Problem solve Get help with specific problems with your technologies, process and projects.

IDS and IPS: Information security technology working together

This article explains why organizations need both an IDS and IPS.

Information security should be based on a layering affect of technologies throughout an organization to provide an umbrella that mitigates risk and thereby reduces threat. The introduction of intrusion-prevention systems (IPS) offers one more layer.

For that last 20 years, security technologies have been segregated to the different worlds of intrusion-detection systems (IDS), firewalls, routers, switches and more. Each operates in a separate segment of the company network, while together providing threat mitigation and risk reduction through the collection of logs, rules, policy and configurations.

Although very successful, each technology requires the manpower of at least one human to manage or confirm updates. Several technologies attempt these automatic updates with, for example, firewall rules or blocking methods. With more failure than success, many are either unacceptable or unmanageable. In the end, each fails due to the amount of intelligence and manual work necessary to ensure each change does not impact the network, customers or user base. Technology does not contain the necessary Artificial Intelligence (AI) to combine the results from these systems and make the proper judgment for configuration changes, blocking rules or overall device re-configuration. There has simply not been a viable solution that works for each demand or requirements that would bind all necessary networking components together.

IPS: Next generation IDS

Relief from this management dilemma may now be available in intrusion-prevention systems (IPS). An IPS offers the ability to identify an intrusion, relevance, impact, direction and proper analysis of an event, and then pass the appropriate information and commands to the firewalls, switches and other network devices to mitigate the event's risk.

As stated by Aberdeen Group, "The key technical components of IPS include the marriage of global and local host access controls, IDS, global and local security policy, risk management software, and globally accessible consoles for managing IPS."

An IPS is the next security layer to be introduced that combines the protection of firewalls with the monitoring ability of an IDS to protect our networks with the analysis necessary to make the proper decisions on the fly.

IPS have been developed from the valid needs caused by false positives and other typical problems found in detecting malicious code or threats to networks today. IDS started the overall protection process by first protecting hosts (host-based IDS), then networks (network-based IDS). First and second-generation IDS currently protect our networks by identifying threats. IDS provide real-time alerts and reports. What they do not provide is the necessary intelligence to notify all network components downstream and upstream from the point of identification. This is where IPS become part of the overall layered approach to security. IPS gather all network information and make the determination of the threat, then notify all other devices of those findings. Upstream providers can notify downstream customers of possible attacks before or during the event as that malicious attempt arrives and vice versa.

Although IPS are actually the next generation IDS, there will always be a need to keep these separate technologies. Security devices must remain separate to allow depth in overall protection; thus, firewalls will need IDS, and the network will need IPS. Each technology is bound to each other with dependencies that will not disappear.

Challenges associated with IPS

Although similar to IDS, IPS have challenges of their own. These include:

  • Network design
  • Network traffic saturation
  • Frequent updates
  • False positives

The overall network design must be considered with the introduction of IPS. Several question come to light.

  • What traffic is allowed between say the Internet, DMZ and internal network?
  • Can the network allow the necessary communications between these zones that would use the full capability of the IPS?

Like IDS, IPS must be designed and scalable enough to accommodate any network design. Network traffic saturation must also be considered to ensure the additional IPS network traffic does not bring down the network. Finally, frequent updates and false positives are the same menace to IPS as they are to IDS. Simply put, software and signature files will need updating. This poses problems simply due to the manpower or work involved. False positives, on the other hand, have been the very reason IDS programs or projects collapse. IPS have a distinct advantage in this area only because other network device information will be gathered, and decisions are not based on one set of data but many. False positives are always an issue due to the large amounts of data IDS must collect and then analyze in real-time with limited AI. Signatures do a decent job of analysis, but they still do not contrast to the interaction IPS will provide.

IDS appear much easier to implement into a network with the use of TAPS (device used to tap a wire and not disrupt communication) and other devices. The introduction of IPS may require more work only because they must be introduced into the entire network infrastructure, not simply tap in on a network segment. IPS will need to the following first configured, then maintained: rules setup/management, system tuning, packet decode/tune, packet rules, console and database. As with many other technologies, these are the bare bones essential functions, thus acceptable.

IPS may not be the final answer to computer security, but it is a good start that further supports the firewall-to-IDS protection methodology. As with any other technology, there are testing results and configuration changes that can make or break the use of IPS in any company. The associated return-on-investment (ROI) must also be considered due to the already considerable amount of money spent on current network components. Senior management must be informed that IPS are an additional technology that will enhance and layer the ability of the firewalls and IDS to mitigate the risk of attacks and malicious code, thereby protecting the company and customers. As the threat increases almost daily this new technology will provide another layer of protection to our already well-protected systems. We can no longer afford the manpower necessary to monitor the many network components and computers that exist today. IPS provides the solution to automatically response in a trusted solution to threat as it occurs, not afterwards or when a human has time to verify the event.

About the author
Edward P Yakabovicz is the Information Security Officer for Bank One's Consumer Internet Group. He has more than 20 years of experience solving complicated business problems related to information security, information technology and project management. He is also an author, teacher and speaker at security conferences. As an expert on SearchSecurity, Ed answers your questions on infrastructure and network security.


This was last published in November 2003

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)