Gartner's announcement that intrusion-detection systems (IDS) will soon be dead and intrusion-prevention systems (IPS) will replace them created quite a tumult in the security industry. In the SearchSecurity webcast IDS vs. IPS: Which is better? speaker Ed Yakabovicz, Information Security Officer for Bank One, offers some insight as to what the future holds for the technologies. Here, Ed answers questions submitted by users during the webcast. Ed is also available to answer your questions via SearchSecurity's Ask the Expert feature.
Some IPS and intrusion-prevention appliances are Layer 2 devices that are intelligent enough to learn and configure themselves. These devices do not require complicated set up and tuning. Will these types of devices compete with IDS and other types of IPS?
Although Layer 2 devices are excellent security tools, they are still only one device that must exist in layered security architecture. Once they are incorporated into the IPS methodology they will be even more valuable. Remember, one device can't do it all no matter what the sales folks say!
Can an IPS be defined as an IDS with a firewall fully integrated and the option of dynamic rules allocation?
This is almost the case. What is missing is the full integration across the network with inside and outside devices. Artificial Intelligence is also suppose to be better in IPS than other systems because it sees all network traffic, not just inbound.
If neither product is installed at my company, which one should I start with?
IDS is a great start because it's cheaper and more mature. There are drawbacks with IDS, but most can be overcome with training and monitoring.
Many IDS offer the option to reset or block further TCP connections by adding ACLs in the router or firewall. How is this operation different from IPS operation?
IPS will look at the system as a whole, not just the connection from the firewall to, say, a router. IPS will evaluate each packet at all points within the network, not just at one point. Think of IPS as having checkpoints at ALL your network devices, not just the router and firewall.
Are there any hardware differences between IDS and IPS as the functionality is mainly to be achieved by the right configurations?
Hardware is hardware as long as it can handle the network speed.
How will IP Version 6 affect IDS and IPS? Will it make IDS redundant or impair the benefits of IPS?
IP V.6 will enhance IPS by allowing more data and information in the IP packet.
In summary, which technology are you recommending – IDS or IPS?
IDS until IPS is in the next generation and the cost comes down. The industry as a whole must accept, advance and train on this new topic. It does no one any good unless we all know how it works and how to use the products.
For more information on this topic, visit these resources:
