E-Guide
IDS vs. IPS
When it comes to intrusion detection systems (IDS) and intrusion
prevention systems (IPS) it’s not always easy for organizations to
determine what functions each can be used for. This expert tip
compares the features and capabilities of IDS and IPS technologies
and highlights popular use cases for each system.
Sponsored By:
SearchSecurity.com E-Guide
Table of Contents
IDS vs. IPS: How to know when you need the technology
Resources from Sourcefire
IDS vs. IPS: How to know when you need the technology
By Jennifer Jabbusch, Contributor
For many organizations, one of the most difficult tasks when it comes to intrusion detection
system (IDS) and intrusion prevention system (IPS) considerations is simply understanding
at what point they need one and what functions they could be used for. With all the options
on the market for firewalls, application firewalls, unified threat management (UTM) devices
and anomaly detection and intrusion prevention, it's hard to pick apart the features and get
a handle on which devices are the most appropriate for specific functions.
An organization may also be investigating whether it can replace an IDS with an IPS, or if it
needs to implement and maintain both for full protection. There's often a fine line between
layered security and misappropriated efforts. In this tip, which compares IDS vs. IPS, we'll
cover what types of basic features and protections IDS or IPS systems offer, the difference
between IDS and IPS in practical application and a few popular use cases for the
technologies.
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance
that monitors for unauthorized or malicious network activity. Using preconfigured rule sets,
an IDS can inspect the configuration of endpoints to determine whether they may be
susceptible to attack (this is known as host-based IDS), and also can record activity across
a network and compare it to known attacks or attack patterns (this is called network-based
IDS). The technology, which has been around for many years, is sold commercially with
various bells and whistles, including superior signatures, but free, open source IDSes like
Snort and OSSEC are also popular.
An IPS, conversely, can not only detect bad packets caused by malicious code, botnets,
viruses and targeted attacks, but also can take action to prevent that network activity from
causing damage. Even if you feel your network isn't a worthy target, know that many
criminals use automated scans to probe the Internet and rattle every door knob so they can
catalogue vulnerabilities for later use. These attackers may be after specific sensitive data
or intellectual property, or they may be interested in whatever they can get their hands on,
such as employee information, financial records or customer data.
A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it
can cause damage. For example, let's say an attacker managed to slip a Trojan into your
network. The malicious code may have made it in, and may be sitting quietly, waiting. It's
benign in this state, but is a serious threat when activated. With the right intrusion
detection in place, when the attacker tries to activate the malicious code, an IDS or IPS
would identify the activity and spring into action, either to alert of or prevent the attack.
It's quite likely this type of attack would go completely unnoticed on a network using only a
traditional firewall that's monitoring basic connection states. It might also slip past an
anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference
between these technologies and intrusion detection and prevention is that IDS/IPS conducts
more in-depth packet inspection, analyzing not only where a packet came from and where
it's heading, but also its contents to determine if they would compromise a system. That
data is key in determining whether a packet's characteristics match what's considered
unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS
technologies can more intelligently identify dangerous payloads, even when an attacker
employs malformed or out-of-order packets to disguise an attack.
IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and
IPS are separate, sustainable technologies, or whether IDS is a withering technology that
should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the
former; there are specific use cases for an IDS system, such as when infosec pros need to
identify an attack or vulnerability but take no action on it. The most obvious use cases for
this type of detection are situations in which it is not desired to stop the attack (when
collecting data or watching a honeypot), in situations where security teams don't have the
authority to stop an attack (if it's not our network we're observing) and lastly, in situations
where we want the visibility of detection logs, but favor availability over security. A good
example of this would be a manufacturing organization that can't afford to sever
connections with key production partners. In this case, a business decision may be made to
sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is
best for organizations that want to detect and stop or prevent an attack, which should be
the majority of enterprises because of its ability to proactively protect critical assets, while
an IDS only indicates that an attack may be in progress; additional action is needed on the
part of administrators to actually prevent it from happening.
Let's look at a couple of problem scenarios and how IDS and IPS technologies can respond
to them.
Addressing known vulnerabilities
Organizations with myriad applications and host types may find that a combination of
predefined and custom rules will also provide a stop-gap to address shortcomings within an
application or business process. If an enterprise has a system that can't be patched for a
particular vulnerability without disrupting another host function, an IPS may be the next
best thing, as an appropriate IPS rule set could serve as a point of protection against the
known vulnerability before it reaches that server.
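The three behaviors described so far (an IDS that only alerts, an IPS that also drops, matching a signature even when its bytes are split across out-of-order segments, and a rule standing in for a "virtual patch" on a host that cannot be patched yet) are easiest to see side by side in a small simulation. The block below is an added illustration written for this guide; it is not code from the article, from Snort or from OSSEC. The rule name, the flow-key layout, the addresses and the payloads are all constructed.

```python
"""Toy signature sensor switchable between IDS (alert only) and inline IPS
(alert and drop), with per-flow reassembly so that a signature split across
out-of-order segments is still matched.

Added illustration for this guide; not code from the article, Snort or OSSEC.
The rule, flow-key layout, addresses and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """Minimal stand-in for a TCP segment: endpoints, sequence number, payload."""
    src: str
    dst: str
    dport: int
    seq: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    dport: int
    content: bytes   # byte pattern looked for in the reassembled stream


# Constructed rule standing in for a signature that covers a known but not yet
# patchable vulnerability in a service on port 8080 (the "virtual patch" case).
RULES: List[Rule] = [Rule("KNOWN-VULN-8080-EXPLOIT", 8080, b"EXPLOIT-PATTERN-XYZ")]

FlowKey = Tuple[str, str, int]


class Sensor:
    def __init__(self, inline: bool) -> None:
        self.inline = inline      # False: IDS on a tap; True: IPS in the traffic path
        self.alerts: List[str] = []
        self.streams: Dict[FlowKey, Dict[int, bytes]] = {}   # flow -> {seq: payload}

    def _reassembled(self, key: FlowKey) -> bytes:
        # Join held payloads in sequence order: the view the receiving host will
        # have, regardless of the order in which segments crossed the wire.
        buf = self.streams[key]
        return b"".join(buf[seq] for seq in sorted(buf))

    def _match(self, key: FlowKey) -> Optional[Rule]:
        data = self._reassembled(key)
        for rule in RULES:
            if rule.dport == key[2] and rule.content in data:
                return rule
        return None

    def process(self, seg: Segment) -> str:
        """Return the verdict for one segment: 'forward', 'alert-only' or 'drop'."""
        key: FlowKey = (seg.src, seg.dst, seg.dport)
        self.streams.setdefault(key, {})[seg.seq] = seg.payload
        rule = self._match(key)
        if rule is None:
            return "forward"
        self.alerts.append(f"{rule.name} {seg.src}->{seg.dst}:{seg.dport}")
        if not self.inline:
            return "alert-only"   # IDS: visibility only, the segment still reaches the host
        # IPS: the segment that completes the signature is dropped, so the host
        # never sees a complete exploit stream; a real inline sensor would
        # normally tear the whole flow down as well.
        del self.streams[key]
        return "drop"


def per_packet_hits(segments: List[Segment]) -> int:
    """Packet-at-a-time matching with no reassembly (what a naive filter sees)."""
    return sum(1 for s in segments for r in RULES
               if r.dport == s.dport and r.content in s.payload)


def constructed_traffic() -> List[Segment]:
    # One benign request, then an attack whose signature is split across two
    # segments that arrive out of order (the later half first).
    return [
        Segment("10.0.0.5", "10.0.0.20", 8080, 1, b"GET /status"),
        Segment("198.51.100.7", "10.0.0.20", 8080, 108, b"PATTERN-XYZ"),
        Segment("198.51.100.7", "10.0.0.20", 8080, 100, b"EXPLOIT-"),
    ]


def run(inline: bool) -> Tuple[List[str], List[str]]:
    """Feed the constructed traffic through one sensor; return (verdicts, alerts)."""
    sensor = Sensor(inline)
    verdicts = [sensor.process(seg) for seg in constructed_traffic()]
    return verdicts, sensor.alerts


if __name__ == "__main__":
    print("per-packet hits:", per_packet_hits(constructed_traffic()))  # 0: the split evades
    print("IDS:", run(inline=False))
    print("IPS:", run(inline=True))
```

Per-packet matching never fires, because neither half of the split payload contains the full pattern; the reassembling sensor fires on the segment that completes the stream. In IDS mode that is all that happens, and an administrator still has to act; in IPS mode the completing segment is dropped, which is why the same rule set serves as a stop-gap for an unpatched host only when the sensor sits in the traffic path rather than on a tap.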
The ability of IDS and IPS to simulate the response of a host gives them the unique capability
to catch, stop or alert on attacks that could have a negative effect on a protected server or
compromise its data. These solutions can be used at gateways between networks (much like
a firewall) or within the internal infrastructure positioned immediately in front of the
protected resources. A gateway or outward-facing approach would be recommended when
the intent is to protect a Web server or other Internet-accessible application or device from
external attack, while internal use is best for protecting specific high-value assets, such as
mission-critical application servers, from malware that finds its way onto trusted endpoints
or even from insider attacks.
Correlation data
Popular IDS and IPS devices offer extremely comprehensive logging and data collection.
Even without actionable alerts, the data gleaned from these devices and sensors throughout
the network can be used for event correlation and network forensics in a post-attack
scenario. If, for example, a series of key production servers were found to be compromised
or even under visible attack, an organization with IDS and IPS in the environment would
have a huge advantage when trying to pick apart the events that led to the compromise.
This type of data is critical for analysis during and after attacks and can help an organization
with both incident response and compliance audits.
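The correlation value described above comes from lining up alerts from sensors in different network segments into a single per-host timeline. The block below is an added illustration, not code from the guide or from any vendor console; the log format, sensor names, addresses, rule names and timestamps are constructed. It assumes the sensors' clocks are synchronized, which is the first thing to verify before trusting any cross-sensor ordering.

```python
"""Correlating alerts from several IDS/IPS sensors into a per-host timeline.

Added illustration, not code from the guide or from a vendor console.  The log
format, sensor names, addresses, rule names and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sensor output, one alert per line:
#   <timestamp> <sensor> <action> <rule> <src> -> <dst>
SAMPLE_ALERTS = """\
2011-03-02T09:14:07Z ids-dmz alert RECON-PORTSCAN 198.51.100.7 -> 10.0.0.20
2011-03-02T09:12:55Z ids-dmz alert RECON-PORTSCAN 198.51.100.7 -> 10.0.0.21
2011-03-02T09:20:31Z ips-core alert KNOWN-VULN-8080-EXPLOIT 198.51.100.7 -> 10.0.0.20
2011-03-02T09:20:31Z ips-core drop KNOWN-VULN-8080-EXPLOIT 198.51.100.7 -> 10.0.0.20
2011-03-02T09:41:02Z ids-core alert OUTBOUND-C2-BEACON 10.0.0.21 -> 203.0.113.9
"""

INTERNAL_PREFIX = "10."   # constructed internal address range


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sensor: str
    action: str
    rule: str
    src: str
    dst: str


def parse(lines: str) -> List[Alert]:
    """Parse the constructed format and return alerts in time order."""
    out: List[Alert] = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, sensor, action, rule, src, _arrow, dst = line.split()
        out.append(Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                         sensor, action, rule, src, dst))
    # Sorting across sensors only means something if their clocks agree.
    return sorted(out, key=lambda a: a.ts)


def timeline_by_host(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Index every alert under each internal host it touches, as source or destination."""
    per_host: Dict[str, List[Alert]] = defaultdict(list)
    for a in alerts:
        for host in (a.src, a.dst):
            if host.startswith(INTERNAL_PREFIX):
                per_host[host].append(a)
    return dict(per_host)


def triage(alerts: List[Alert]) -> Dict[str, str]:
    """Summarize each internal host's timeline into a one-line incident-response note."""
    verdicts: Dict[str, str] = {}
    for host, events in timeline_by_host(alerts).items():
        blocked = any(e.action == "drop" for e in events)
        beacon = any(e.rule.startswith("OUTBOUND-") and e.src == host for e in events)
        if beacon:
            # Outbound command-and-control after earlier alerts, with nothing blocked:
            # the host was likely compromised by a path the inline sensor did not see.
            verdicts[host] = "likely compromised: outbound C2 after earlier alerts"
        elif blocked:
            verdicts[host] = "attack attempt blocked inline"
        else:
            verdicts[host] = "reconnaissance only"
    return verdicts


if __name__ == "__main__":
    parsed = parse(SAMPLE_ALERTS)
    for host, events in sorted(timeline_by_host(parsed).items()):
        print(host)
        for e in events:
            print(f"  {e.ts.isoformat()} {e.sensor:9} {e.action:5} {e.rule} {e.src} -> {e.dst}")
    print(triage(parsed))
```

In the constructed data the host that was scanned and then exploited shows the inline drop, while the host that was only scanned later beacons out; the second timeline is the one worth the incident responder's attention, and it only becomes visible when the DMZ and core sensors' records are read together.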
Conclusion
Intrusion systems, like anything else, are put in place to serve a business purpose and meet
an objective. These are just a few of the most common use cases for IDS and IPS to
provide a foundation for understanding whether this type of technology meets a need your
organization has. If your environment hosts critical systems, confidential data or falls under
the purview of strict compliance regulations, then it's a great candidate for IDS, IPS or both.
By reviewing the use cases above, you can determine whether your organization may
benefit from the features of intrusion prevention.
About the author:
Jennifer Jabbusch is a network security engineer and consultant with Carolina Advanced
Digital, Inc. Jennifer has more than 15 years' experience working in various areas of the
technology industry. Most recently, Ms. Jabbusch has focused on specialized areas of
infrastructure security, including Network Access Control, 802.1X and Wireless Security
technologies.
Resources from Sourcefire
Secure Your Networks in 30 Minutes with Sourcefire's IPSx
Sourcefire Firepower Provides Unmatched Security Performance with Universal
Security Architecture
Download a Free Copy of Sourcefire's eBook Intrusion Prevention Systems for
Dummies
About Sourcefire
Sourcefire, Inc. (Nasdaq: FIRE), SNORT® creator and open source innovator, is a world
leader in Enterprise Threat Management (ETM) solutions. Sourcefire is transforming the way
Global 2000 organizations and government agencies manage and minimize network security
risks with its 3D Approach - Discover, Determine, Defend - to securing real networks. The
Sourcefire 3D System is the first to unify IPS, NBA, NAC and Vulnerability Assessment
technologies under the same management console. This ETM approach equips customers
with an efficient and effective layered security defense - providing protection before, during
and after an attack. Through the years, Sourcefire has been consistently recognized for its
innovation and industry leadership - with more than 30 awards and accolades. For more
information about Sourcefire, please visit our website.