For many organizations, one of the most difficult tasks when it comes to intrusion detection system (IDS) and intrusion prevention system (IPS) considerations is simply understanding at what point they need one and what functions they could be used for. With all the options on the market for firewalls, application firewalls, unified threat management (UTM) devices and anomaly detection and intrusion prevention, it's hard to pick apart the features and get a handle on which devices are the most appropriate for specific functions.
An organization may also be investigating whether it can replace an IDS with an IPS, or if it needs to implement and maintain both for full protection. There's often a fine line between layered security and misappropriated efforts. In this tip, which compares IDS vs. IPS, we'll cover what types of basic features and protections IDS or IPS systems offer, the difference between IDS and IPS in practical application and a few popular use cases for the technologies.
IDS vs. IPS comparison: Scope of protection
For those who may not be familiar with the technology, an IDS is software or an appliance that monitors for unauthorized or malicious network activity. Using preconfigured rule sets, an IDS can inspect the configuration of endpoints to determine whether they may be susceptible to attack (this is known as host-based IDS), and also can record activity across a network and compare it to known attacks or attack patterns (this is called network-based IDS). The technology, which has been around for many years, is sold commercially with various bells and whistles, including superior signatures, but free, open source IDSes like Snort and OSSEC are also popular.
An IPS, conversely, can not only detect bad packets caused by malicious code, botnets, viruses and targeted attacks, but also can take action to prevent that network activity from causing damage. Even if you feel your network isn't a worthy target, know that many criminals use automated scans to probe the Internet and rattle every door knob so they can catalogue vulnerabilities for later use. These attackers may be after specific sensitive data or intellectual property, or they may be interested in whatever they can get their hands on, such as employee information, financial records or customer data.
A well-tuned IDS or IPS can effectively identify malware inside an infrastructure before it can cause damage. For example, let's say an attacker managed to slip a Trojan into your network. The malicious code may have made it in, and may be sitting quietly, waiting. It's benign in this state, but is a serious threat when activated. With the right intrusion detection in place, when the attacker tries to activate the malicious code, an IDS or IPS would identify the activity and spring into action, either to alert of or prevent the attack.
It's quite likely this type of attack would go completely unnoticed on a network using only a traditional firewall that's monitoring basic connection states. It might also slip past an anomaly-detection engine, if the attack were tucked into normal-looking traffic. The difference between these technologies and intrusion detection and prevention is that IDS/IPS conducts more in-depth packet inspection, analyzing not only where a packet came from and where it's heading, but also its contents to determine if they would compromise a system. That data is key in determining whether a packet's characteristics match what's considered unauthorized or malicious behavior, which may be a precursor to an attack. IDS/IPS technologies can more intelligently detect dangerous payloads, even when an attacker employs malformed or out-of-order packets to disguise an attack.
IDS vs. IPS: Differences between the two technologies
There are several schools of thought throughout the industry regarding whether IDS and IPS are separate, sustainable technologies, or whether IDS is a withering technology that should be replaced in favor of IPS. When making the IDS/IPS comparison, I argue the former; there are specific use cases for an IDS, such as when infosec pros need to identify an attack or vulnerability but take no action on it. The most obvious use cases for this type of detection are situations in which it is not desired to stop the attack (when collecting data or watching a honeypot), situations where security teams don't have the authority to stop an attack (if it's not our network we're observing) and, lastly, situations where we want the visibility of detection logs but favor availability over security. A good example of this would be a manufacturing organization that can't afford to sever connections with key production partners. In this case, a business decision may be made to sacrifice immediate security in favor of continuing business operations. Conversely, an IPS is best for organizations that want to detect and stop or prevent an attack, which should be the majority of enterprises because of its ability to proactively protect critical assets; an IDS only indicates that an attack may be in progress, and additional action is needed on the part of administrators to actually prevent it.
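To make the two preceding points concrete, here is a constructed Python illustration (added for this tip, not code from Snort, OSSEC or any product) of why payload inspection over a reassembled stream catches what per-packet matching misses, and of the only difference between IDS and IPS handling of the same hit: alert versus drop. The signature, the TCP segments and the "ids"/"ips" mode flag are all assumptions made for the example.

```python
import re

# Constructed signature (hypothetical rule): an HTTP GET whose path
# carries a directory-traversal sequence.
SIGNATURE = re.compile(rb"GET /[^ \r\n]*\.\./\.\./")

# Constructed sample flow: one request split into three TCP segments
# and delivered out of order, so no single packet holds the pattern.
SEGMENTS = [
    (1016, b"../etc/passwd HTTP/1.1\r\n"),  # last piece, arrives first
    (1000, b"GET /cgi-bin/"),               # first piece (13 bytes)
    (1013, b"../"),                         # middle piece (3 bytes)
]

def per_packet_match(segments):
    """Stateless check: look at each packet's payload on its own."""
    return any(SIGNATURE.search(payload) for _, payload in segments)

def reassemble(segments, initial_seq):
    """Rebuild the contiguous byte stream from out-of-order segments.
    Stops at the first gap so a missing segment is never papered over;
    retransmitted or overlapping bytes are trimmed."""
    stream = b""
    expected = initial_seq
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if end <= expected:
            continue                        # pure retransmit, nothing new
        if seq > expected:
            break                           # gap: wait for missing bytes
        stream += payload[expected - seq:]  # drop any overlap
        expected = end
    return stream

def inspect_stream(segments, initial_seq, mode="ids"):
    """IDS/IPS-style check over the reassembled stream.
    Returns (verdict, reassembled_bytes): 'alert' in IDS mode only
    records the hit, 'drop' in IPS mode signals the flow should be
    blocked, 'pass' when nothing matched."""
    data = reassemble(segments, initial_seq)
    if SIGNATURE.search(data):
        return ("drop" if mode == "ips" else "alert"), data
    return "pass", data

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS))
    print("reassembled, IDS mode:", inspect_stream(SEGMENTS, 1000)[0])
    print("reassembled, IPS mode:", inspect_stream(SEGMENTS, 1000, "ips")[0])
```

Dropping the middle segment from SEGMENTS leaves a gap, and the inspector returns "pass" rather than guessing at the missing bytes.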
Let's look at a couple of problem scenarios and how IDS and IPS technologies can respond to them.
Addressing known vulnerabilities
Organizations with myriad applications and host types may find that a combination of predefined and custom rules will also provide a stop-gap to address shortcomings within an application or business process. If an enterprise has a system that can't be patched for a particular vulnerability without disrupting another host function, an IPS may be the next best thing, as an appropriate IPS rule set could serve as a point of protection against the known vulnerability before it reaches that server.
The ability of IDS and IPS to simulate the response of a host gives them the unique capability to catch, stop or alert on attacks that could have a negative effect on a protected server or compromise its data. These solutions can be used at gateways between networks (much like a firewall) or within the internal infrastructure, positioned immediately in front of the protected resources. A gateway or outward-facing approach is recommended when the intent is to protect a Web server or other Internet-accessible application or device from external attack, while internal placement is best for protecting specific high-value assets, such as mission-critical application servers, from malware that finds its way onto trusted endpoints or even from insider attacks.
Popular IDS and IPS devices offer extremely comprehensive logging and data collection. Even without actionable alerts, the data gleaned from these devices and sensors throughout the network can be used for event correlation and network forensics in a post-attack scenario. If, for example, a series of key production servers were found to be compromised or even under visible attack, an organization with IDS and IPS in the environment would have a huge advantage when trying to pick apart the events that led to the compromise. This type of data is critical for analysis during and after attacks and can help an organization with both incident response and compliance audits.
Intrusion systems, like anything else, are put in place to serve a business purpose and meet an objective. These are just a few of the most common use cases for IDS and IPS, offered as a foundation for understanding whether this type of technology meets a need your organization has. If your environment hosts critical systems or confidential data, or falls under the purview of strict compliance regulations, then it's a strong candidate for IDS, IPS or both. By reviewing the use cases above, you can determine whether your organization may benefit from the features of intrusion detection and prevention.
About the author:
Jennifer Jabbusch is a network security engineer and consultant with Carolina Advanced Digital, Inc. Jennifer has more than 15 years' experience working in various areas of the technology industry. Most recently, Ms. Jabbusch has focused on specialized areas of infrastructure security, including Network Access Control, 802.1X and Wireless Security technologies.
This was first published in November 2010