Intrusion detection system products and services are being used in a variety of organizations where they are primarily employed to detect and stymie network-based attacks ranging from single network packet attacks to sophisticated application-level attacks. Intrusion detection and prevention system (IDS/IPS) sensors must have enough processing power to detect these attacks as they occur and -- in the case of IPS sensors -- block these attacks at wire speeds.
While passive IDS sensors, which see only a copy of the traffic, can respond to TCP attacks by issuing TCP resets, only IPS sensors can block attacks carried over other network protocols, such as UDP and ICMP. IPS sensors can block attacks because they are inline devices: all traffic on their network segment passes through them, so they can detect and drop malicious packets rather than merely observe them. Consequently, an organization must determine early in the IDS/IPS project how many sensors to deploy and where.
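The difference between the two deployment models is easiest to see in a small simulation. The following is an added example, not code from the original article or any vendor's product: it models a passive sensor that receives a mirrored copy of each packet (as from a SPAN port or tap) and whose only active response is a forged TCP RST, beside an inline sensor that every packet must traverse. The addresses, the "EVIL" payload marker and the sample traffic are constructed for the demonstration.

```python
"""Added example: passive IDS (TCP reset only) versus inline IPS (drop any
protocol). Hosts, signature and traffic are constructed, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # constructed sample addresses (RFC 5737 documentation ranges)
    dst: str
    payload: bytes


# Constructed signature: any payload containing this marker is "the attack".
ATTACK_MARKER = b"EVIL"


def is_malicious(pkt: Packet) -> bool:
    return ATTACK_MARKER in pkt.payload


class Host:
    """Protected host: records what actually arrived at its network stack."""

    def __init__(self):
        self.delivered = []
        self.reset_peers = set()   # TCP peers whose connection was torn down

    def receive(self, pkt: Packet):
        # A reset connection discards further segments from that peer.
        if pkt.proto == "tcp" and pkt.src in self.reset_peers:
            return
        self.delivered.append(pkt)

    def tcp_reset(self, peer: str):
        self.reset_peers.add(peer)


def passive_ids(packets, host):
    """Out-of-band sensor fed from a SPAN port or tap. It sees only a copy,
    so the original packet is already on its way to the host; its one active
    response is a forged TCP RST, which means nothing for UDP or ICMP."""
    alerts = []
    for pkt in packets:
        host.receive(pkt)                # the real packet is forwarded regardless
        if is_malicious(pkt):
            alerts.append((pkt.proto, "alert"))
            if pkt.proto == "tcp":
                host.tcp_reset(pkt.src)  # later segments of this flow are discarded
    return alerts


def inline_ips(packets, host):
    """Inline sensor: every packet must pass through it, so a matching packet
    of any protocol can be dropped before the host ever sees it."""
    alerts = []
    for pkt in packets:
        if is_malicious(pkt):
            alerts.append((pkt.proto, "drop"))
            continue                     # never forwarded
        host.receive(pkt)
    return alerts


# Constructed sample traffic: a two-segment TCP attack, one UDP and one ICMP
# attack packet, and benign TCP and UDP traffic.
SAMPLE_TRAFFIC = [
    Packet("tcp",  "198.51.100.7", "192.0.2.10", b"GET / HTTP/1.1"),
    Packet("tcp",  "198.51.100.9", "192.0.2.10", b"EVIL stage 1"),
    Packet("tcp",  "198.51.100.9", "192.0.2.10", b"EVIL stage 2"),
    Packet("udp",  "198.51.100.9", "192.0.2.10", b"EVIL dns payload"),
    Packet("icmp", "198.51.100.9", "192.0.2.10", b"EVIL ping payload"),
    Packet("udp",  "198.51.100.7", "192.0.2.10", b"normal dns query"),
]


def delivered_by(sensor, traffic=SAMPLE_TRAFFIC):
    """Run one sensor model over the traffic and return the payloads that
    reached the host, so the two deployment models can be compared."""
    host = Host()
    sensor(traffic, host)
    return [p.payload for p in host.delivered]


if __name__ == "__main__":
    for sensor in (passive_ids, inline_ips):
        print(sensor.__name__, "->", delivered_by(sensor))
```

Running it shows the point the article makes: the passive sensor alerts on all four attack packets but the first TCP segment, the UDP packet and the ICMP packet still reach the host, and only the second TCP segment is stopped by the reset; the inline sensor delivers nothing but the benign traffic. It also illustrates why inline placement raises the processing-power requirement mentioned above: a slow inline sensor delays every packet on the segment, whereas a slow passive sensor only delays its own alerts.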
IDS/IPS products are indeed capable, essential elements of an enterprise security architecture, like firewalls, but they are not the ultimate security panacea. Instead, IDS/IPS technology should be regarded as a complementary cybersecurity technical control that works alongside firewalls, spam filters, antimalware and data loss prevention products. Therefore, organizations should have a good idea of which IDS/IPS features complement their existing security controls.
Early in the planning, assess whether your organization would benefit most from a best-of-breed or a suite-based product. Security practitioners periodically flip-flop on which track to follow, but ultimately you should determine what works best for your organization with the least drain on your budget.
If you have in-house expertise, best-of-breed intrusion detection system products can work well if sized properly for your organization. Examples of this would be using open source projects for IDS/IPS sensors and supporting technologies such as load balancers and security information and event management (SIEM) servers, or using commercial products like Sourcefire IDS/IPS sensors and Splunk Enterprise Security or LogRhythm as SIEMs.
If your enterprise is using several products from the same security vendor, it might make sense to follow the suite approach. Examples of this would include using McAfee Network Security Platform IDS/IPS with McAfee ePolicy Orchestrator, or HP TippingPoint IDS/IPS sensors with HP ArcSight ESM.
About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company as well as a freelance expert consultant and writer.