What is the Advantage and Disadvantage of Perimeter Intrusion Detection System

Network Intrusion Detection System (NIDS)

A network intrusion detection system (NIDS) can be an integral part of an organization’s security, but they are just one aspect of many in a cohesive and safe system. They have many great applications, but there are also weaknesses that need to be considered. It is important to compare an NIDS against the alternatives, as well as to understand the best ways to implement them.

Link to Raycom

What Is an Intrusion Detection System?

Intrusion detection systems are a lot like fire alarms. Just as a fire alarm detects smoke, an intrusion detection system idenitifies incidents and potential threats. They are incredibly useful for raising awareness, but if you don’t hear the alarm or react appropriately, your house may burn down.

While a firewall is there to keep out malicious attacks, an IDS is there to detect whether someone or something is trying up to suspicious or nefarious activity. When it detects something, it notifies the system administrator.

An IDS is a visibility tool that sits off to the side of the network and monitors traffic. It consists of a management console and sensors. When the sensors encounter something that matches up to a previously detected attack signature, they report the activity to the console. An IDS can notify security personnel of infections, spyware or key loggers, as well as accidental information leakage, security policy violations, unauthorized clients and servers, and even configuration errors.

Download Rapid7's Annual Vulnerability Intelligence Report ▶︎

Intrusion Detection Systems vs. Intrusion Prevention Systems (IPS)

An IPS is similar to an IDS, except that they are able to block potential threats as well. They monitor, log and report activities, similarly to an IDS, but they are also capable of stopping threats without the system administrator getting involved. If an IPS is not tuned correctly, it can also deny legitimate traffic, so they are not suitable for all applications.

Network Intrusion Detection Systems vs. Host Intrusion Detection Systems (HIDS)

An NIDS and an HIDS are complementary systems that differ by the position of the sensors: network-based (monitoring the ethernet or WiFi) and host-based, respectively. Because of this, their uses and deployment are quite different.

Network-based sensors have a quicker response than host-based sensors and they are also easier to implement. An NIDS doesn’t need to alter the existing infrastructure and they monitor everything on a network segment, regardless of the target host’s operating system. As they do not need software loaded and managed at the different hosts in the network, they have a lower cost of setup and ownership.

An NIDS can detect attacks that an HIDS will miss because it looks at packet headers in real-time. In saying this, an HIDS will also be able to pick up some things that an NIDS will miss, such as unauthorized users making changes to the system files. An HIDS monitors event and audit logs, comparing new entries to attack signatures. This is resource intensive, so your organization will need to plan for the additional hardware required.

Another benefit of an NIDS is that they detect incidents in real-time, meaning that they can log evidence that an attacker may otherwise try to erase. While the real-time detection abilities of an NIDS allow for quicker responses, they also turn up more false positives than an HIDS. Hybrid NIDS and HIDS solutions that combine aspects of both systems are also available and can be useful in different scenarios.

Pros of Network Intrusion Detection Systems:

They Can Be Tuned to Specific Content in Network Packets

Firewalls may be able to show you the ports and IP addresses that are used between two hosts, but in addition a NIDS can be tuned to show you the specific content within the packets. This can be used to for uncovering intrusions such as exploitation attacks or compromised endpoint devices that are part of a botnet.

They Can Look at Data in the Context of the Protocol

When an NIDS performs protocol analysis, it looks at the TCP and UDP payloads. The sensors can detect suspicious activity because they know how the protocols should be functioning.

They Can Qualify and Quantify Attacks

An IDS analyzes the amount and types of attacks. This information can be used to change your security systems or implement new controls that are more effective. It can also be analyzed to identify bugs or network device configuration problems. The metrics can then be used for future risk assessments.

They Make It Easier to Keep Up With Regulation

Because an IDS gives you greater visibility across your network, they make it easier to meet security regulations. You can also use your IDS logs as part of the documentation to meet certain requirements.

They Can Boost Efficiency

Because IDS sensors can detect network devices and hosts, they can inspect the data within the network packets and identify the services or operating systems that are being utilized. This saves a lot of time when compared to doing it manually. An IDS can also automate hardware inventories, further reducing labor. These improved efficiencies can help to reduce an organization’s staff costs and offset the cost of implementing the IDS.

