Is IDS/IPS really worthwhile for personal computers?

I know that Intrusion Detection System(IDS) and Intrusion Prevention System(IPS) is worthwhile for a network. However, for a personal computer, is it really worthwhile? I am using TPF 6.0 now. I just turned on the IDS/IPS feature without any configuration so far (I am not sure if it worth the time to configure it ). Also, I found that many people consider the IDS/IPS feature as a factor when they are looking for a personal firewall. My question is, is IDS/IPS really so important for a personal computer?

 

Just an opinion but , protecting BEFORE it gets on is always a good thing . I would say IPS is best . Not sure but , that is my philosophy . As to the question of being needed . Use it if you have it . Why not ? Should not slow you down , depending on your machine . You may get differing opinions . Mine is only one . Hope that helps . Good luck in your quest

 

Yeah, I agree. But sometimes I just think that IDS/IPS is somewhat redundant for a personal computer. There are millions of computers in the world. I guess that hackers are more interested in those computers of a financial institute or a military base or whatever. The chance of a personal computer getting intruded is just so rare. In this sense, even a personal firewall is somewhat redundant, let alone an IDS/IPS. On the other hand, as pointed out by someone else, it is hard to configure an IDS/IPS properly for a lot of people. If it is hard, why bother to have it on a personal computer? Thus, a more fundamental question, what is really the protection an IDS/IPS can bring to us on a personal computer? I have this question in my mind for quite a while, but just could not find the answer.

 

Prevx is a basic IPS . You ask how they are protective . Prevx will detect zero day attacks . If you do not understand what that is , please read on . Those are trojans , worms , viruses that are , as of yet , unknown . Meaning AV and AT programs may not catch them .
Firewalls will not catch them MOST of the time , if ever . So , hope that helps you to figure things out . good luck in your quest .

 

Ther is an IDS build into KAV 5.0. It does tend to slow things down a bit when many connections are open, as with P2P software.

 

Hi,

IDS/HIDS/NIDS/HIDS are not necessary on a single computer.

A sandbox, an integrity protection or a firewall application are enough to complete the firewall.

If many computers are connected to the network (in a LAN configuration for instance), an IDS can be interesting to increase the line defense.
The target of a basic IDS is to detect any potential intrusion (there's so many false positive).

Some of them integrates a database (signature) of attacks (network ones...) in order to help the admin. to take the right decision.

IDS are also used by security specialists to audit the efficacy of a line defense (in corporate/enterprise environment) with scanners like Nessus which simulates real attacks (the last image represents a metho of usualsd attacks).

I hope you'll find an answer at your questions on the 2 next links:

*http://www.sans.org/resources/idfaq/

*http://www.secinf.net/intrusion_detection/FAQ_Network_Intrusion_Detection_Systems_.html

D: detection/H: host/I: intrusion/N: network/S: system


Regards

 

I've noticed that there seems to be false positives a lot. I'm using kerio 4.2 beta right now, which has a simple IDS based on Snort and it logs some intrusions when I've never seen any logged using other firewalls with IDS. Makes me think that they're mostly just false positives..

 

If you are accessing the Internet through a router (using NAT and/or its own firewall) then very little unsolicited traffic is going to come through so an IDS would be redundant. For a direct connection, it will come into play a lot more but I would suggest it has more of an "interest" factor since most personal firewalls will block such unsolicited traffic anyway. Knowing that you have received a TCP Reset or a Ping of Death may be interesting, but it rarely justifies any change in security setup and few ISP abuse desks will act on complaints about these - so the IDS has limited practical use but it does up the "feelgood" factor.

 

I tend to agree that the IDS/IPS is somewhat redundant and isn't really necessary. However, the chances of our ordinary personal computers getting hit with nasties may be greater than we think. See this article from the Denver Post:

http://www.denverpost.com/Stories/0,1413,36~33~2735094,00.html

I think their results may be overstated because they don't define what an "attack" is, but the article is still sobering.

 

I'm afraid I have to agree with you on that... I'm coming to the conclusion that an IDS isn't really necessary. It may be interesting for some people to see what's going on, but as you say, the firewall will block it anyway. After I get a firewall set up and configured, I find that I don't even pay much attention to the logs either.. if I'm confident that I'm protected.

 

Denver Post Honeypot....

I bet the SP1 machine in the Denver Post test did not have the windows firewall enabled. Even that minimalist firewall would have prevented the result of a machine becoming owned within less than an hour. All of the other boxes survived.

Denver is a great place. You can spend your weekends in the Rockies and your work week resting up for the next weekend. Anyone that lives there knows what I am saying.

 

I would agree that IDS is not for your average user, for instance, the PG2 is a formidable program once the lists have been properly set up with Block List Manager, however imagine a novice user's predicament when he/she finds out that Google refuses to work and so does many other ad sponsored sites. However for advanced users, IDS is necessary for peace of mind, one can then happily leave the system on whole day and be secure that snooping has been reduced to a minimum.

