
What’s the difference?

Sadly there’s no hard and fast rule; what’s important is understanding what you’re buying.
Traditional IDS systems used sniffers & signatures to detect attacks, very similar to how
viruses are found with AV. The problem with this kind of system is that it relies on a
signature being available to recognize the attack. There is also a margin of error with
sniffer technology, which means it’s possible to flood a network with “safe” traffic and
then slip the attack in under the radar.

Some consider the difference between IDS and IPS to be that IPS is proactive: it
doesn’t require a signature to detect the attack, it just recognizes unacceptable behavior.
The problem with this is that any technology that can do this is very difficult and
expensive to implement.

Others consider the difference between IDS and IPS to be that IPS implements a protective
“shim” between the system and the attack; thus, if the attack is recognised, it can be
blocked.

Suddenly you can see how the two phrases get muddled up: those inventing intelligent
systems to detect unknown or Zero Day attacks wanted a way to differentiate their
technology from the rest, but IDS vendors were easily able to adopt the “P” by making
their existing product work inline, thus providing “protection” rather than “detection”.

So I go back to my point: what’s the difference between “D” & “P”? Find out if the
product you’re buying uses signatures, and you’ll get an idea whether it’s a re-vamped
IDS or a Zero Day protection system.

-
How do you define intrusion prevention?

In the simplest of terms, intrusion prevention means keeping the “bad guys” out of a
corporate network. Intrusion prevention system (IPS) technology inspects Internet traffic
flowing into and through an organization and actively blocks malicious content before it
impacts business. IPS technology can be either network-based or host-based. With the
right products and deployment, it can help organizations preserve network availability,
reduce the burden on IT resources and prevent security breaches.

How aware are organizations now of network and systems intrusion? If they are
aware, do they generally understand the extent of the problem?

With the recent explosion in the sophistication of online attacks, including the evolution
of phishing, bots, spyware, rootkits and other forms of malware, IT security has become
top-of-mind for most organizations that rely on the Internet to conduct business. While
the extent of the problem is generally understood, many companies struggle with the fact
that effective security solutions are often complex, confusing and cost-prohibitive. The
average enterprise has over 32 security vendors!

Is intrusion prevention of equal concern to every business? Should a small business of
just a few employees be as worried about it as a large enterprise? Is there any level at
which the ROI does not make sense?

In this day and age, any company that relies on the Internet to conduct business, and that
houses confidential data of any kind (customer information, financials, credit card
numbers, business plans, etc.) should be concerned about intrusion prevention. Online
attacks are not limited to large corporations. As long as money can be made by breaking
into a network, it will eventually attract the attention of hackers. With this fact in mind,
many security vendors are now offering lower-cost IPS options specifically tailored for
small- to medium-sized businesses (in addition to more robust systems for enterprises).

How often is intrusion prevention mistaken for intrusion detection? And why, in fact,
can’t IDS plus a firewall be made to work as an IPS? What are the differences between
the two?

Most security and IT professionals now understand the differences between the two
technologies. IPS technology goes deeper than a firewall because it blocks or allows
traffic based on application content rather than IP addresses or ports. Additionally, unlike
IDS technologies, IPS products are designed to sit inline with traffic flows and prevent
attacks in real-time, as opposed to passively monitoring and alerting organizations to
malicious traffic. For these reasons, an IDS product coupled with a firewall does not
equate to IPS.

What’s the difference between a host IPS and a network IPS? Is it a case that
businesses can use either one of them, or is one preferable to the other in certain cases,
and what are those? Are there any situations when it might be best to have both?

While a network-based IPS product resides on a single point on the network and is
designed to protect all hosts connected to the network, a host-based IPS product resides
on a specific IP address such as a PC or server. Network- and host-based IPS
technologies are complementary, and it is recommended that companies use a
combination of both. This way, the organization is using a defense-in-depth methodology
to provide multiple barricades for stopping malicious attacks, therefore achieving more
comprehensive, multilayered protection.

What are some of the challenges involved in deploying an IPS? Is it a plug-and-play
technology, or are there things that a business has to do to make it work to its best
potential? Does putting an IDS in place alter the way a network or system operates,
and if so what actions should the user take to make sure everything works well
together?

A good IDS or IPS product should be simple to deploy, requiring no reconfiguration of
the network. While IDS operates in a passive state, IPS is deployed inline. This
difference is significant since an IPS device is capable of blocking traffic. The IBM ISS
intrusion prevention product is the only intrusion prevention system available with an
inline simulation mode, giving organizations the ability to determine blocking behavior
before actually activating blocking. Companies like IBM ISS also have professional
security services teams that can assist companies with designing and deploying the
security solution that best fits their needs.
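The passive-versus-inline distinction and the inline simulation mode described above, together with the signature-based matching discussed in the opening section, can be modelled in a few lines. This is an added example, not code from the interview or from any IBM ISS product; the signature, the protocol check, the sensor modes and the sample request lines are all constructed for illustration.

```python
import re

# Constructed signature (pattern matching) and protocol checks; no vendor ruleset.
SIGNATURES = {"sig-path-traversal": re.compile(r"\.\./")}
KNOWN_METHODS = {"GET", "HEAD", "POST"}
ACTIONS = {"detect": "alert", "simulate": "would-block", "block": "blocked"}

def protocol_violation(request_line):
    """RFC-shape check: 'METHOD /target HTTP/1.x' with a method the sensor knows."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in KNOWN_METHODS:
        return "proto-bad-request-line"
    if not parts[1].startswith("/") or not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        return "proto-bad-target-or-version"
    return None

def classify(request_line):
    """Names of every check that fires for one request line (empty list = clean)."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(request_line)]
    violation = protocol_violation(request_line)
    if violation:
        hits.append(violation)
    return hits

def inspect(request_lines, mode):
    """detect: passive IDS, alert only; simulate: inline but only logs would-block;
    block: inline and drops. Returns (forwarded, events=[(action, line, hits)])."""
    if mode not in ACTIONS:
        raise ValueError(f"unknown mode {mode!r}")
    forwarded, events = [], []
    for line in request_lines:
        hits = classify(line)
        if hits:
            events.append((ACTIONS[mode], line, hits))
        if not hits or mode != "block":  # only block mode drops traffic
            forwarded.append(line)
    return forwarded, events

# Constructed sample traffic: two clean requests, a traversal attempt, a malformed
# request line, and a legitimate search query that merely contains "../" (the
# false positive a simulation run is meant to surface before blocking is enabled).
SAMPLE = [
    "GET /index.html HTTP/1.1",
    "POST /api/login HTTP/1.1",
    "GET /static/../../app.conf HTTP/1.1",
    "BREW /coffee HTTP/1.1",
    "GET /search?q=what+does+../+mean HTTP/1.1",
]
```

Running `inspect(SAMPLE, "simulate")` forwards all five lines but logs three would-block events, and the last of them is the search query, which is the kind of false positive that should be tuned out before switching to `"block"`.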

Can an IPS produce the same number of false positives that an IDS does? If not, why
not? If it is capable of those false positives, what does a user have to do to reduce or
eliminate them?

An IPS product should not block legitimate traffic by mistake. Accuracy is a frequently
cited concern for companies deploying IPS products and services, and one that should be
carefully evaluated when selecting an IPS vendor.

How does an IPS fit into the overall security scheme? Is it a replacement for other
systems and devices, such as a firewall or an IDS? Or is it a complementary technology
that necessarily works in concert with other technologies? Is there a “perfect” way to
deploy an IPS?

Since IPS is essentially the next generation of IDS, it is a replacement for that
technology. Companies normally either choose to have their network traffic passively
monitored with IDS, or they choose to have “bad” traffic actively blocked with IPS.
However, beyond that, IPS should make up one piece of an organization’s comprehensive
security strategy, complementing other technologies such as a firewall. Again, it is
recommended that companies deploy a multi-layered approach consisting of various
security technologies to better ensure that attacks do not penetrate their infrastructure.

How do you think intrusion protection will evolve? Will the nature of intrusions stay
the same, for example, but just increase the rate at which they occur? Or do you think
there could be a substantial change in what IPS will be called on to detect and manage
in the future?

The nature of online attacks is evolving as we speak. In general, they are becoming more
sophisticated, designer and stealthy in nature. Instead of launching widespread Internet
worms for notoriety, attackers are increasingly turning to more targeted means of
network infiltration through which they can obtain a profit. Whether it’s through building
bot networks to blast out spam, stealing confidential information off of computers or
taking a corporation’s data hostage in return for ransom, online criminals are becoming
more and more creative every day. IPS technology must therefore be able to adapt to
protect against both traditional threats and emerging threats. Solutions that rely on
signature updates to block every single new attack will soon become irrelevant as
attackers develop new ways to penetrate networks on a daily basis. Instead, IPS
technology must be developed to be more extensible and deal with entire classes of
threats without relying on signature updates.

Considering that the IPS investment a business makes now will last for some time,
what are the best-of-breed features that a buyer should consider when weighing that
investment?

When evaluating IPS technologies, companies need to balance and maximize the
following six key areas:

Performance: The ability to act transparently in the network environment and
introduce a minimal amount of latency to network traffic.
Security: An effective intrusion prevention system will employ a combination of
multiple analysis and detection methodologies including protocol analysis,
heuristics, RFC compliance, TCP reassembly, statistical analysis and pattern
matching. Using multiple analysis and identification methods will also diminish the
number of false positives and false negatives.
Reliability: Devices placed in the flow of network traffic must be extremely
reliable. They require features such as high availability and hot-swappable,
redundant power supplies and hard drives to ensure that network traffic is
maintained.
Deployment: Deployment of IPS products should be simple and flexible, and
should not require network reconfiguration.
Management: Management of an IPS device should also be simple and intuitive,
providing flexible options for reporting, analysis and alerting. Companies also need
to consider how the product will integrate with the other components of their
network infrastructure.
Confidence: The vendor behind the IPS solution is also a key consideration. In
addition to a robust and comprehensive IPS technology, it is critical that companies
look for a vendor with a strong, proven industry track record, including long-
standing, successful customer deployments, technology leadership and recognition,
as well as industry certifications and a formal, proven customer support program.

For IPS technology to truly deliver protection that enhances operations and reduces
overall risk, it must address all six of these components. This uncompromising protection
not only assures that threats are blocked before they impact the network, but also
maximizes network uptime, minimizes the need for active involvement in security events,
reduces total cost of ownership and assists with regulatory compliance.

What other observations or suggestions do you have?

Reactive technologies are not capable of keeping up with the ever-morphing forms of
malware on the Internet. In order to truly stay protected, organizations should seek out an
IPS solution that is preemptive, that does not rely on signature updates to fend off each
individual attack but rather adapts to block entire classes of threats, both traditional and
emerging.

Today, many companies are finding that an intrusion prevention system (IPS) alone
doesn’t provide security tight enough to adequately protect their enterprise. To prevent
damage from targeted attacks and increasingly sophisticated threats, companies are
adding to their infrastructure a network-based IPS appliance, which monitors traffic
flowing across the network to detect and respond to a variety of security threats before
they can impact the network. An IPS appliance can stop worms, Trojans, viruses,
spyware and other malicious code, and most can also thwart DoS (denial of service)
attacks as well as peer-to-peer and VoIP threats.

In general, IPS appliances use either signature-based or protocol analysis-based
technology to block these various forms of malware, and they can be deployed either at
the perimeter of a network or at the core. They’re designed to sit inline with traffic flows
and stop attacks as they happen. Like most pre-emptive forms of security, IPS appliances
must be regularly updated with the latest known threats and vulnerabilities based on the
latest research – some vendors send updates daily, others weekly, and any trustworthy
vendor sends an immediate update to fight a newly discovered attack.

Vendors large and small offer IPS appliances, generally tuned by performance for
specific uses: small- and medium-sized businesses, small enterprise, large enterprise,
service provider, carrier network, and data center network. The range of speeds is vast,
and there is an appliance suitable to any network infrastructure, starting at 50 Mbps and
going as high as 5 Gbps. Most use several different methods of detection, including
stateful signature detection, protocol and traffic anomaly detection, backdoor detection,
IP spoofing detection, DoS detection, Layer 2 detection, rate limiting, IPv6 detection and
network honeypot.

Cisco offers its Cisco IPS 4200 Sensors appliances, which come in a 1 Gbps model, a 600
Mbps model, a 250 Mbps model and an 80 Mbps model. From IBM Internet Security
Solutions comes the IBM Proventia Network Intrusion Prevention System, with a 2 Gbps
version, a 1.2 Gbps version, a 400 Mbps version and two 200 Mbps versions. Juniper
Networks offers its eponymously named IDP products, with a 1 Gbps appliance, a 500
Mbps appliance, a 250 Mbps appliance and a 50 Mbps appliance. McAfee’s IntruShield
Network IPS appliances come in two 2 Gbps models, a 1 Gbps model, a 600 Mbps
model, a 200 Mbps model and a 100 Mbps model. And TippingPoint’s IPS models
include a 5 Gbps device, a 2 Gbps device, a 1.2 Gbps device, a 600 Mbps device, two
200 Mbps devices and three 50 Mbps devices.

Even though preventing known – and even unknown – network security threats is the
main function of IPS appliances, they can also be used to help satisfy rigorous regulatory
and audit requirements. Depending on the device’s reporting capabilities, it can be used
to monitor network activity.
