IDS or IPS? Pocket E-Guide




Differences and benefits of intrusion detection and prevention systems

Deciding between intrusion detection systems (IDS) and intrusion prevention systems (IPS) is a particularly challenging and time-consuming task for most security pros. Both systems provide similar benefits and have markets occupied by the same vendors. This Pocket E-Guide cuts through the noise and gives you independent, expert advice from security guru Joel Snyder on deciding between an IDS or IPS. Review the specifics on each system, including differences and benefits. Also, find out whether unified threat management intrusion prevention systems (UTM IPS) measure up and how management needs change when integration is increased.

Sponsored by:

Know when you need IDS, IPS or both
by Joel Snyder

While threat management continues to be a top priority, it is more important than ever for cash-strapped security professionals to fully understand the functionality of intrusion defense tools in order to make good purchasing decisions. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are a particularly confusing area because the products are so similar, the vendors are all the same, and even the acronyms are hard to tell apart. We'll explain the capabilities of each and how to decide whether you need one or both technologies.

DIFFERENTIATING IDS AND IPS

An IPS is not the same as an IDS. However, the technology that you use to detect security problems in an IDS is very similar to the technology that you use to prevent security problems in an IPS. It's important to start out with the understanding that IDS and IPS are very, very different tools. Even though they have a common base, they fit into the network in different places, have different functions, and solve different problems.

An IPS is best compared to a firewall. In a typical enterprise firewall, you'll have some number of rules: maybe a hundred, maybe a thousand. Most of those rules are "pass" rules: "allow the traffic through." Thus, the firewall gets a packet off the wire and starts through its rules, looking for a rule that says "allow this packet through." If it gets to the end of the list and there's no rule saying "allow this packet through," then there's a final "deny" rule: "drop everything else." Thus, in the absence of a reason to pass the traffic, the firewall drops it.

An IPS is like that, but inside out: it has rules, maybe hundreds, maybe thousands. Most of those rules are "deny" rules: "block this known security problem." When a packet shows up at the IPS, the IPS looks through its rule list from top to bottom, looking for some reason to drop the packet. At the end of the list, though, is an implicit "pass" rule: "allow this packet through." Thus, in the absence of a reason to drop the traffic, the IPS passes it through.

Firewalls and IPSes are control devices. They sit inline between two networks and control the traffic going through them. This means that the IPS is on the policy side of your security house: it's going to implement or enforce a particular policy on what traffic is not allowed through. The obvious topological affinity of firewalls and IPSes has led us to the world of UTM, where an IPS is incorporated into the firewall. UTMs let you have both security services (blocking security threats, allowing known good traffic) in a single device. We'll talk later about the ultimate compression of IPS and firewall, the Unified Threat Management (UTM) firewall.
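The "inside out" contrast described above is easy to see in code. The following is an added example written for this edit, not code from the guide or from any product: one first-match rule evaluator is run with a firewall's default-deny policy and with an IPS's default-pass policy over the same constructed packets. The rule names, the placeholder "EXPLOIT-A"/"EXPLOIT-B" payload markers and the sample traffic are all invented for the illustration; they stand in for a real signature set, which would match on vulnerability-specific content rather than a fixed string.

```python
"""First-match rule evaluation: a firewall (mostly "pass" rules, default deny)
versus an IPS (mostly "deny" rules, default pass).  Added example; the rules,
signature markers and sample packets are constructed, not from the guide."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass" or "deny"
    match: Callable[[Packet], bool]


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> Tuple[str, str]:
    """Walk the rule list top to bottom; the first matching rule decides.
    When nothing matches, the device's implicit final rule (``default``)
    applies, which is exactly where firewall and IPS differ."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return default, "implicit-default"


# Firewall: a few explicit "pass" rules, everything else dropped.
FIREWALL_RULES = [
    Rule("allow-web", "pass", lambda p: p.dport in (80, 443)),
    Rule("allow-dns", "pass", lambda p: p.dport == 53),
]

# IPS: "deny" rules keyed on known-bad content, everything else passed.
# The byte markers are constructed placeholders standing in for real signatures.
IPS_RULES = [
    Rule("block-known-exploit-A", "deny", lambda p: b"EXPLOIT-A" in p.payload),
    Rule("block-known-exploit-B", "deny", lambda p: b"EXPLOIT-B" in p.payload),
]


def firewall_decision(pkt: Packet) -> str:
    return evaluate(FIREWALL_RULES, default="deny", pkt=pkt)[0]


def ips_decision(pkt: Packet) -> str:
    return evaluate(IPS_RULES, default="pass", pkt=pkt)[0]


def inline_decision(pkt: Packet) -> str:
    """Both devices inline, as in a UTM: the packet must clear the
    firewall's default-deny and then the IPS's default-pass."""
    if firewall_decision(pkt) == "deny":
        return "deny"
    return ips_decision(pkt)


# Constructed sample traffic (not captured packets).
SAMPLE = [
    Packet("10.0.0.5", "198.51.100.10", 443, b"GET / HTTP/1.1"),   # allowed, clean
    Packet("10.0.0.5", "198.51.100.10", 80, b"EXPLOIT-A"),         # allowed port, known attack
    Packet("10.0.0.5", "198.51.100.10", 23, b"login"),             # unknown port, no signature
    Packet("10.0.0.5", "198.51.100.10", 8080, b"EXPLOIT-B"),       # blocked by both
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"dport={p.dport:<5} firewall={firewall_decision(p):<5} "
              f"ips={ips_decision(p):<5} inline={inline_decision(p)}")
```

The second and third packets carry the lesson: the firewall alone passes a known attack on an allowed port, and the IPS alone passes traffic it has no rule for, which is why the guide treats them as complementary control devices rather than substitutes.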

The main reason to have an IPS is to block known attacks across a network. When there is a time window between when an exploit is announced and when you have the time or opportunity to patch your systems, an IPS is an excellent way to quickly block known attacks, especially those using a common or well-known exploit tool.

Of course, IPSes can provide other services. As product vendors search to differentiate themselves, IPSes have become rate-limiting tools (which is also helpful in denial-of-service mitigation), policy enforcement tools, data leak protection tools, and behavior anomaly detection tools. In every case, though, the key function of the IPS is a control function.

What about UTM IPSes?
UTM IPS is not the same as standalone IPS

The combination of an IPS and a firewall into a single system, with a single management system, is attractive. Unfortunately, most unified threat management systems (UTMs) are designed for SMB deployment, an environment where the simplicity of the management system is one of the most critical design requirements. Combining IPS management with firewall management is a very difficult task. In fact, no product vendor has successfully managed to merge their web-based firewall management system with a good IPS management tool.

You shouldn't assume that an IPS incorporated into a UTM firewall will offer the same types of controls and protections as a standalone IPS. This does not mean that there aren't great UTM firewalls with embedded IPSes; it just means that the management systems for the IPS part of these products are quite different (and often separate) from the firewall parts. If your prospective UTM firewall vendor has bundled the IPS and firewall functionality into a homogeneous single web interface, you're looking at a product where the IPS is getting second-rate management tools. This may be fine in environments where you're only interested in control, such as at branch offices or where only a small set of systems is being protected. To find an enterprise-class IPS combined with a UTM firewall, look for products which are, paradoxically, less integrated: a standalone IPS and standalone firewall combined in the same chassis, for example.

--Joel Snyder

WHAT DO IDSES DO?

If an IPS is a control tool, then an IDS is a visibility tool. Intrusion detection systems sit off to the side of the network, monitoring traffic at many different points, and provide visibility into the security posture of the network.

A good analogy is to compare an IDS with a protocol analyzer. A protocol analyzer is a tool that a network engineer uses to look deep into the network and see what is happening, in sometimes excruciating detail. An IDS is a "protocol analyzer" for the security engineer. The IDS looks deep into the network and sees what is happening from the security point of view. In the hands of a security analyst, the IDS becomes a window into the network. The information provided by the IDS will help the security and network management teams uncover, as a start:

- Security policy violations, such as systems or users who are running applications against policy
- Infections, such as viruses or Trojan horses that have partial or full control of internal systems, using them to spread infection and attack other systems
- Information leakage, such as running spyware and key loggers, as well as accidental information leakage by valid users
- Configuration errors, such as applications or systems with incorrect security settings or performance-killing network misconfiguration, as well as misconfigured firewalls where the rule set does not match policy
- Unauthorized clients and servers, including network-threatening server applications such as DHCP or DNS service, along with unauthorized applications such as network scanning tools or unsecured remote desktop

This increased visibility into the security posture of the network is what characterizes an IDS, and what differentiates the visibility function of an IDS from the control function of an IPS.

Of course, since both IDS and IPS have the word "intrusion" at the beginning of their acronym, you may be wondering why I haven't mentioned "intrusion" as part of the function of either IDS or IPS. Partly that's because the word "intrusion" is so vague that it's difficult to know what an intrusion is. Certainly, someone actively trying to break into a network is an intruder. But is a virus-infected PC an "intrusion"? Is someone performing network reconnaissance an intruder or merely someone doing research? And if a malicious actor is in the network legitimately -- for example, a rogue employee -- are their legitimate and illegitimate actions intrusions or something else?

The more important reason for leaving "intrusion" out of the description for both IDS and IPS is that they aren't very good at catching true intruders. An IPS will block known attacks very well, but most of those attacks are either network reconnaissance or automated scans looking for other systems to infect -- hardly "intrusions" in the classic sense of the word. The best intrusion prevention system in this case is the firewall, which doesn't let inappropriate traffic into the network in the first place. It's the misuse of the word "intrusion" in referring to these visibility and control technologies which has caused such confusion and misguided expectations in staff at enterprises that have deployed either IDS or IPS.
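The visibility items in the list above (unauthorized DHCP or DNS servers, network scanning tools, remote desktop outside policy) are the kind of thing an analyst would pull out of IDS flow data, so here is an added example of that pass, written for this edit and not part of the guide: a small set of detectors run over constructed flow records against a constructed site policy. The record format, the approved-server and jump-host lists, the fan-out threshold and every sample flow are assumptions made for the illustration; a real deployment would take these from the site's own policy and sensor output.

```python
"""IDS-style visibility over flow records: flag unauthorized DNS/DHCP servers,
remote desktop use outside policy, and scan-like port fan-out.
Added example; the policy values, record format and flows are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"


# Constructed site policy (assumptions for this example).
APPROVED_DNS: Set[str] = {"10.0.0.53"}
APPROVED_DHCP: Set[str] = {"10.0.0.1"}
ADMIN_JUMP_HOSTS: Set[str] = {"10.0.9.9"}
REMOTE_DESKTOP_PORTS = {3389, 5900}
SCAN_FANOUT_THRESHOLD = 10   # distinct dst ports from one src to one dst


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts,src,sport,dst,dport,proto' lines; skip blanks and # comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split(",")
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto))
    return flows


def unauthorized_servers(flows: List[Flow]) -> List[str]:
    """Hosts being used as DNS (udp/53) or DHCP (udp/67) servers without approval."""
    findings = set()
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 53 and f.dst not in APPROVED_DNS:
            findings.add(f"unauthorized DNS server {f.dst} used by {f.src}")
        if f.dport == 67 and f.dst not in APPROVED_DHCP:
            findings.add(f"unauthorized DHCP server {f.dst} used by {f.src}")
    return sorted(findings)


def remote_desktop_violations(flows: List[Flow]) -> List[str]:
    """Remote desktop sessions (by port) from anything but the admin jump hosts."""
    return sorted({f"remote desktop {f.src}->{f.dst}:{f.dport} outside policy"
                   for f in flows
                   if f.proto == "tcp" and f.dport in REMOTE_DESKTOP_PORTS
                   and f.src not in ADMIN_JUMP_HOSTS})


def scan_like_sources(flows: List[Flow]) -> List[str]:
    """One source touching many distinct ports on one destination."""
    ports: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted(f"{src} probed {len(p)} ports on {dst}"
                  for (src, dst), p in ports.items()
                  if len(p) >= SCAN_FANOUT_THRESHOLD)


def analyze(text: str) -> Dict[str, List[str]]:
    flows = parse_flows(text)
    return {
        "unauthorized_servers": unauthorized_servers(flows),
        "remote_desktop": remote_desktop_violations(flows),
        "scanning": scan_like_sources(flows),
    }


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = "\n".join(
    ["# ts,src,sport,dst,dport,proto",
     "100,10.0.0.21,51000,10.0.0.53,53,udp",     # approved DNS server: fine
     "101,10.0.0.22,51001,10.0.0.77,53,udp",     # workstation answering DNS
     "102,10.0.0.23,68,10.0.0.77,67,udp",        # same host handing out DHCP
     "103,10.0.9.9,52000,10.0.0.30,3389,tcp",    # admin jump host: fine
     "104,10.0.0.24,52001,10.0.0.30,5900,tcp"]   # workstation-to-workstation
    + [f"{110 + i},10.0.0.25,53000,10.0.0.40,{1000 + i},tcp" for i in range(12)]
)

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_FLOWS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Nothing here blocks traffic; the output is a list of findings for a person to read, which is the point the guide makes next about IDS value depending on someone having the time to look.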

Yes, an IDS will detect true intrusions. Yes, an IPS will block true intrusions. But these products do much more than that -- they provide greater control and greater visibility, which is where their real value is.

SO WHICH DO I BUY?

If all products were either an IDS or an IPS, then the answer to the question "which should I buy?" would be easy: buy an IDS if you want visibility, and buy an IPS if you want control. But IPS and IDS vendors don't make it easy for us, because they have developed and released hybrid products which combine IDS visibility on top of IPS control.

For most enterprises, especially ones that don't have an IPS or an IDS already, the right answer is "buy an IPS." A visibility tool only brings you value if you have time to look at what it's telling you. With tight budgets and overstressed staff, the kind of senior security engineer it takes to really get value out of an IDS is in short supply. Buying a product that no one is going to look at isn't going to do you much good. Without regular and disciplined use of the visibility aspects of an IDS, the only real effect you'll see is in increased power bills.

This doesn't mean that an IPS is a "set it and forget it" kind of device. To get value out of an IPS, you must tune it to match your own network, application and system mix. If you don't, you'll either have a high rate of false positives, which can interrupt legitimate traffic, or you'll miss a lot of attacks, in which case the IPS is not bringing you very much value. An IPS that never has a false positive is probably not doing a good job of protecting your network. However, you will still get value out of an IPS even without a large time investment in managing and tuning it and analyzing what it's telling you about your network. That's because the IPS will be there, providing additional defenses and helping to protect you against common errors. Since most security problems are the result of human error rather than targeted attacks, the IPS is an outstanding way to bring a defense-in-depth strategy to network security.

Most IPS vendors, because of their IDS heritage, sell products which actually combine both IPS and IDS functions. They have the powerful malware and attack recognition engine needed to identify and block attacks, but they also have additional rules and tools designed to enhance network visibility. As you're considering IPS, IDS, or combination products, remember to focus on your primary requirement.

If you are looking for additional control, the most important part of the picture is the IPS detection engine. IPSes need the ability to quickly detect and block attacks, at very high speeds and without degrading network performance, throughput, or latency.

If you're looking for visibility, network forensics, and analysis capabilities, the most important part of the picture is the IDS management console. You have to be able to navigate through the information provided by the IDS in a quick and natural way to gain network and security visibility. While the detection engine is important, it's not nearly as important as the management system. Without an effective way of extracting information from the IDS -- and this is as much your training as it is the management console you install -- you won't see much value from an IDS.

Joel Snyder is senior partner for Opus One. Send comments on this article to feedback@infosecuritymag.com.

Resources from TippingPoint

- IPS vs. IDS: Similar on the Surface, Polar Opposites Underneath
- TippingPoint Corporate Overview
- TippingPoint Intrusion Prevention Systems Overview

About TippingPoint

TippingPoint is a leading global provider of comprehensive network security solutions that address the security and regulatory compliance needs of complex network environments. With the TippingPoint Intrusion Prevention System (IPS), network infrastructure, applications, and critical data are protected from malicious cyber attacks. TippingPoint's approach to network security enables enterprises to enforce security policies across all users, devices, traffic flows and content, while preserving existing infrastructure and ensuring business continuity to help lower total cost of ownership. TippingPoint's security intelligence is powered by DVLabs, TippingPoint's premier team of expert internal researchers for vulnerability analysis and discovery. DVLabs is supplemented by over 1,000 external Zero Day Initiative (ZDI) researchers.