
E-Guide

IDS vs. IPS

When it comes to intrusion detection systems (IDS) and intrusion prevention systems (IPS) it’s not always easy for organizations to determine what functions each can be used for. This expert tip compares the features and capabilities of IDS and IPS technologies and highlights popular use cases for each system.

Sponsored By:

SearchSecurity.com E-Guide

IDS vs. IPS

Sponsored By: Page 2 of 8


Table of Contents

IDS vs. IPS: How to know when you need the technology

Resources from Sourcefire


IDS vs. IPS: How to know when you need the technology

By Jennifer Jabbusch, Contributor

For many organizations, one of the most difficult tasks when it comes to intrusion detection system (IDS) and intrusion prevention system (IPS) considerations is simply understanding at what point they need one and what functions they could be used for. With all the options on the market for firewalls, application firewalls, unified threat management (UTM) devices and anomaly detection and intrusion prevention, it's hard to pick apart the features and get a handle on which devices are the most appropriate for specific functions.

An organization may also be investigating whether it can replace an IDS with an IPS, or if it needs to implement and maintain both for full protection. There's often a fine line between layered security and misappropriated efforts. In this tip, which compares IDS vs. IPS, we'll cover what types of basic features and protections IDS or IPS systems offer, the difference between IDS and IPS in practical application and a few popular use cases for the technologies.

IDS vs. IPS comparison: Scope of protection

For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.

An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.

A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.

It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked in normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently identify dangerous payloads, even when an attacker may employ malformed or out-of-order packets to disguise an attack.

IDS vs. IPS: Differences between the two technologies

There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS system, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and lastly, situations where we want the visibility of detection logs, but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Similarly, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets, while an IDS only indicates that an attack may be in progress; additional action is needed on the part of administrators to actually prevent it from happening.

Let's look at a couple of problem scenarios and how IDS and IPS technologies can respond to them.

Addressing known vulnerabilities

Organizations with myriad applications and host types may find that a combination of predefined and custom rules will also provide a stop-gap to address shortcomings within an application or business process. If an enterprise has a system that can't be patched for a particular vulnerability without disrupting another host function, an IPS may be the next best thing, as an appropriate IPS rule set could serve as a point of protection against the known vulnerability before it reaches that server.
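The following Python sketch is an added illustration, not code from the guide or from any vendor product. It ties together three points made above: reassembled, content-level inspection that still matches a payload split across out-of-order packets (where a per-packet check misses it), the alert-only (IDS) versus alert-and-drop (IPS) verdict, and a custom stop-gap rule standing in for a patch on a host that can't be updated. The rule name, pattern and sample request are constructed placeholders, not real signatures.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# One constructed, Snort-style "stop-gap" rule for a hypothetical unpatched web
# application: flag a directory-traversal attempt in the request line.
# Rule name and pattern are placeholders, not a real vendor signature.
RULES = {
    "STOPGAP-TRAVERSAL (constructed)": re.compile(rb"GET /\S*\.\./\.\./"),
}

@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number
    payload: bytes

def match_rules(data: bytes) -> list[str]:
    """Return the names of every rule whose pattern occurs in the data."""
    return [name for name, pat in RULES.items() if pat.search(data)]

def inspect_per_packet(segments: list[Segment]) -> list[str]:
    """Shallow engine: each segment is matched on its own, in arrival order."""
    hits: list[str] = []
    for seg in segments:
        hits.extend(match_rules(seg.payload))
    return hits

def inspect_stream(segments: list[Segment]) -> list[str]:
    """Deep engine: reorder by sequence number, reassemble, then match."""
    ordered = sorted(segments, key=lambda s: s.seq)
    return match_rules(b"".join(s.payload for s in ordered))

def sensor_verdict(mode: str, segments: list[Segment]) -> tuple[list[str], str]:
    """An IDS alerts and forwards; an IPS alerts and drops. Both inspect the stream."""
    hits = inspect_stream(segments)
    if hits and mode == "ips":
        return hits, "drop"
    return hits, "forward"

# Constructed sample: the "../../" straddles a segment boundary and the two
# segments arrive out of order, so only the reassembled stream matches.
REQUEST = b"GET /static/../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n"
CUT = REQUEST.index(b"../") + 2          # split inside the first "../"
SAMPLE_SEGMENTS = [
    Segment(seq=CUT, payload=REQUEST[CUT:]),   # second half arrives first
    Segment(seq=0, payload=REQUEST[:CUT]),
]

if __name__ == "__main__":
    print("per-packet:", inspect_per_packet(SAMPLE_SEGMENTS))   # []
    print("stream    :", inspect_stream(SAMPLE_SEGMENTS))       # one hit
    for mode in ("ids", "ips"):
        print(mode, sensor_verdict(mode, SAMPLE_SEGMENTS))
```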

The ability of IDS and IPS to simulate the response of a host gives them the unique capability to catch, stop or alert on attacks that could have a negative effect on a protected server or compromise its data. These solutions can be used at gateways between networks (much like a firewall) or within the internal infrastructure positioned immediately in front of the protected resources. A gateway or outward-facing approach would be recommended when the intent is to protect a Web server or other Internet-accessible application or device from external attack, while internal use is best for protecting specific high-value assets, such as mission-critical application servers, from malware that finds its way onto trusted endpoints or even from insider attacks.

Correlation data

Popular IDS and IPS devices offer extremely comprehensive logging and data collection. Even without actionable alerts, the data gleaned from these devices and sensors throughout the network can be used for event correlation and network forensics in a post-attack scenario. If, for example, a series of key production servers were found to be compromised or even under visible attack, an organization with IDS and IPS in the environment would have a huge advantage when trying to pick apart the events that led to the compromise. This type of data is critical for analysis during and after attacks and can help an organization with both incident response and compliance audits.

Conclusion

Intrusion systems, like anything else, are put in place to serve a business purpose and meet an objective. These are just a few of the most common use cases for IDS and IPS, offered to provide a foundation for understanding whether this type of technology meets a need your organization has. If your environment hosts critical systems or confidential data, or falls under the purview of strict compliance regulations, then it's a great candidate for IDS, IPS or both. By reviewing the use cases above, you can determine whether your organization may benefit from the features of intrusion prevention.

About the author:

Jennifer Jabbusch is a network security engineer and consultant with Carolina Advanced Digital, Inc. Jennifer has more than 15 years' experience working in various areas of the technology industry. Most recently, Ms. Jabbusch has focused on specialized areas of infrastructure security, including Network Access Control, 802.1X and Wireless Security technologies.


Resources from Sourcefire

Secure Your Networks in 30 Minutes with Sourcefire's IPSx

Sourcefire Firepower Provides Unmatched Security Performance with Universal Security Architecture

Download a Free Copy of Sourcefire's eBook Intrusion Prevention Systems for Dummies

About Sourcefire

Sourcefire, Inc. (Nasdaq: FIRE), SNORT® creator and open source innovator, is a world leader in Enterprise Threat Management (ETM) solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks with its 3D Approach - Discover, Determine, Defend - to securing real networks. The Sourcefire 3D System is the first to unify IPS, NBA, NAC and Vulnerability Assessment technologies under the same management console. This ETM approach equips customers with an efficient and effective layered security defense - providing protection before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership - with more than 30 awards and accolades. For more information about Sourcefire, please visit our website.