This content is part of the Essential Guide: Evaluating intrusion detection and prevention systems and vendors

Types of intrusion detection products: Suite vs. best-of-breed

When evaluating types of intrusion detection products, it is important to distinguish whether a best-of-breed or suite-based product is the right match for your enterprise. Expert Bill Hayes offers guidance to help you decide.

Intrusion detection system products and services are being used in a variety of organizations where they are primarily employed to detect and stymie network-based attacks ranging from single network packet attacks to sophisticated application-level attacks. Intrusion detection and prevention system (IDS/IPS) sensors must have enough processing power to detect these attacks as they occur and -- in the case of IPS sensors -- block these attacks at wire speeds.

While IDS sensors can issue TCP resets for TCP attacks, only IPS sensors can block attacks based on other network protocols, such as UDP and ICMP. IPS sensors are able to block attacks because they are inline devices and, therefore, can detect and disrupt attacks that flow through their particular network segment. Consequently, an organization must determine early in the IDS/IPS project how many sensors to deploy and where.
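The passive-versus-inline distinction above is easy to model. The following is an added example, not code from the article or from any IDS/IPS product: a toy simulation in which a passive sensor sees only a copy of each packet (as from a SPAN port or tap) and can respond solely by injecting a TCP RST, while an inline sensor sits in the forwarding path and can drop a matching packet of any protocol. The packet stream and the signature byte pattern are constructed placeholders, not real traffic or real rules.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder standing in for a detection signature.
SIGNATURE = b"ATTACK-MARKER"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    payload: bytes


def matches_signature(pkt: Packet) -> bool:
    """Toy content match; a real sensor would run a full rule engine here."""
    return SIGNATURE in pkt.payload


class PassiveIDS:
    """Out-of-band sensor. It inspects a copy of each packet, so the original
    is already on its way to the destination; the only active response it
    can take is to inject a TCP RST into an offending TCP flow."""

    def __init__(self) -> None:
        self.alerts: List[Packet] = []
        self.tcp_resets: List[Packet] = []

    def observe(self, pkt: Packet) -> Packet:
        if matches_signature(pkt):
            self.alerts.append(pkt)
            if pkt.proto == "tcp":
                self.tcp_resets.append(pkt)   # RST only works for TCP
        return pkt                            # copy-based: never withheld


class InlineIPS:
    """Inline sensor. Every packet on the segment passes through it, so a
    match can be dropped regardless of the protocol it rides on."""

    def __init__(self) -> None:
        self.alerts: List[Packet] = []
        self.dropped: List[Packet] = []

    def process(self, pkt: Packet) -> Optional[Packet]:
        if matches_signature(pkt):
            self.alerts.append(pkt)
            self.dropped.append(pkt)
            return None                       # packet never reaches dst
        return pkt


# Constructed sample stream: one malicious packet per protocol plus one
# benign TCP packet. Addresses are placeholders.
SAMPLE_STREAM = [
    Packet("tcp",  "10.0.0.5", "10.0.1.10", b"GET /index.html"),
    Packet("tcp",  "10.0.0.6", "10.0.1.10", b"POST /" + SIGNATURE),
    Packet("udp",  "10.0.0.7", "10.0.1.53", SIGNATURE + b"\x00\x01"),
    Packet("icmp", "10.0.0.8", "10.0.1.10", b"ping " + SIGNATURE),
]


def run_passive(stream: List[Packet]) -> Dict[str, object]:
    """Deliver every packet through a passive IDS and summarize what it could do."""
    ids = PassiveIDS()
    delivered = [ids.observe(p).proto for p in stream]
    return {
        "delivered": delivered,
        "alerts": len(ids.alerts),
        "tcp_resets": [p.proto for p in ids.tcp_resets],
    }


def run_inline(stream: List[Packet]) -> Dict[str, object]:
    """Forward every packet through an inline IPS and summarize what got through."""
    ips = InlineIPS()
    delivered = [p.proto for p in (ips.process(q) for q in stream) if p is not None]
    return {
        "delivered": delivered,
        "alerts": len(ips.alerts),
        "dropped": [p.proto for p in ips.dropped],
    }


if __name__ == "__main__":
    print("passive IDS:", run_passive(SAMPLE_STREAM))
    print("inline  IPS:", run_inline(SAMPLE_STREAM))
```

With the constructed stream, the passive sensor raises three alerts but every packet still reaches its destination, and it can only answer the TCP match with a reset; the inline sensor raises the same three alerts and drops all three matching packets, UDP and ICMP included. The model also makes the placement point concrete: the inline sensor only protects packets that actually traverse it, which is why sensor count and location are decided early.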

IDS/IPS products are indeed capable, essential elements of an enterprise security architecture, like firewalls, but they are not the ultimate security panacea. Instead, IDS/IPS technology should be regarded as a complementary cybersecurity technical control that can work with firewalls, spam filters, antimalware and data loss prevention products. Therefore, organizations should have a good idea of which IDS/IPS features complement their existing security controls.

Early in the planning, assess whether your organization can benefit most from a best-of-breed or a suite-based product. Security practitioners periodically flip-flop on which track to follow, but ultimately you should determine what works best for your organization with the least drain on your budget.

If you have in-house expertise, best-of-breed intrusion detection system products can work well if sized properly for your organization. Examples of this would be using open source projects for IDS/IPS sensors and supporting technologies such as load balancers and security incident and event management servers, or using commercial products like Sourcefire IDS/IPS sensors and Splunk Enterprise Security or LogRhythm as SIEMs.

If your enterprise is using several products from the same security vendor, it might make sense to follow the suite approach. Examples of this would include using McAfee Network Security Platform IDS/IPS with McAfee ePolicy Orchestrator, or HP TippingPoint IDS/IPS sensors with HP ArcSight ESM.

About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.


This was last published in February 2015