Cons of Network Intrusion Detection Systems:

They Will Not Prevent Incidents By Themselves

An IDS does not block or prevent attacks, they merely help to uncover them. Because of this, an IDS needs to be part of a comprehensive plan that includes other security measures and staff who know how to react appropriately.

An Experienced Engineer Is Needed to Administer Them

An IDS is immensely helpful for monitoring the network, but their usefulness all depends on what you do with the information that they give you. Because detection tools don’t block or resolve potential issues, they are ineffective at adding a layer of security unless you have the right personnel and policy to administer them and act on any threats.

They Do Not Process Encrypted Packets

An IDS cannot see into encrypted packets, so intruders can use them to slip into the network. An IDS will not register these intrusions until they are deeper into the network, which leaves your systems vulnerable until the intrusion is discovered. This is a huge concern as encryption is becoming more prevalent to keep our data secure.

IP Packets Can Still Be Faked

The information from an IP packet is read by an IDS, but the network address can still be spoofed. If an attacker is using a fake address, it makes the threat more difficult to detect and assess.

False Positives Are Frequent

One significant issue with an IDS is that they regularly alert you to false positives. In many cases false positives are more frequent than actual threats. An IDS can be tuned to reduce the number of false positives, however your engineers will still have to spend time responding to them. If they don’t take care to monitor the false positives, real attacks can slip through or be ignored.

They Are Susceptible to Protocol Based Attacks

An NIDS analyzes protocols as they are captured, which means that they face the same protocol based attacks as network hosts. An NIDS can be crashed by protocol analyzer bugs and also invalid data.

The Signature Library Needs to Be Continually Updated to Detect the Latest Threats

An IDS is only as good as its signature library. If it isn’t updated frequently, it won’t register the latest attacks and it can’t alert you about them. Another issue is that your systems are vulnerable until a new threat has been added to the signature library, so the latest attacks will always be a big concern.

In the last couple of years, the use of buried sensor for perimeter intrusion detection system, becomes very popular due to the advantage of been a discreet or even an invisible detection system and avoiding the need to build an above-the-ground fence to protect the perimeter due to costs or environmental reasons.

Buried Perimeter Intrusion Detection Systems are used to protect (among others)

• Borders
• Oil & gas pipelines and facilities
• Military bases and other land facilities
• Airports and seaports
• Prisons
• Farms
• Airports

Underground Intrusion Detection Systems Advantages

• Invisible system, the intruders can’t see the underground intrusion detection system
• No need to build anything above ground level
• No need for line of sight as required by some security products such as radars, Microwave, IR and video systems.
• Quick and easy installation (in some cases especially SensoGuard’s Invisifence)
• Easy maintenance (in some cases especially SensoGuard’s Invisifence )

Three types of Buried Perimeter Intrusion Detection Systems

There are several systems based on different technologies for creating buried intrusion detection system.

• Seismic sensors system– seismic sensors are buried underground and by recognizing vibrations in ground, they detect and locate intrusions. In this article we focused on invisiFence by SensoGuard as the ultimate seismic sensors system.
• Leaky coax system –the buried leaky coax cable creates an electromagnetic volumetric detection field. The controllers monitor this field to detect and locate variation caused by intrusion.
• Fiber Optic system– central controller transmits pulses of signal and analyzes the reflections and disturbances to detect and locate intrusions.

We will focus on the following subjects when comparing the three: performance, installation requirements, limitations and costs.

Systems Topology Description

• SensoGuard Seismic Buried Perimeter System (InvisiFence) composed of seismic sensors strings connected to a local processing unit every 50m and a central hub unit every m.
• Fiber optic systems- composed of a central controller which can analyze a very long fiber optic cable (up to 80km).
• Leaky coax system- composed of leaky coax cables connected to a local controller every 400m (for single cable).

Buried Perimeter Intrusion Detection Systems Installation Considerations and Limitations

All buried systems require digging a trench for placing sensors/cable. However, limitations regarding installation environment and installation depth are different from one system to another.

