A wide variety of tools are available to detect attacks and exploits and to block, mitigate, and prevent them. Some of these, such as firewalls, spam filters that reject unwanted email, and antivirus/anti-malware that protects endpoint systems, are used by almost every organization regardless of its size. Another valuable security tool that is becoming more common across organizations is a network IDS/IPS, or Intrusion Detection System / Intrusion Prevention System. If you are unsure what either of these is, don't worry; this post gives a brief description of each.
What is an IDS?
An Intrusion Detection System, or IDS, is a software application or a hardware appliance that passively monitors network traffic (or, for a host-based sensor, activity on a single machine) for suspicious activity and potential threats, and sends out alerts when such activity is discovered. An IDS is configured with rules or models that analyze traffic and identify patterns that may indicate a cyber attack; it does not sit in the traffic path and cannot stop anything on its own.
IDS systems are typically placed into two categories/types:
- Host-based
- Network-based
The difference is where the sensors are placed: on a host or endpoint, or on the network (typically fed by a mirror/SPAN port or a network tap). Beyond where an IDS is deployed, IDS systems also differ in how they detect and identify intrusions:
- Signature Detection
- Anomaly Detection
- Hybrid Detection
How Does an IDS Work?
An IDS is a passive technology: it detects potential threats and generates alerts, which give incident responders, analysts, engineers, and stakeholders a means to investigate and respond to the threat. It is a common misconception that an IDS protects endpoints or networks. Because it usually inspects a copy of the traffic rather than the traffic itself, an IDS cannot drop a packet or close a connection; it only reports. An IPS (Intrusion Prevention System), on the other hand, does actively defend endpoints and networks from threats.
What is an IPS?
An IPS, or Intrusion Prevention System, can be thought of as similar to a firewall. It is a network security and threat prevention technology that actively monitors and examines network traffic to detect and block known threats, instead of only raising an alarm or sending out alerts as an IDS does. Like an IDS, most IPS products use both signature-based and anomaly-based detection; many also add a third method, policy-based detection, in which the administrator defines what traffic is acceptable (for example, which protocols may be used between which network segments) and the IPS blocks anything that violates that policy.
How Does an IPS Work?
Typically an IPS is placed inline, directly behind the firewall, so that every packet the firewall admits must also pass through the IPS; this provides an added layer of analysis that can actively block threats rather than merely observe them. Intrusion Prevention Systems work by inspecting all traffic entering the network. Just a few of the types of threats an IPS is programmed to monitor for and block are:
- Denial of Service (DoS) attacks
- Distributed Denial of Service (DDoS) attacks
- Different types of known exploits
- Worms
- Viruses
An IPS performs real-time packet analysis, inspecting every packet that travels through it. If a packet is found to contain a potential threat, the IPS can drop the packet, terminate the TCP session (for example by sending a reset to both ends), reconfigure the firewall so that further packets from that source are blocked, or remove/rewrite the malicious content in the packet. Because the IPS sits inline, a false positive blocks legitimate traffic and a slow sensor adds latency to everything behind it, so new rules are normally run in detect-only mode and tuned before they are allowed to block.
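The detection methods listed under "What is an IDS?" and the alert-versus-block behaviour described in the two sections above, as an added example that is not part of the original article: a toy Python sensor that applies signature detection, a baseline-driven anomaly detector and a hybrid verdict to constructed traffic, and runs either as an IDS (alert only) or as an IPS (drop matching packets inline and emit a firewall rule for each flagged source). The signature patterns, IP addresses, baseline counts and the nftables table/chain names are assumptions made for illustration, not values from the article or any product.

```python
"""Toy IDS/IPS sensor: signature, anomaly and hybrid detection over constructed
traffic, run either alert-only (IDS) or inline with blocking (IPS).
Added example; not code from the original article or from any vendor product."""

from collections import Counter, defaultdict
from dataclasses import dataclass
import statistics


@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes


# Signature detection: byte patterns tied to specific known attacks.
# These three are constructed for the example; a real sensor ships thousands.
SIGNATURES = {
    "path-traversal": b"../../",
    "sqli-tautology": b"' OR 1=1",
    "shell-injection": b";/bin/sh",
}

# Per-source packet counts observed during a known-clean period (constructed).
BASELINE_COUNTS = [3, 4, 2, 5, 3, 4]


def signature_matches(pkt):
    """Names of every signature whose byte pattern appears in the payload."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


class AnomalyDetector:
    """Flags a source whose packet count in the window is far above the baseline."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.mean = self.stdev = None

    def train(self, baseline_counts):
        self.mean = statistics.mean(baseline_counts)
        self.stdev = statistics.pstdev(baseline_counts) or 1.0  # avoid divide-by-zero

    def is_anomalous(self, count):
        # z-score: standard deviations above the normal per-source rate.
        return (count - self.mean) / self.stdev > self.threshold


def firewall_block_rule(src_ip):
    # Assumes an nftables table 'inet filter' with an 'input' chain (hypothetical host).
    return f"nft add rule inet filter input ip saddr {src_ip} drop"


class Sensor:
    """mode='ids' only raises alerts; mode='ips' also drops signature-matching
    packets inline and emits a firewall rule for every flagged source."""

    def __init__(self, mode, anomaly):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.anomaly = anomaly

    def process(self, packets):
        counts = Counter(p.src for p in packets)
        sig_hits = defaultdict(set)
        dropped = []
        for pkt in packets:
            sigs = signature_matches(pkt)
            sig_hits[pkt.src].update(sigs)
            if sigs and self.mode == "ips":
                dropped.append(pkt)  # inline: the packet never reaches the host
        verdicts = {}
        for src, count in counts.items():
            sigs = sorted(sig_hits[src])
            anomalous = self.anomaly.is_anomalous(count)
            # Hybrid verdict: a signature is a known attack, an anomaly is a
            # suspicious rate, and both together is the strongest signal.
            if sigs and anomalous:
                verdicts[src] = ("critical", sigs)
            elif sigs:
                verdicts[src] = ("high", sigs)
            elif anomalous:
                verdicts[src] = ("medium", sigs)
        rules = [firewall_block_rule(s) for s in verdicts] if self.mode == "ips" else []
        return verdicts, dropped, rules


def sample_traffic():
    """Constructed traffic: two normal clients, one web attacker, one port scanner."""
    pkts = [
        Packet("10.0.0.5", 443, b"GET /index.html HTTP/1.1"),
        Packet("10.0.0.6", 443, b"GET /about HTTP/1.1"),
        Packet("10.0.0.7", 80, b"GET /dl?file=../../etc/passwd HTTP/1.1"),
        Packet("10.0.0.7", 80, b"POST /login user=admin' OR 1=1--"),
    ]
    # 10.0.0.9 sweeps 40 ports with empty payloads: no signature fires, only the rate.
    pkts += [Packet("10.0.0.9", port, b"") for port in range(1, 41)]
    return pkts


def build_sensor(mode):
    det = AnomalyDetector()
    det.train(BASELINE_COUNTS)
    return Sensor(mode, det)


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, dropped, rules = build_sensor(mode).process(sample_traffic())
        print(mode.upper(), "alerts:", verdicts, "| dropped:", len(dropped), "| rules:", rules)
```

In IDS mode the scanner (10.0.0.9) and the web attacker (10.0.0.7) both produce alerts but nothing is dropped and no firewall rule is emitted; in IPS mode the two signature-matching packets are dropped inline and both sources get a block rule. Note that the anomaly verdict needs a full window of traffic before it can fire, which is why the scanner's packets are not dropped one by one: that is exactly the kind of case where reconfiguring the firewall, rather than per-packet dropping, is the IPS action that actually stops the activity.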
Why You Need an IDS/IPS
Attackers are continuously developing new exploits and attack techniques to circumvent network defenses. No network is impenetrable, and no firewall is foolproof. An IDS/IPS can be a key addition to an organization's network because it enables you to detect and respond to malicious traffic that the firewall has already allowed through.
The main benefit of an IDS/IPS is that IT personnel are notified while an attack or breach is being attempted, rather than discovering it after the fact. That notification only covers what the sensor's signatures, baselines, and policies recognize, so the rule set has to be kept current to stay useful.
If I Have an IDS/IPS Why Do I Need a Firewall?
Some of you may be wondering the often-asked question, "If I have an IDS/IPS in place, why do I need a firewall?" The answer is that the two do different jobs. An IDS does not keep intruders out at all; it records and alerts on attempted breaches. An IPS blocks only the traffic its signatures and policies recognize as malicious. The firewall is what enforces the access policy: it decides which hosts, ports, and protocols are permitted at all and discards everything else before an IDS/IPS ever has to inspect it. Think of it this way: the firewall is the first line of defense, a security guard at the door.
If the firewall is the security guard, the IDS is the security camera, and the IPS is a camera with a guard watching it who can step in. The firewall explicitly restricts access by screening traffic and deciding what is permitted based on criteria such as source, destination, port, and protocol. The IDS/IPS then monitors the traffic the firewall allowed, spots patterns or anomalies in that activity, and sends out an alert (or, for an IPS, blocks the traffic) when anything suspicious is detected. This is why a continued effort of actively monitoring your firewall and updating your filtering controls and allow/deny rules and policies is crucial to getting the best security possible: the IDS/IPS alerts tell you who, or what, is trying to get into the network, and the firewall rules are where you act on that.
SME provides fully managed security solutions including Firewalls, Virtual Private Networks, Remote Access and Intrusion Detection Systems. Each customized security solution is monitored 24x7x365 from our Secure Network Operations Center, allowing our team to respond to potential threats as they are happening. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.