Layered security is the key to protecting any size network, and for most companies, that means deploying both intrusion detection systems (IDS) and intrusion prevention systems (IPS). When it comes to IPS and IDS, it's not a question of which technology to add to your security infrastructure - both are required for maximum protection against malicious traffic. In fact, vendors are increasingly combining the two technologies into a single box.
At its most basic, an IDS device is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules, and setting off an alarm if it detects anything suspicious. An IDS can detect several types of malicious traffic that would slip by a typical firewall, including network attacks against services, data-driven attacks on applications, host-based attacks like unauthorized logins, and malware like viruses, Trojan horses, and worms. Most IDS products use several methods to detect threats, usually signature-based detection, anomaly-based detection, and stateful protocol analysis.
The IDS engine records the incidents that are logged by the IDS sensors in a database and generates the alerts it sends to the network administrator. Because IDS gives deep visibility into network activity, it can also be used to help pinpoint problems with an organization's security policy, document existing threats, and discourage users from violating an organization's security policy.
The primary complaint with IDS is the number of false positives the technology is prone to spitting out - some legitimate traffic is inevitable tagged as bad. The trick is tuning the device to maximize its accuracy in recognizing true threats while minimizing the number of false positives; these devices should be regularly tuned as new threats are discovered and the network structure is altered. As the technology has matured in the last several years, it has gotten better at weeding out false positives. However, completely eliminating them while still maintaining strict controls is next to impossible - even for IPS, which some consider the next step in the evolution of IDS.
At its most basic, an IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they're sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address, or other attribute associated with that attacker, or by blocking all access to the targeted host, service, or application.
In addition, an IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block an attack. Some IPS devices can even apply patches if the host has particular vulnerabilities. In addition, some IPS can remove the malicious contents of an attack to mitigate the packets, perhaps deleting an infected attachment from an email before forwarding the email to the user.
Because IDS and IPS devices sit in different spots on the network, they can - and should - be used concurrently. An IPS product installed at the perimeter of the network will help stop zero day attacks, such as worms and viruses, in their tracks - even the newest threats can be blocked with rigorous tuning. An IDS product installed inside the firewall will monitor internal activity, guarding against the ever-present insider threat, and lend greater visibility into security events, past and present.
Choosing a product that offers both technologies can be the most cost-effective and efficient approach. "With one device that does IDS and IPS, you can enable IDS on part of the network and enable IPS on a different part. It's almost a virtual device," says Sanjay Beri, senior director of product management at Juniper Networks, a network infrastructure vendor based in Sunnyvale, Calif.