1. Seismic Buried Perimeter System (SensoGuard’s InvisiFence)
   The trench depth is 30-50cm (precise depth is not an issue, can be anywhere between 30cm and 3m)
2. Fiber Optic system
   Installation depth accuracy is a critical (no more than 20cm)
   If installed deeper (30cm for example) the system performance will be greatly reduced.
   Shallow installation increases the possibility that cable will be exposed over time (due to environmental elements such as wind) or the detection performance will be poorer overtime if additional soil or vegetation will be added or grown above ca
3. Leaky Coax cable
   • Installation depth accuracy is critical. The system’s performance will be compromised if the cable is placed deeper than recommended (23cm for example). Shallow installation increases the possibility that cable will be exposed over time.
   • System cannot be placed near metal objects – such as metal fences or metal pipes.
   • Water / snow above the system will cause false alarms. The RF signal cannot bypass water/snow, resulting in poor system performance and false alarms in case of puddles or snow on the ground.

Maintenance after Installation

Among the 3 technologies, the fiber optic system is the most complex system to repair in case of fault. Fiber optic cable replacement is a very sensitive process and there is always the chance of additional mechanical damage during the repair.

Leaky coax systems are easier to repair than optic fiber systems but harder to repair compared to SensoGuard’s InvisiFence. Not always easy to find the faulty point and required to keep the installation requirement and drainage.

All of SensoGuard invisiFence components are replaceable easily and quickly.

Leaky coax systems require periodical calibration due to changing condition of soil above the system. The changing conditions will affect the system sensitivity and false alarm rate. In contrast, SensoGuard buried perimeter system doesn’t require periodic calibration after installation.

System Costs

For projects of several km – SensoGuard buried perimeter system and leaky coax are cheaper than fiber optic system.

For projects above dozens of km – fiber optic system is the cheapest option.

InvisiFence is cheaper for projects of less than 2km.

Performance & False Alarms

All three perimeter security systems: SensoGaurd’s Invisifence, the leaky coax system and fiber optic cable system are buried systems that detect above the ground movement. However, Invisifence does stand out as the most reliable one for three reasons. The first, the actual depth of Invisifence can be anywhere between 30cm-3m without any decrease in the system’s performance. That means that you can bury the system deeper or in case soil will be added (in desert, or after a storm), the system will continue to function without any problems.

In contrast, Leaky coax and fiber optics systems are very much affected by depth. If you bury them too close to the ground or deeper than advised, their performance will be greatly compromised. Secondly, InvisiFence is less affected by environmental changes. While Leaky Coax and fiber optic systems may set off false alarms in case of puddles or growing vegetation, InvisiFence seismic system will by far more reliable and will not set off false alarms in such cases.

Lastly, InvisiFence has smart adaptive deep-learning algorithm. By using the algorithm, the system constantly learns and adjusts to its environment. The system constantly sets a new signature of what is the “normal” state of things in order to detect intrusions and avoid false alarms. Based on environmental changes such as new road or vegetation, the normal state signature is always revised. InvisiFence is the only system which makes the needed adjustments to detect threats without the need of making any external changes.

Perimeter Intrusion Detection: Comparison between 3 Systems Seismic, Fiber Optic and Leaky Coax

Summary: Which Underground Perimeter Intrusion Detection System is preferred?

In one sentence, SensoGuard seismic InvisiFence Plus system is the best choice of the three technologies.

Let’s look at it with more details. Fiber optic systems are more expansive and less reliable than Leaky Coax or seismic systems. So the choice is really between Leaky Coax systems and InvisiFence Plus seismic system.

InvisiFence Plus is far more reliable in terms of threat detection and avoiding false alarms. It is also easier to install which makes it superior to Leaky Coax systems.

As for costs, for securing perimeter of several km, InvisiFence Plus is cheaper than both Leaky Coax systems and fiber optic systems. However, in perimeters of above 10km, Fiber optics systems are cheaper.

SensoGuard’s  InvisiFence Plus is the best cost effective underground perimeter intrusion detection system in the market today.

Relevant Products: