The Essential Guide to Intrusion Detection and Prevention Systems

Updated: April 30, 2009

Businesses that want to protect their networks from external attacks have a number of powerful tools at their disposal. Firewalls , for example, do a very good job of filtering and, in many cases, analyzing data packets to ensure that potentially destructive data is caught before it can do any harm.

But most companies that are really serious about keeping troublemakers off of their networks also employ a technology that is specifically designed to target the presence of potential attackers: IDPS (Intrusion Detection and Prevention Systems).

IDPS technology, which is formulated to work in conjunction with a firewall — a network's first line of defense — is comprised of two basic forms:

  • IDS (Intrusion Detection System): An IDS analyzes incoming data traffic for suspicious types of activity. If it detects something peculiar, the IDS alerts the network administrator, who can then move to halt whatever event is taking place. In some cases IDS systems can also kick off automatic events in other systems on the network to protect it.
  • IPS (Intrusion Prevention System): An IPS is similar to an IDS, except that the product is designed to take immediate action — such as blocking a specific IP address or user — rather than simply issuing an alert. Some IPS products also use behavioral analysis to spot and stop potentially dangerous data. An IPS is often described as a "reactive" system, as opposed to an IDS, which is typically considered to be "passive."

Both IDS and IPS products come in various configurations, each designed to address a particular intrusion-protection need. Here are some of the leading types of products currently available:

  • Network Intrusion Detection and Prevention: This is the most common use of IDPS technology, designed to provide network-wide protection. While it would be ideal on a very large network to insert a single IDS or IPS at the gateway in order to scan all traffic, such a design approach raises the possibility of creating a bottleneck that would degrade overall network performance. Therefore, in order to efficiently monitor traffic to and from all network devices, it's not uncommon to place IDPS systems at various strategic points within the network.
  • Host Intrusion Detection and Prevention: Businesses add these systems to individual critical hosts or devices residing on the network. This type of IDPS monitors both inbound and outbound packets — but only through the device with which it is associated.
  • Signature-Based Intrusion and Prevention: This type of IDPS is useful for detecting viruses and other types of malware . The product compares all of the packets that flow through it with a database of known threats. Like anti-malware offerings, a signature-based IDPS is only as good as the information it uses, meaning that technology is vulnerable to "zero day" security events. On the other hand, a signature-based IDPS is a very reliable way of defending a network against known threats, which constitute the majority of network perils.
  • Anomaly-Based Intrusion and Prevention: One could describe this kind of IDPS as being naturally suspicious. That's because an anomaly-based IDPS is always looking for something out of the ordinary. The system continuously scrutinizes network traffic and compares it against an established baseline. Any detected deviations from "normal" performance in terms of bandwidth use, ports accessed or devices connected will cause the IDPS to issue an alert and take proactive steps to ensure the network's health. This type of firewall can be particularly effective in helping business cope with DDoS (distributed denial of service) attacks, when large numbers of computers are recruited to join together and bring down a Web site.

IDPS Vendors

Vendors offer IDPS solutions with a variety of different capabilities, allowing businesses to find the product that most closely matches their requirements. Major IDPS vendors include:

  • Enterasys Networks Inc.
  • Cisco Systems Inc.
  • IBM Internet Security Systems
  • Juniper Networks Inc.
  • Network Chemistry

Businesses can also take advantage of various free IDPS offerings, including:

  • SNORT
  • Bro
  • Prelude Hybrid IDS
  • OSSEC
Related Categories
Featured Research
  • Baselining Best Practices

    IT must ensure new applications are rolled out quickly, reliably, and without risk, while at the same time guaranteeing performance and availability. Read this VirtualWisdom white paper to find out how to achieve application-aligned infrastructure performance, and more. more

  • Next Generation End User Experience Management: APM

    In an era of new technologies and cloud-based application delivery models, your business success depends on your ability to ensure optimal application performance and quality user experiences at all times. This complimentary white paper from AppNeta will enlighten you to the new frontiers in end user experience management and much more. more

  • Video: Create an Integrated, Collaborative Microsoft Lync Environment

    Consider HP as your Microsoft Lync Solutions provider! more

  • Optimizing Application Delivery to the Network Edge

    Increasingly, the success of business is being tied to the network. The transformation of the network and IT can help organizations deliver and support highly available applications and services while reacting more quickly to changes in the business environment. In this complimentary white paper from IDC, learn how HP can help its customers and partners improve the overall application experience. more

  • Networking Routers Buyer's Guide for SMB & Enterprise

    This buyer's guide presents an overview of leading products on the market today and aims to improve research for companies needing to purchase or upgrade their equipment. more