Tip

Do you need an IDS or IPS, or both?

Cut through the hype and learn the differences and benefits of intrusion detection and prevention systems.

While threat management continues to be a top priority, it is more important than ever for cash-strapped security professionals to fully understand the functionality of intrusion defense tools in order to make good purchasing decisions.

Intrusion defense systems (IDS) and intrusion prevention systems (IPS) are a particularly confusing area because the products are so similar, the vendors are all the same, and even the acronyms are hard to tell apart. We'll explain the capabilities of each and how to decide whether you need one or both technologies.

Differentiating IDS and IPS

An IPS is not the same as an IDS. However, the technology that you use to detect security problems in an IDS is very similar to the technology that you use to prevent security problems in an IPS.

It's important to start out with the understanding that IDS and IPS are very, very different tools. Even though they have a common base, they fit into the network in different places, have different functions, and solve different problems.

An IPS is best compared to a firewall. In a typical enterprise firewall, you'll have some number of rules: maybe a hundred, maybe a thousand. Most of those rules are "pass" rules: "allow the traffic through." Thus, the firewall gets a packet off the wire and starts through its rules, looking for a rule that says "allow this packet through." If it gets to the end of the list and there's no rule saying "allow this packet through," then there's a final "deny" rule: "drop everything else." Thus, in the absence of a reason to pass the traffic the firewall drops it.

And IPS is like that, but inside out: it has rules, maybe hundreds, maybe thousands. Most of those rules are "deny" rules: "block this known security problem." When a packet shows up at the IPS, the IPS looks through its rule list from top to bottom, looking for some reason to drop the packet. At the end of the list, though, is an implicit "pass" rule: "allow this packet through." Thus, in the absence of a reason to drop the traffic, the IPS passes it through.

Firewalls and IPSes are control devices. They sit inline between two networks and control the traffic going through them. This means that the IPS is in the policy side of your security house. It's going to implement or enforce a particular policy on what traffic is not allowed through.

The obvious affinity of firewalls and IPSes from a topological point of view has led us to the world of UTM, where an IPS is incorporated into the firewall. UTMs let you have both security services (blocking security threats, allowing known good traffic) into a single device. We'll talk about the ultimate in compression of IPS and firewall, the UTM (Unified Threat Management) firewall later.

The main reason to have an IPS is to block known attacks across a network. When there is a time window between when an exploit is announced and you have the time or opportunity to patch your systems, an IPS is an excellent way to quickly block known attacks, especially those using a common or well-known exploit tool.

Of course, IPSes can provide other services. As product vendors search to differentiate themselves, IPSes have become rate limiting tools (which is also helpful in Denial of Service mitigation), policy enforcement tools, data leak protection tools, and behavior anomaly detection tools. In every case, though, the key function of the IPS is a control function.

What about UTM IPS?

The combination of an IPS and a firewall into a single system, with a single management system, is attractive.  Unfortunately, most unified threat management systems (UTMs) are designed for SMB deployment, an environment where the simplicity of the management system is one of the most critical design requirements. Combining IPS management with firewall management is a very difficult task. In fact, no product vendor has successfully managed to merge their web-based firewall management system with a good IPS management tool.

You shouldn't assume that an IPS incorporated into a UTM firewall will offer the same types of controls and protections as a standalone IPS.
This does not mean that there aren't great UTM firewalls with embedded IPSes; it just means that the management systems for the IPS part of these products are quite different (and often separate) from the firewall parts.

If your prospective UTM firewall vendor has bundled the IPS and firewall functionality all into a homogeneous single web interface, you're looking at a product where the IPS is getting second rate management tools.  This may be fine in environments where you're only interested in control, such as at branch offices or where only a small set of systems are being protected.

To find an enterprise-class IPS combined with a UTM firewall, look for products which are, paradoxically, less integrated: a standalone IPS and standalone firewall combined in the same chassis, for example.

What is an IDS?

If an IPS is a control tool, then an IDS is a visibility tool. Intrusion Detection Systems sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security posture of the network. A good analogy is to compare an IDS with a protocol analyzer. A protocol analyzer is a tool that a network engineer uses to look deep into the network and see what is happening, in sometimes excruciating detail. An IDS is a "protocol analyzer" for the security engineer. The IDS looks deep into the network and sees what is happening from the security point of view.

