How is IPS/IDS src/dst system different from NAT?

[OpenSource Ghost]

There are parts of Suricata IPS/IDS that inspect packet content and block malicious IP's. I can how both of those are useful, but another part of Suricata IPS/IDS is addition of 2 filters ("src,src,dst" & "dst,dst,src") to IPTables INPUT and FORWARD. Based on Suricata documention (or my poor understanding of it), those 2 rules simply match sources and destinations. Shouldn't NAT do that on its own without any need for IPS/IDS?

Am I correct to understand that mailicous IP blocking and source/destination parts of IDS/IPS can function without DPI? On my network, DPI detects 99% of content as "Unknown" and the other 1% as "SSL/TLS" because almost everything is encrypted via VPN. I am not sure if IDS/IPS is even useful such a situation.

 

[iroc409]

It's been a while since I've run any sort of IPS/IDS (or researched it), so some of my info might be out of date. Intrusion detection is totally separate of NAT. As you say, NAT is comparing origin and destination, translating to keep all the traffic together, and dropping traffic that doesn't match. Intrusion detection is looking for traffic patterns. As in, a very specific attack against a Microsoft IIS, or a browser attack that only works on Opera in Mint Linux, or an old Apache attack on an old version of RHEL.

Overall, IPS/IDS is useless for most home users--and as you note for what is now mostly encrypted traffic. At that point without MITM inspection all it can look at is the headers. IPS is tough even for corporate users if it's just an idle set of rules. IDS really shines when you have an active security team that knows the network intimately and can identify unusual traffic. There are of course lists out there for IDS like paid rulesets and community rules that you & I write, but they are only good for each specific instance. A really good ruleset that protects all your Windows machines at home doesn't do any good if you don't have any Windows machines, and may hinder legit traffic. That sort of thing.

IP blocking can be a component of IDS, but it's not exclusive to it--so it can be done without DPI. Depending on what you're using, you can block IPs through your firewall, or you can use DNS blocking, etc. I wouldn't do it unless you're using an actively managed list, but you can use IP blocking to block entire global regions (for example).