 

Hello everyone,

Thanks for the information and links. I finally did some 'research' on this question today, and found this interesting article.

http://www.sans.org/rr/whitepapers/detection/366.php

From the information given here and the article I read, here is my understanding on IDS and IPS now:

Intrusion Detection System is not really necessary for a personal computer. "Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions". It helps the network administrator/specialist to find potential danger and make decisions. For a personal computer, it's nice to know such intrusions, but its significance is limited.

However, an Intrusion Prevention System can add some security to a personal computer. It prevents intrusions by protecting system resources, stopping privilege escalation exploits, preventing buffer overflow exploits,and etc. Indeed, sandbox is an approach of IPS. As we know, applications like SSM, Prevx, ProcessGuard, and Tiny do add some security to the computer.

IDS detect the intrusion but just log it. IPS detect the intrusion and prevent it. It seems that IDS is more meaningful on a macro system (a network), and the IPS is more meaningful on a micro system (a personal computer).

Well, I am still a little bit confused about the line between IDS and IPS now. Will figure it out later.

 

Peer Guardian blocks all the IPs on its list so no malicious or other spyware can be implanted in your system.

 

There's one built into NAV 2005 also, along with Worm Blocking {a "mini-firewall"}; both of which are borrowed from NIS technology.

 

Well first of all it should be pointed out if you don't know it already that Tiny Personal Firewall is a network firewall (packet filter), full application sandbox and now you have mentioned it IDS with some IPS capability. Hence it can be misleading to compare selected features of Tiny Firewall to other network-filtering-centric consumer firewalls.

Second, I will next interpret IPS to mean 'active-network-traffic-only-IDS'.

For the vast majority of firewall which include an IDS that claims protective ability, an 'active action' to prevent an attack almost never occurs, the IDS is mainly passive. Here are two reasons for this:
1) Most (active) IDS systems are signature based. A signature may consist of multiple packets. If any of these are blocked by the firewall the signature does not match and the attack attempted will fail.
2) Some 'attacks' can not really be 'actively denied' just in how they occur (networking concepts). I don't have a good example here. A poor example I will give would be 'Denying incoming pings but 'allowing outgoing replies' as opposed to 'allowing incoming pings but 'denying outgoing replies'

Third, when term IPS is applied to include 'non-network-packet-specific' protection (like Prevx I believe) this often means anomaly based IPS protection mechanisms. Anomaly IPS schemes require an extended period of inital 'learning'. After this 'learning' has finished they can be quite effective. However, they are only effective if you use your computer in a very consistent manner and any malware does not replicate this behaviour. Anomaly based IPS systems are not very effective if your configuration changes constantly.

Fourth, Peerguardian is an application which simply blocks incoming/outgoing packets which match an IP in a blocklist (which by default includes all kinds of spyware companies, RIAA affiliates etc). ProcessGuard was originally made to simply protect specified applications from ~9 different termination attempts. Then it added 'features' that included detection of common keylogger techniques (global hooks etc).

Fifth, the difference between a sandbox and an IPS is quite different.
A typical application sandbox allows a user to specify by prompt or list what applications can run and what process calls they can make.
A typical IPS (whatever your definition of it) matches 'attacks' by signature or by alerting when a (large) anomaly has occured from previously 'learned' usage.

Sixth, most firewalls with some (active) network IDS capability built in nearly always give the IDS priority for all detected signatures over the firewall rules. This behaviour can make using an firewall with an inbuilt IDS quite a waste of time.
My favorite example is the 'Cyberkit-generated ping' snort signature (probably common in any non-snort based IDS as well).

This is classified as a 'low priority attack' in the snort database.

In most firewalls with an IDS, if you explicitly allow incoming pings yet your IDS is also running these type of machine generated (not always Cyberkit generated) pings will be denied.

Lastly, someone mentioned the 'false positives' in Kerio 4x (sorry I can't resist bashing them). The problems that the the poor people at whitehats.com have had to put up with provide yet another reason why I think an IDS should not be include in personal consumer firewalls. In Kerio 4x (and I suppose many other vendors do the same thing) there were at least 3 columns in the IDS log - signature, severity (high, low medium) and reference website (eg http://www.whitehats.com/info/IDS154). Although it wasn't (perhaps still isn't) spelled out that www.whitehats.com were not the source of the so-called attack.

Well you can guess what clueless users did when they saw 'Cyberkit-generated ping' and www.whitehats.com in their IDS log.
https://www.wilderssecurity.com/showthread.php?p=163726&post163726

Not only that but Kerio programmers then swapped the source ip and information source in subsequent versions. Hence, the home page of http://www.whitehats.com/ continues to have the same message concerning Kerio users to this very day.

 

Nice one, great explanation. So your would you say that it's ever worth using an IDS, Ghost?