In the hands of a security analyst, the IDS becomes a window into the network. The information provided by the IDS will help the security and network management teams uncover, as a start:

  • Security policy violations, such as systems or users who are running applications against policy
  • Infections, such as viruses or Trojan horses that have partial or full control of internal systems, using them to spread infection and attack other systems
  • Information leakage, such as running spyware and key loggers, as well as accidental information leakage by valid users
  • Configuration errors, such as applications or systems with incorrect security settings or performance-killing network misconfiguration, as well as misconfigured firewalls where the rule set does not match policy
  • Unauthorized clients and servers including network-threatening server applications such as DHCP or DNS service, along with unauthorized applications such as network scanning tools or unsecured remote desktop.

This increased visibility into the security posture of the network is what characterizes an IDS, and which differentiates the visibility function of an IDS from the control function of an IPS.

Of course, since both IDS and IPS have the word "intrusion" as the beginning of their acronym, you may be wondering why I haven't mentioned "intrusion" as part of the function of either IDS or IPS. Partly that's because the word "intrusion" is so vague that it's difficult to know what an intrusion is. Certainly, someone actively trying to break into a network is an intruder. But is a virus-infected PC an "intrusion?" Is someone performing network reconnaissance an intruder… or merely someone doing research? And if a malicious actor is in the network legitimately -- for example, a rogue employee -- are their legitimate and illegitimate actions intrusions or something else?

The more important reason for leaving "intrusion" out of the description for both IDS and IPS is that they aren't very good at catching true intruders. An IPS will block known attacks very well, but most of those attacks are either network reconnaissance or automated scans, looking or other systems to infect -- hardly "intrusions" in the classic sense of the word. The best Intrusion Prevention System in this case is the firewall, which doesn't let inappropriate traffic into the network in the first place.

It's the misuse of the word "intrusion" in referring to these visibility and control technologies which has caused such confusion and misguided expectations in staff at enterprises that have deployed either IDS or IPS.

Yes, an IDS will detect true intrusions. Yes, an IPS will block true intrusions. But these products do much more than that -- they provide greater control and greater visibility, which is where their real value is.

So Which Do I Buy?

If all products were either an IDS or an IPS, then the answer to the question of "which should I buy" would be easy: buy an IDS if you want visibility, and buy an IPS if you want control. But IPS and IDS vendors don't make it easy for us, because they have developed and released hybrid products which combine IDS visibility on top of IPS control.

For most enterprises, especially ones who don't have an IPS or an IDS already, the right answer is "buy an IPS." A visibility tool only brings you value if you have time to look at what it's telling you. With tight budgets and overstressed staff, the kind of senior security engineer it takes to really get value out of an IDS is in short supply. Buying a product that no one is going to look at isn't going to do you much good. Without regular and disciplined use of the visibility aspects of an IDS, the only real effect you'll see is in increased power bills.

This doesn't mean that an IPS is a "set it and forget it" kind of device. To get value out of an IPS, you must tune it to match your own network and application and system mix. If you don't, you'll either have a high rate of false positives, which can interrupt legitimate traffic, or you'll miss a lot of attacks, in which case the IPS is not bringing you very much value. An IPS that never has a false positive is probably not doing a good job at protecting your network.

However, you will get value out of an IPS without a large time investment in managing and tuning it, and analyzing what it's telling you about your network. That's because the IPS will be there, providing additional defenses, and helping to protect you against common errors. Since most security problems are the result of human error rather than targeted attacks, the IPS is an outstanding way to bring a defense-in-depth strategy to network security.

Most IPS vendors, because of their IDS heritage, sell products which actually combine both IPS and IDS functions. They have the powerful malware and attack recognition engine needed to identify and block attacks, but they also have additional rules and tools designed to enhance network visibility.

As you're considering IPS, IDS, or combination products, remember to focus on your primary requirement. If you are looking for additional control, the most important part of the picture is the IPS detection engine. IPSes need the ability to quickly detect and block attacks, at very high speeds and without degrading network performance, throughput, or latency.

If you're looking for visibility, network forensics, and analysis capabilities, the most important part of the picture is the IDS management console. You have to be able to navigate through the information provided by the IDS in a quick and natural way to gain network and security visibility. While the detection engine is important, it's not nearly as important as the management system. Without an effective way of extracting information from the IDS -- and this is as much your training as it is the management console you install -- you won't see much value from an IDS.

Next Steps

Take this quiz on IDS/IPS

What's the difference between IDS signature and anomaly detection?

Read this buyer's guide to the intrusion prevention market

Learn the top five ways to tune an IDS/IPS to meet business needs

Dig Deeper on Threat detection and response

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close