A Guide To Intrusion Detection And Intrusion Prevention Systems (IDS/IPS)

Traditional Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) have evolved into the Next Generation Intrusion Prevention Systems (NGIPS). See what the new breed of IPS has to offer and how the top five solutions compare.

With an ever evolving security landscape, infosec products and solutions seem to change from day to day rather than from year to year. Because of this fast rate of change, it can be hard to track which products will best provide the right solution for a specific environment. Some common solutions offered today include Next Generation Firewalls (NGFW), Next Generation Intrusion Prevention Systems (NGIPS), Advanced Malware Protection (AMP), Denial of Service (DoS) Protection, Email and Web Protection, Endpoint Protection and many more. On top of this, many vendors have integrated parts of each of these tools into specific product offerings, which blurs the lines between one group and another.

Today, we focus on NGIPS offerings, specifically on those appliances that only provide NGIPS services and that don't provide NGFW services.

Traditional Intrusion Prevention Systems

While Intrusion Detection and Intrusion Prevention Systems (IDS/IPS) have been around for decades, the definition of what they are tasked with and how they perform their functions has evolved, just as the threats facing organizations today have evolved. Originally, IDS platforms were tasked with monitoring communications (typically out of band) and alerting staff to attacks that were being detected on the network, so that further action could be taken to stop them. The evolution into IPS changed how the devices were deployed: in addition to detecting attacks, they could take some action to stop them automatically. This was traditionally implemented through in-band sensors or appliances that were configured with an ever-growing list of known threat signatures.

While this manual approach did work for a time, the threat landscape quickly outpaced the ability of organizations to maintain a truly up-to-date list of signatures. Some providers countered this by adding a limited amount of dynamic detection that allowed the devices to find attacks outside of their signature bases. However, this was just a band-aid, as threats continued to accelerate faster than the detection and prevention mechanisms could keep up with and mitigate them. The next evolutionary step was needed. Enter: NGIPS.

Next Generation Intrusion Prevention Systems

The new breed of IPS builds on the traditional Intrusion Prevention System but adds a number of functionalities that allow it to provide better protection for modern organizational networks and devices. Some of these added functionalities include:

  • Network Awareness -- provides knowledge of the devices that exist on the network. This information is valuable whether gathered in small or large quantities. It allows an organization to know the types of devices (OS, device type, etc.) that exist on the network and to pick out and highlight those that are outside the norm. Any device type that is not considered normal will be flagged, and alerts can be configured to notify the appropriate individuals. This also typically extends to detecting which software packages are generating the traffic on the network.
  • Application Awareness -- provides the ability to pick out and highlight the applications that are being run on the network and the users that are running them. This capability allows policies to be created to control which applications are allowed and which are not, by whom and to what level (e.g. Facebook, Jabber, Skype, Twitter, YouTube, etc.).
  • Identity Awareness -- provides the ability to gather identity information for the devices and applications that are attached to the network and for the traffic that is being transmitted. This information can be gathered using a number of different techniques and databases, such as Microsoft Active Directory (AD) and LDAP.
  • Behavior Awareness -- provides the ability to establish and monitor the baseline behavior of network devices. Ongoing usage patterns are then contrasted against this baseline. Anything that stands out will be reported and/or mitigated by policy (e.g. bandwidth consumption, performance degradation, etc.).
  • Real Time Automated Response -- provides the ability to respond to events as they occur and to react with the appropriate response based on policy.
  • Automatic IPS Tuning -- provides the ability for a platform to dynamically tune itself based on the information gathered. This reduces the amount of interactive engineer time needed to adjust rules to current conditions. Examples of this include enabling or disabling certain scanning signatures or techniques based on the operating systems discovered in use or the applications being run.
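The automatic tuning described above can be modelled in a few lines. The following is an added example, not code from any NGIPS vendor or from the original article: it assumes a constructed signature set, a constructed host inventory produced by network awareness, and a conservative rule that hosts whose OS could not be fingerprinted keep every OS-specific signature enabled.

```python
"""Toy model of automatic IPS tuning driven by network awareness.

Signatures that can only fire against platforms absent from the discovered
inventory are disabled to cut inspection cost and false positives. Signatures
for platforms that are present, or that apply to every platform, stay enabled.
If any host could not be fingerprinted, nothing is disabled, because the
platform it runs is unknown. All data here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                    # constructed id, not a real vendor SID
    name: str
    target_os: FrozenSet[str]   # empty set means "applies to any platform"


@dataclass(frozen=True)
class Host:
    ip: str
    os: Optional[str]           # None means passive fingerprinting failed


# Constructed rule set; OS families are illustrative.
SIGNATURES: List[Signature] = [
    Signature(1001, "SMB exploit attempt", frozenset({"windows"})),
    Signature(1002, "glibc overflow attempt", frozenset({"linux"})),
    Signature(1003, "malformed SNMP to network OS", frozenset({"ios"})),
    Signature(1004, "HTTP directory traversal", frozenset()),
]


def tune(signatures: List[Signature],
         hosts: List[Host]) -> Tuple[List[Signature], List[Signature]]:
    """Return (enabled, disabled) signatures for the discovered inventory."""
    seen = {h.os for h in hosts if h.os is not None}
    unknown_present = any(h.os is None for h in hosts)
    enabled: List[Signature] = []
    disabled: List[Signature] = []
    for sig in signatures:
        relevant = (not sig.target_os          # platform-independent rule
                    or unknown_present         # be conservative, keep it on
                    or bool(sig.target_os & seen))
        (enabled if relevant else disabled).append(sig)
    return enabled, disabled


if __name__ == "__main__":
    inventory = [Host("10.0.0.5", "windows"), Host("10.0.0.9", "linux")]
    on, off = tune(SIGNATURES, inventory)
    print("enabled:", [s.sid for s in on], "disabled:", [s.sid for s in off])
```

Re-running `tune` whenever the inventory changes is what turns this into the continuous, engineer-free tuning the bullet describes.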

An Evolving Information Security Ecosystem

It is important to note that while the features of an NGIPS are very important to implement on a network, it should not be considered a complete solution for system protection. NGIPS solutions are typically implemented either as a point product (where the only thing the appliance does is IPS) or as a combined solution with other features and options. A complete security solution requires that organizations take a multi-tiered approach to systems security. This means implementing a number of different solutions that work in combination with each other.

It is important that the solutions selected (NGIPS or otherwise) each have the ability to integrate into a combined management and/or monitoring system and, ideally, with each other. This allows security staff to quickly view all of the information from multiple solutions and gain the most comprehensive view of the network and the devices attached to it. It also allows multiple solutions to feed into each other. For example, if an AMP solution finds new malware and determines that it uses a specific unique port number and/or protocol, that finding can be passed to a firewall solution to automatically block it before it gains access past the organizational network perimeter.

These integrations also provide for both a proactive and a reactive stage of security. Since many attacks on a network are new, it is possible that an attack may get through initially. However, upon continued scanning, the attack can be found and reactively eliminated. This level of integration is one of the things that makes the best security solutions stand out from one another.

Gartner estimates that by 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches and by 2018 80 percent of endpoint protection platforms will include user activity monitoring and forensic capabilities. This follows the evolution of the Next Generation Intrusion Prevention Systems. These platforms will continue to transition into smarter, more capable tools and because of this they will grow even more dynamic as malicious attacks evolve.

The NGIPS is a vital part of any organization's network security strategy. Next time we will highlight the top five NGIPS solutions that exist today and review each provider's technologies and options.