In today’s rapidly evolving threat landscape, protecting your network is more crucial than ever, and deploying an Intrusion Detection System (IDS) is a powerful strategy to gain comprehensive visibility.
To illustrate, imagine your network as a club full of activity. A web application firewall (WAF) acts like a bouncer, monitoring entry, while the IDS serves as the surveillance system, capturing every interaction across your environment.
In this blog, we explore the strengths and limitations of IDS in various deployment scenarios, addressing common business use cases and traffic visibility challenges.
Where IDS Excels
While a WAF filters incoming HTTP requests at the edge according to its policies, an IDS offers deeper visibility. It inspects the actual requests and responses, detects web shells, and flags malicious connections between servers. It can also inspect DNS traffic and TLS certificates. Many compliance frameworks mandate this level of monitoring; PCI DSS Requirement 11, for example, calls for intrusion-detection or intrusion-prevention techniques at the perimeter of, and at critical points inside, the cardholder data environment.
Many threat detection programs focus on logs and neglect network traffic monitoring and analytics. Network traffic offers visibility that logs alone cannot provide, and it excels in the following use cases:
- Application attack detection
- Lateral movement detection
- Command and control communication detection
An IDS also offers agility when writing custom detections: you can write a rule that matches indicators at any layer, up to and including application-layer content (layer 7 of the OSI model) such as HTTP methods, URIs and request bodies, whereas logs only contain whatever fields each source chose to record, so a log-based rule is limited to those fields.
Overall, we advocate combining as many telemetry sources as possible, as broad visibility and cross-correlation give security teams the best opportunity to catch threats early.
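As an added example (not code from the original post or from Alert Logic's products), the following Python sketches a minimal layer-7 rule matcher in the spirit of an IDS content rule and runs it over a constructed HTTP request and the combined-format access-log line that same request would leave behind. The rule, the request and the log line are invented for illustration; `sid` 1000001 is simply a number in the customary local-rule range. The point it shows is that the rule's body condition can only be evaluated on the wire, because the access log never recorded the body.

```python
"""Added example (not Alert Logic's code): a minimal layer-7 signature matcher in the
spirit of an IDS content rule, run over a constructed HTTP request and over the
combined-format access-log line that same request would produce. The rule, the
request and the log line are all made up for illustration."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, uri, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body.decode("latin-1")}


@dataclass
class Rule:
    """Every non-None field is a case-insensitive regex that must match that part of the request."""
    sid: int
    msg: str
    method: Optional[str] = None
    uri: Optional[str] = None
    body: Optional[str] = None

    def fields(self) -> set:
        """The request fields this rule needs to see."""
        return {f for f in ("method", "uri", "body") if getattr(self, f) is not None}

    def matches(self, req: dict) -> bool:
        return all(re.search(getattr(self, f), req[f], re.I) for f in self.fields())


def evaluate(rules, raw: bytes) -> list:
    """Return the sids of all rules that fire on the raw request."""
    req = parse_http_request(raw)
    return [r.sid for r in rules if r.matches(req)]


# A combined-format access log records the request line (method, uri, version),
# status, size, referrer and user agent; the request body is never logged.
ACCESS_LOG_FIELDS = {"method", "uri"}


def decidable_from_access_log(rule: Rule) -> bool:
    """True if every field the rule inspects also appears in a standard access-log line."""
    return rule.fields() <= ACCESS_LOG_FIELDS


# Hypothetical web-shell style indicator: a POST to a .php path whose form body
# carries a "cmd" parameter. sid 1000001 sits in the usual local-rule range.
RULES = [
    Rule(sid=1000001, msg="Constructed: POST to .php with cmd= in body",
         method=r"^POST$", uri=r"\.php(\?|$)", body=r"(^|&)cmd="),
]

# Constructed requests and the access-log line the suspect one would leave behind.
SUSPECT_REQUEST = (
    b"POST /uploads/img.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n\r\n"
    b"cmd=id&dir=%2Ftmp"
)
BENIGN_REQUEST = b"GET /uploads/img.php?view=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ACCESS_LOG_LINE = ('203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] '
                   '"POST /uploads/img.php HTTP/1.1" 200 512 "-" "curl/8.4.0"')

if __name__ == "__main__":
    print("suspect request fires:", evaluate(RULES, SUSPECT_REQUEST))   # [1000001]
    print("benign request fires:", evaluate(RULES, BENIGN_REQUEST))     # []
    print("log line:", ACCESS_LOG_LINE)
    print("rule decidable from log alone:", decidable_from_access_log(RULES[0]))  # False
```

The same indicator expressed as a real IDS signature would use the engine's own HTTP keywords (method, URI and request-body buffers); the matcher above only makes explicit which buffers such a rule consumes, and why a collector that only has the access log cannot evaluate the body condition.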
Where Should an IDS Live?
An IDS can inspect any traffic that is mirrored or routed to it in the network where it is deployed, both north-south (packets exchanged with external entities) and east-west (internal host-to-host or cloud-to-cloud) traffic. The network perimeter is typically the primary focus, since every external attacker must cross it. We recommend monitoring the traffic of any network with externally facing resources using an IDS. However, a few common caveats need to be considered when following this guidance.
What to Expect from an IDS
Encrypted traffic
To enable an intrusion detection system to decrypt most traffic, our customers can upload their certificates and private keys to our platform. However, traffic protected by perfect forward secrecy (PFS) cannot be decrypted this way: with an ephemeral Diffie-Hellman key exchange (the DHE and ECDHE suites in TLS 1.2, and every TLS 1.3 session) the session keys are derived from values that are never sent on the wire, so possession of the server's private key does not unlock them. In cases where threat detection needs to be prioritized over data privacy, we recommend terminating the encrypted session at an intermediary, such as a load balancer or firewall, and re-encrypting the hop to the backend with a non-PFS configuration, in practice TLS 1.2 with a static RSA key-exchange suite (TLS_RSA_*), so that the IDS can decrypt and inspect that hop with the uploaded key. Be aware that this deliberately weakens the inner hop: anyone who captures it and later obtains the key can decrypt it retroactively, and TLS 1.3 has no non-PFS mode at all, so keep the non-PFS segment internal and the key tightly controlled.
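As an added example (not from the original post or Alert Logic's platform), this Python classifies negotiated cipher suites by whether a passive decryptor holding only the server's private key could recover the session, and lists the servers whose traffic would need re-termination in front of them. Suite names follow the IANA TLS registry; the session records are constructed in the shape of Zeek `ssl.log` fields and are not real captures.

```python
"""Added example (not Alert Logic's code): classify negotiated TLS cipher suites by
whether a passive IDS that holds only the server's private key could decrypt the
session. Suite names follow the IANA TLS registry; the session list is constructed
in the shape of Zeek ssl.log fields (orig_h, resp_h, version, cipher)."""

# Every TLS 1.3 suite uses ephemeral (EC)DHE; static RSA key exchange was removed.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}


def key_exchange(suite: str) -> str:
    """Return the key-exchange part of an IANA suite name, e.g. 'ECDHE_RSA' or 'RSA'."""
    if suite in TLS13_SUITES:
        return "TLS13_ECDHE"
    parts = suite.split("_")
    if parts[0] != "TLS" or "WITH" not in parts:
        raise ValueError(f"not an IANA TLS 1.2-style suite name: {suite}")
    return "_".join(parts[1:parts.index("WITH")])


def forward_secret(suite: str) -> bool:
    """True for suites whose session keys come from an ephemeral exchange."""
    kex = key_exchange(suite)
    return kex == "TLS13_ECDHE" or kex.startswith(("DHE", "ECDHE"))


def decryptable_with_server_key(suite: str) -> bool:
    """A passive decryptor can only recover the pre-master secret when the client
    RSA-encrypted it to the server's certificate key, i.e. the plain RSA key exchange.
    (RSA_PSK additionally needs the pre-shared key, so it is excluded here.)"""
    return key_exchange(suite) == "RSA"


# Constructed sessions: (client, server, version, negotiated cipher)
SESSIONS = [
    ("10.0.0.5", "192.0.2.10", "TLSv12", "TLS_RSA_WITH_AES_256_GCM_SHA384"),
    ("10.0.0.6", "192.0.2.10", "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("10.0.0.7", "192.0.2.11", "TLSv13", "TLS_AES_256_GCM_SHA384"),
    ("10.0.0.8", "192.0.2.12", "TLSv12", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"),
]


def triage(sessions) -> dict:
    """Split sessions into those the IDS could decrypt with an uploaded key and those it cannot."""
    out = {"decryptable": [], "pfs_blind": []}
    for sess in sessions:
        bucket = "decryptable" if decryptable_with_server_key(sess[3]) else "pfs_blind"
        out[bucket].append(sess)
    return out


def servers_needing_retermination(sessions) -> set:
    """Servers with at least one PFS session: to inspect them, terminate TLS in front of
    them and re-encrypt the inner hop as TLS 1.2 with a TLS_RSA_* suite (TLS 1.3 cannot)."""
    return {s[1] for s in triage(sessions)["pfs_blind"]}


if __name__ == "__main__":
    for s in SESSIONS:
        print(s[3], "forward_secret=%s decryptable=%s"
              % (forward_secret(s[3]), decryptable_with_server_key(s[3])))
    print("re-terminate in front of:", sorted(servers_needing_retermination(SESSIONS)))
```

Run it against the `cipher` column of your own TLS logs before assuming uploaded keys will give the IDS visibility; in most current deployments the answer is that almost nothing is decryptable without re-termination.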
WAF and IDS
When deploying both a WAF and an IDS, a common challenge arises: traffic blocked by the WAF may still trigger incidents on the IDS if the IDS sees it first. To avoid this, we recommend placing the IDS behind the WAF, so that blocked traffic is filtered out before it reaches the IDS and unnecessary noise is reduced. The WAF's own logs then remain the record of what was blocked.
NATs, load balancers, and firewalls
For HTTP traffic that passes through a device that rewrites or masks the source IP (a NAT gateway, load balancer or reverse proxy), we recommend configuring that device to append the original client address to the X-Forwarded-For header to aid in attribution. Because the header can also be set by the client, only the entries appended by your own devices should be trusted.
Data transfer costs
Cloud environments accrue various charges based on how and where data travels, for example between availability zones or regions. Where these charges apply, weigh the cost of running an IDS appliance in each cloud network against its expected throughput. If a dedicated appliance would cost more than the data transfer it avoids, you can always use cross-network protection to ship that traffic to an existing IDS in another network.
TCP multiplexing
Much of modern web traffic carries many HTTP requests over a single TCP connection, through HTTP/1.1 persistent connections and, more so, HTTP/2 streams multiplexed on one TLS session. This complicates the task of an IDS in identifying individual conversations, attributing messages, and forming a coherent threat narrative. Unfortunately, there isn't a straightforward solution to this challenge from an IDS perspective. However, we still recommend deploying an IDS in these environments to capture any detectable activity, and you can enhance your monitoring efforts by leveraging our Web Log Analytics suite.
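As an added example (not from the original post or Alert Logic's products), this Python shows the demultiplexing step that makes the problem concrete: HTTP/2 frames from two interleaved requests on one connection are split back into per-stream conversations by stream ID, which an IDS can only attempt after the TLS layer has been decrypted. The frame layout follows RFC 7540 section 4.1; the bytes are constructed, and plain text stands in for the HPACK-compressed header blocks.

```python
"""Added example (not Alert Logic's code): split HTTP/2 frames that share one TCP/TLS
connection back into per-stream conversations, the demultiplexing an IDS must do
(after decryption) before it can attribute a request to a single client action.
Frame layout follows RFC 7540 section 4.1; the bytes are constructed, with plain
text standing in for HPACK-compressed header blocks."""
import struct
from collections import defaultdict

CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x8: "WINDOW_UPDATE"}
END_STREAM, END_HEADERS = 0x1, 0x4


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 2^24-1 frame limit")
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in order.
    A trailing partial frame is left unparsed; a real IDS buffers until the
    next TCP segment completes it."""
    if data.startswith(CONNECTION_PREFACE):
        data = data[len(CONNECTION_PREFACE):]
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        if off + 9 + length > len(data):
            break
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length


def demultiplex(data: bytes) -> dict:
    """Group frames by stream id; each value is the ordered list of (type, flags, payload)."""
    streams = defaultdict(list)
    for ftype, flags, sid, payload in parse_frames(data):
        streams[sid].append((FRAME_TYPES.get(ftype, hex(ftype)), flags, payload))
    return dict(streams)


def request_body(streams: dict, stream_id: int) -> bytes:
    """Reassemble a stream's request body from its DATA frames."""
    return b"".join(p for t, _, p in streams.get(stream_id, []) if t == "DATA")


# Constructed client-to-server bytes: two requests interleaved on one connection.
# Stream 0 is connection-level control; odd ids are client-initiated streams.
CAPTURE = CONNECTION_PREFACE + b"".join([
    build_frame(0x4, 0, 0, b""),                                             # SETTINGS
    build_frame(0x1, END_HEADERS, 1, b"<hpack: POST /api/login>"),           # stream 1
    build_frame(0x1, END_HEADERS | END_STREAM, 3, b"<hpack: GET /app.js>"),  # stream 3
    build_frame(0x0, 0, 1, b"user=alice&"),                                  # stream 1 body
    build_frame(0x0, END_STREAM, 1, b"pass=secret"),                         # stream 1 body
])

if __name__ == "__main__":
    streams = demultiplex(CAPTURE)
    for sid, frames in sorted(streams.items()):
        print("stream", sid, [t for t, _, _ in frames])
    print("stream 1 body:", request_body(streams, 1))  # b'user=alice&pass=secret'
```

Note that a content rule written against "the request body" on this connection only makes sense per stream: matching against the raw TCP payload would see the two requests' bytes interleaved with frame headers, which is why per-flow reassembly alone is not enough here.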
Network SPAN
On-premises networks can configure a SPAN (port-mirroring) port to send traffic directly to the IDS. It's essential that the traffic remains completely unaltered: no additional encapsulation, TCP resets, or other modifications should be applied. Keep in mind that a SPAN port silently drops packets once the mirrored traffic exceeds its link rate; where full fidelity matters, a network TAP avoids that limit.
When to Consider Alternatives
There are certain areas within your network where an IDS may be less effective than other solutions, such as EDR or logging. Consider the costs and benefits of IDS for your specific environment, or contact Alert Logic for advice.
User workstations
With the rise of remote work, attributing traffic captured by IDS agents installed on individual workstations presents new challenges. Users alternate between being in the office, on a VPN, and on their home networks, making it difficult to consistently correlate IP addresses and construct a cohesive threat narrative. Additionally, if any of these IPs fall in networks that are out of scope, we risk missing visibility altogether.
Another issue is the traffic load: agents mirror network traffic to send it to the IDS, which can saturate the VPN link and degrade performance, hurting the user experience and overall network efficiency.
Container environments
In environments with containerized workloads, traffic is typically source-NATed at the host or the ingress as it leaves the container network, so it can be difficult to attribute it to the correct source and understand its place in the larger conversation. Because of this, we recommend configuring your containerized web servers, or the ingress in front of them, to record X-Forwarded-For headers for proper source attribution.
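Both the NAT, load balancer and firewall section and this container section rely on X-Forwarded-For for attribution, and both depend on reading it correctly. As an added example (not from the original post or Alert Logic's products), this Python recovers the originating client from an X-Forwarded-For chain the way an analyst correlating IDS or web-log events should: it walks the chain from the nearest hop outward and trusts only the entries appended by your own proxies, NAT gateways or ingress, since everything to the left of those was supplied by the client and can be forged. The trusted ranges and the sample records are constructed.

```python
"""Added example (not Alert Logic's code): recover the originating client address from
an X-Forwarded-For chain the way an analyst correlating IDS or web-log events should,
trusting only the hops appended by your own load balancers, NAT gateways or ingress
proxies. The trusted ranges and sample records are constructed."""
import ipaddress
from typing import Optional

# Constructed: the address ranges of every device in this environment that appends XFF.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.0.2.0/24")]


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # "unknown", hostnames or injected junk are never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(xff: str, peer: str) -> Optional[str]:
    """Return the address to attribute the request to.

    Walk the chain from the right (the hop nearest to us) to the left, skipping our own
    proxies. The first untrusted address was written by a trusted proxy as the peer it
    saw, so it is reliable (assuming every trusted proxy appends). Everything to its
    left arrived from the client and can be forged, so it is never used. If the TCP
    peer itself is untrusted the header is ignored, because nothing of ours wrote it."""
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None     # a trusted proxy wrote something that is not an IP: flag it
    return hops[0] if hops else peer   # chain entirely internal, or header missing


# Constructed web-log records as the IDS or log collector would see them:
# the TCP peer address plus the XFF header value (possibly empty).
EVENTS = [
    {"peer": "10.10.1.5",   "xff": "198.51.100.7",               "req": "GET /login"},
    {"peer": "10.10.1.5",   "xff": "203.0.113.77, 198.51.100.7", "req": "POST /login"},  # client forged the first entry
    {"peer": "10.10.1.5",   "xff": "198.51.100.7, 192.0.2.20",   "req": "GET /admin"},   # two of our own hops
    {"peer": "203.0.113.9", "xff": "10.10.1.1",                  "req": "GET /admin"},   # direct peer, forged XFF
    {"peer": "10.10.1.5",   "xff": "",                           "req": "GET /health"},  # proxy did not append
]


def attribute(events) -> list:
    """Pair each request with the client it should be attributed to (None = unattributable)."""
    return [(client_ip(e["xff"], e["peer"]), e["req"]) for e in events]


if __name__ == "__main__":
    for client, req in attribute(EVENTS):
        print(f"{client!s:>14}  {req}")
```

The fourth record is the case that matters most for an IDS: a host that connects to the server directly can put any value it likes in X-Forwarded-For, including an address from your own ranges, and naive "take the first entry" parsing would attribute the request to an internal proxy instead of to the real peer. For non-HTTP protocols, where no header exists, the equivalent is the PROXY protocol between the load balancer and the backend.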
Passive DR environments
We occasionally receive questions about using IDS in a disaster recovery (DR) environment. We believe IDS may not be the best choice for this use case, as it carries the risk of temporarily losing traffic. In an active-active setup, IDS can in principle function with minimal or no traffic loss during a DR event. But in an active-passive setup, there will be some delay while agents restart and reconfigure their traffic routes, which can cause temporary lapses in network monitoring.
Deploying an intrusion detection system is an essential step for businesses aiming to strengthen their network security and gain deep visibility into traffic across their environments. While an IDS brings many advantages, you need to understand its strengths and limitations in the network configurations described above. By positioning an IDS strategically, especially behind a WAF that filters out blocked traffic beforehand, businesses can maximize its benefits. Solid placement and configuration turn it into a powerful asset in your network security strategy.
Ready to learn more about how an intrusion detection system can benefit your organization? Schedule an Alert Logic meeting today.