IDS vs. IPS Explained
Layered security is the key to protecting any size network, and for most companies, that means deploying both intrusion detection systems (IDS) and intrusion prevention systems (IPS). When it comes to IPS and IDS, it’s not a question of which technology to add to your security infrastructure – both are required for maximum protection against malicious traffic. In fact, vendors are increasingly combining the two technologies into a single box.
At its most basic, an IDS is passive: it watches copies of packets delivered to a monitoring port (a switch SPAN port or a network tap), compares the traffic against its configured rules, and raises an alarm when something matches. Because it sees a copy, it cannot stop anything by itself, and an attack it alerts on has already reached its target. An IDS can detect several kinds of malicious traffic that a typical firewall, which filters on addresses and ports rather than content, lets through: network attacks against exposed services, data-driven attacks on applications, and malware such as viruses, Trojan horses, and worms. Host-based attacks such as unauthorized logins are the domain of host-based IDS (HIDS) agents, which read a system's own logs and files rather than the wire. Most IDS products combine several detection methods: signature-based detection (matching known-bad content), anomaly-based detection (flagging deviations from a learned baseline, which is what can catch novel attacks but also produces most of the false positives), and stateful protocol analysis (checking that a session follows the protocol's expected states and field values).
The IDS engine records the incidents that are logged by the IDS sensors in a database and generates the alerts it sends to the network administrator. Because IDS gives deep visibility into network activity, it can also be used to help pinpoint problems with an organization’s security policy, document existing threats, and discourage users from violating an organization’s security policy.
The primary complaint with IDS is the number of false positives the technology is prone to spitting out: some legitimate traffic is inevitably tagged as bad. The trick is tuning the device to maximize its accuracy in recognizing true threats while minimizing false positives, and every rule loosened to silence a false positive is a potential false negative, so the two have to be traded off deliberately rather than by simply disabling noisy rules. These devices should be re-tuned as new threats are discovered and as the network changes, since a new subnet, a new vulnerability scanner, or a new application can turn a quiet rule into a noisy one overnight. As the technology has matured in the last several years, it has gotten better at weeding out false positives. However, completely eliminating them while still maintaining strict controls is next to impossible, even for IPS, which some consider the next step in the evolution of IDS, and where a false positive is no longer just an unwanted alert but blocked legitimate traffic.
The IPS Advantage
At its most basic, an IPS has all the features of a good IDS, but can also stop malicious traffic from entering the enterprise. Unlike an IDS, an IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they are sent over the wire. It can stop an attack by terminating the network connection or user session that originated it, by blocking access to the target from the user account, IP address, or other attribute associated with the attacker, or by blocking all access to the targeted host, service, or application. Sitting inline also means the IPS is a point of failure and a source of latency: every packet waits for inspection, and the device must be configured to either fail open (pass traffic uninspected if it dies) or fail closed (cut the link), a choice that should be made explicitly for each segment.
In addition, an IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block an attack, for example by pushing a block rule for the offending source address. Some IPS products also claim to apply patches when they detect that a host has particular vulnerabilities. And some can strip the malicious content from traffic and forward the rest, for instance deleting an infected attachment from an email before delivering the message to the user.
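The detection methods and response actions described above, as an added example that is not from the original article or from any vendor's product: a toy engine in Python with two hypothetical Snort-style content signatures, a port-scan anomaly rule, an IDS mode that only records alerts, and an IPS mode that drops the flow and blocks its source. The addresses and flows are constructed for the example. The untuned run shows the false-positive problem from the tuning paragraph: an internal vulnerability scanner trips the scan rule and, in IPS mode, its later legitimate traffic is dropped too, while the tuned run exempts that host.

```python
"""Toy IDS/IPS engine over constructed flow records (added example, not a real product)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    payload: bytes  # first bytes of the application payload


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dport: int      # port the signature applies to
    pattern: bytes  # regex matched against the payload


# Hypothetical signatures written in the spirit of Snort/Suricata content rules.
SIGNATURES = (
    Signature(1001, "SQL injection probe", 80, rb"(?i)union\s+(all\s+)?select"),
    Signature(1002, "Directory traversal", 80, rb"\.\./\.\./"),
)


class Engine:
    """mode='ids' only alerts; mode='ips' also drops the flow and blocks its source."""

    def __init__(self, mode, scan_threshold=5, trusted_scanners=frozenset()):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.scan_threshold = scan_threshold            # distinct ports per source
        self.trusted_scanners = set(trusted_scanners)   # tuning: exempt from the scan rule
        self.ports_seen = defaultdict(set)
        self.blocked = set()
        self.alerts = []

    def inspect(self, flow):
        """Return 'pass', 'alert' (IDS mode) or 'drop' (IPS mode) for one flow."""
        # An IPS keeps dropping traffic from a source it has already blocked.
        if flow.src in self.blocked:
            return "drop"

        hits = []
        # Signature-based detection: known-bad content on the expected port.
        for sig in SIGNATURES:
            if sig.dport == flow.dport and re.search(sig.pattern, flow.payload):
                hits.append((sig.sid, sig.msg))

        # Anomaly-based detection: one source touching many ports looks like a scan.
        self.ports_seen[flow.src].add(flow.dport)
        if (len(self.ports_seen[flow.src]) >= self.scan_threshold
                and flow.src not in self.trusted_scanners):
            hits.append((9001, "Port scan"))

        if not hits:
            return "pass"
        for sid, msg in hits:
            self.alerts.append((sid, msg, flow.src, flow.dst, flow.dport))
        if self.mode == "ids":
            return "alert"           # passive: the traffic has already gone by
        self.blocked.add(flow.src)   # inline: drop this flow and block the source
        return "drop"


# Constructed sample traffic (not real captures). 10.0.0.5 is an internal vuln scanner.
ATTACKER, SCANNER, CLIENT, WEB = "203.0.113.7", "10.0.0.5", "192.0.2.10", "10.0.0.80"
TRAFFIC = [
    Flow(CLIENT, WEB, 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow(ATTACKER, WEB, 80, b"POST /search HTTP/1.1\r\n\r\nq=1 UNION SELECT password FROM users"),
    Flow(ATTACKER, WEB, 80, b"GET /login HTTP/1.1\r\n"),      # dropped in IPS mode: source is blocked
    *[Flow(SCANNER, WEB, p, b"") for p in (21, 22, 25, 80, 443)],  # scanner trips the scan rule
]


def run(mode, tuned=False):
    """Run the engine over TRAFFIC; returns (verdicts, engine)."""
    engine = Engine(mode, trusted_scanners={SCANNER} if tuned else frozenset())
    return [engine.inspect(f) for f in TRAFFIC], engine


if __name__ == "__main__":
    for mode, tuned in (("ids", False), ("ips", False), ("ips", True)):
        verdicts, engine = run(mode, tuned)
        print(mode, "tuned" if tuned else "untuned", verdicts, "blocked:", sorted(engine.blocked))
```

In IDS mode the engine produces two alerts and blocks nothing; in untuned IPS mode it blocks both the attacker and the scanner, so the scanner's last probe is dropped along with everything it sends afterwards. Adding the scanner to `trusted_scanners` is the tuning step: the real attack is still dropped, and the internal host is no longer cut off.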
Twice the Protection
Because IDS and IPS devices sit in different spots on the network, they can, and should, be used concurrently. An IPS installed at the perimeter stops known worms, viruses, and exploit traffic at the edge, and its anomaly-based rules may catch some novel (zero day) attacks for which no signature yet exists, though no amount of tuning guarantees that. An IDS installed inside the firewall monitors internal activity, guarding against the ever-present insider threat and against anything that got past the perimeter, and gives greater visibility into security events, past and present.
Choosing a product that offers both technologies can be the most cost-effective and efficient approach. “With one device that does IDS and IPS, you can enable IDS on part of the network and enable IPS on a different part. It’s almost a virtual device,” says Sanjay Beri, senior director of product management at Juniper Networks, a network infrastructure vendor based in Sunnyvale, Calif.
6 Comments
Can you help me with comparisons between IDS and IPS?
Would you consider Tripwire Enterprise to be an IDS solution or an IPS solution? I particularly think of TE as an IDS, but would like to know if it could be used as an IPS solution as well.
Assuming you have a security team as well as a network team, which is best suited to manage an IPS/IDS system?
Assuming you have both a security team and a network team, which is best suited to manage an IPS/IDS system?
@Ed : TE is essentially an IDS with very very very very basic IPS capabilities.
@John McDowell: the network team should place the devices on the best network segments considering the possibility of intrusions, but the security team should configure the devices considering the network team's instructions (for port scanning, packet scanning, port blocking, etc.).
Nice article, it just lacks some examples or stats, like CISCO, which makes some good IDS/IPSs, or Juniper, which is the current market leader.
Also, these kinds of systems can be implemented via a "buffer" router between the internet and the intranet using software for scanning and blocking possible attacks, or using software that runs on each computer on the network (but this dramatically reduces the performance of each computer, and once broken through it can be disabled).
Marketing people are actually more creative than engineers: suppose people ask you about some fancy-sounding names and acronyms; you answer honestly that you don't know what they are talking about, only to discover later that they were asking about things known since the Stone Age that were recently renamed for better sales figures.
...What is bad is that the people who ask such questions are recruiters who know nothing about technical things but have their Q/A papers, or potential customers who read smart magazines.
Why am I here, on this page? Because today a recruiter asked me what IDS vs. IPS is, and I did not qualify, even though I used to build more secure and intelligent systems than most modern ISPs have, back in 1991 when we had just started building the Internet as enthusiasts, unlike modern highly commercialized undergraduates.