 

I would say yes, there are benefits with regard to signature based IDS/IPS network systems in the corporate environment but none really for the home user. In a corporate environment a signature based IDS can be very useful in determining what is normal and what is not, without constant monitoring. With some software IDS systems like snort the ability to make your own signatures can be very important in detecting 0-day exploits once you have identified that they are occuring, but before any 'official' signature has been released. But with home consumer firewalls where the default setting is 'stealth' anyway, if you get my drift, an IDS is just there for pretty pictures and mostly for firewall vendors to advertise just how much their firewall is 'blocking'. (Even though without the (mostly passive) IDS your firewall would be doing that anyway).
With regard to firewall-IDS combinations a related question is where to put the (passive) IDS sensor - in an unfiltered network segment or filtered one. (The snort FAQ has a good discussion from the experts on this).

 

I forgot to mention that one of the products mentioned in that paper is leaning more towards DPI territory rather than the strict IPS definition.

You can think of (hardware) DPI as full SPI, packet-filtering and active signature IDS rolled into one cluster, in which it is really difficult to separate the device behaviour into these separate components. As opposed to most firewall-IDS software products, which are more of a linear (semi-active) IDS then-firewall-packet filter progression of packet checking.

 

I have a query. When you mentioned earlier about the self-learning capabilities of such IDS tools, how is the learning cycle implemented? What I mean is, do the IDS systems wait for a malicious attack before they can log that it actually is a malicious attack? If so, then IDS only really works after the initial form of attack has occured and only afterwards can it be of any deterrance. If not, then I'm still miffed as to how it bounces unknown strings of malicious code/packet flow.

p.s. Good luck with the Personal Firewall project.

 

Hi,

Well...it seems that Yahoo has found an answer to his question on Wilders' forum.
And it appears that we're all agree that an IDS is not necessary on a single computer (heavy for the system, false positive, hard to configure for classical users etc).

An advanced firewall (PortsLock, Injoy), or one which integrated a very basic IDS (BlackIce, Kerio...) or a firewall which considers potential attacks (Look'n Stop) is really enough.

Against some network attacks (like Syn Flood), we can hard TCP/IP parameters, manually or by using some tools (ZigStack, HardenIt): here's a thread about the subject:

https://www.wilderssecurity.com/showthread.php?t=61767

Regards

 

That's a good question. I'm guessing with something like Prevx, you continue 'learning mode' by continuing to see prompts for new behaviour. In this sense you could say that a anomoly-based, active IPS could include all of the sandbox capabilities but an application sandbox would not touch network behaviour whereas an IPS might. So perhaps I was completely wrong in my classification of IPS systems as completely different to application-sandboxes.

One thing should be brought up here. The way most protective software works, you could say that the packet could be allowed/the program process allowed to proceed in a sense, but the action is added to a inactive-queue while processing is done, and the software protection decides whether to pass the packet onto the kernel or interface. (Or allow the process call to proceed by passing it to the kernel). So, it's never a case of the action being stopped completely before any sequence of events leading up to the one in question (a malicious one) occurs. It just means it is halted while a decision is made. (I hope this makes some semblance of sense)

 

Yeah sure, it makes a load of sense. That's a theory that could possibly be the reality - it's pretty logical in this case that it could be put into a 'quarantine' queue, as such.

 

Great explanation, Ghost! It helps me a lot.

 

I think it's also useful to know just how IDS/IPS compliments a traditional firewall. Keep in mind that the terms "Intrusion Detection System", "Intrusion Prevention System", and "Firewall" are constantly changing and evolving themselves; so there are some increasing areas of overlap, yet nevertheless there was an initial purpose behind each.

The best way to view it, IMHO, is simply that traditional firewalls were layer-3 devices. They would protect you against pretty much everything up to that point; meaning that network attacks like malformed packets and SYN floods/sweeps were generally guarded against, as well as the firewall guarding against unsolicited/unwanted IP source, destination, and service port packets. But, here's the rub, what about those services and ports that you do want open? Say you really are running a web server and need to let inbound port 80 traffic in? If you have a firewall screening out everything but port 80 are you necessarily in great shape? Of course not. Port 80 traffic could include all sorts of application layer malicious attacks. That's where IDS/IPS really comes into play... guarding against application layer attacks. Sure, they have signatures and protocol-anomaly detection for most of the lower level stuff as well, but for most people that are screening all that junk out with a firewall, detection with an IDS/IPS isn't really that important.

So, is IDS/IPS important or useful at the individual host level? Well it depends upon what that host is doing. If that host has pretty much every inbound port/service disabled anyway... then, no, an IDS/IPS isn't going to be of much use. However, if your host is running a web server or an ftp server, or otherwise has some open services in a listening state, then having an IDS/IPS layer of protection might be useful. A host-based IDS/IPS system might catch application layer malicious packets taking advantage of vulnerabilities in one of your open services that a firewall otherwise wouldn't have caught.