition, it says IDS is commonly divided into NIDS and HIDS, the former being Network and the latter being Host.
Newer generations of NIDS have NIPS capabilities. The contrast is that the former detects and the latter prevents. In either case, they all need the ability to pick up TCP traffic.
What does an IDS essentially need to do its job?
They all essentially monitor TCP traffic and then take the necessary action. So what an IDS needs is the ability to monitor TCP packets at the point where it is placed. This is where the question comes in.
Since IPSec has the capability to scramble a TCP packet (in ESP), won’t that prevent IDS/NIDS/NIPS (I’ll call them IDS collectively from now on, excluding HIDS) from being able to decipher the TCP packets?
Essentially, yes. If traffic is scrambled, IDS will have trouble deciphering the TCP packets it is meant to monitor. However, that does not make IDS redundant on the network. It depends on the situation, and it warrants a requirements study. You can email me for a discussion. 😉
IPSec can scramble TCP Packets
IPSec with ESP has the ability to scramble the TCP packets holding data and make them unreadable to anyone other than the intended party, and the IDS is essentially that “anyone”. However, in Authentication mode, IDS can still play a part in doing what it is supposed to do, so it is not redundant. But if encryption is deployed, IDS cannot monitor such traffic.
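The difference described above, as an added example that is not part of the original post or the linked guide: the function reads a raw IPv4 packet the way a passive sensor would and reports how far it can see. It assumes IPv4, transport mode and unfragmented packets; the sample packets, addresses and SPI values are constructed.

```python
import struct

TCP, ESP, AH = 6, 50, 51  # IANA-assigned IP protocol numbers

def nids_view(packet: bytes) -> dict:
    """Return what a passive sensor can read from one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, body = packet[9], packet[(packet[0] & 0x0F) * 4:]
    view = {"ipsec": None, "spi": None, "dst_port": None, "inspectable": False}
    if proto == AH and len(body) >= 12:
        # AH authenticates but does not encrypt: skip its header and keep parsing.
        # Byte 1 is the AH length in 32-bit words minus 2.
        view["ipsec"], view["spi"] = "AH", struct.unpack("!I", body[4:8])[0]
        proto, body = body[0], body[(body[1] + 2) * 4:]
    if proto == ESP and len(body) >= 8:
        # Only the SPI and sequence number are in the clear. The header does not
        # say whether the payload is encrypted (ESP with NULL encryption looks
        # the same), so the sensor has to treat everything after it as opaque.
        view["ipsec"], view["spi"] = "ESP", struct.unpack("!I", body[0:4])[0]
        return view
    if proto == TCP and len(body) >= 20:
        view["dst_port"] = struct.unpack("!H", body[2:4])[0]
        view["inspectable"] = True
    return view

# --- Constructed sample packets (not captured traffic) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte header, 10.0.0.5 -> 10.0.0.9, checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + payload

_TCP_SEG = struct.pack("!HHIIHHHH", 49152, 80, 1, 1, 0x5018, 8192, 0, 0) + b"GET / HTTP/1.1\r\n"
SAMPLES = {
    "no IPSec": _ipv4(TCP, _TCP_SEG),
    # AH header: next=TCP, len=4 (24 bytes incl. 12-byte ICV), SPI 0x1001, seq 1
    "AH": _ipv4(AH, struct.pack("!BBHII", TCP, 4, 0, 0x1001, 1) + bytes(12) + _TCP_SEG),
    # ESP header: SPI 0x2002, seq 1, then stand-in bytes for the ciphertext
    "ESP": _ipv4(ESP, struct.pack("!II", 0x2002, 1) + bytes(range(48))),
}

def report() -> dict:
    return {name: nids_view(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, view in report().items():
        print(f"{name:9} {view}")
```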
The other equations
So, is IDS redundant with the use of IPSec? The easy answer is no (this may not apply in all situations; the most diplomatic answer is "Depends" LOL). Where IPSec is used in ESP mode, IDS won’t be able to do its job.
In most situations, IPSec encryption is not used on all network traffic. You won’t be "IPSec-ing" everything. You will only use IPSec where needed. You can choose the type of traffic to apply IPSec to. It can be defined between hosts (e.g. between a certain server and client) and by type of traffic (e.g. HTTP, but not ICMP). A combination is also possible.
So in fact, if you have machines not joined to the domain, and machines or traffic where IPSec isn’t used, IDS still plays an important part in ensuring the network is safe.
After applying IPSec to protect your critical assets and data on the network, does the protection of IDS still offer compelling value? If yes, you will still want to use IDS. However, if after applying IPSec you think IDS no longer plays an important role in your quest for network security, then I guess no, since you will probably be protecting your critical assets with IPSec encryption.
Give it some thought, because there are certain cases where IDS does play a crucial role and can complement IPSec. Remember, the crucial objective is to make sure the network is secure and the hosts on it are protected, not which technology was used.
Personally, I think the platform/technology to choose is the one that offers the easiest management/deployment and provides the best protection for your objectives.
There is some more information which I think I will either post later on, or wait for someone to ping me about. (Psst, the fact is, I am sleepy and I have to work tomorrow.. Yawn..) Till then… see ya around.
Oh, do check out this web site about Server and Domain Isolation model using IPSec. Essentially, you can make domain assets ignore non-domain machines totally. http://www.microsoft.com/sdisolation
Happy New Year
/Dennis