Imagine, for a moment, that your IT environment is the Death Star. You know the rebels will try to rescue Princess Leia. If you’re Darth Vader, you need systems that detect Luke and Chewbacca when they gain unauthorized access and systems that prevent them from accessing the Death Star.
As a security analyst, you have varied technologies that detect and prevent malicious actors from gaining unauthorized access to your networks. Your Intrusion Detection System (IDS) detects and alerts you to the digital Luke trying to hide in your system. Your intrusion Prevention System (IPS) locks down access when it identifies suspicious activity to keep Luke from even boarding the Death Star in the first place.
When you understand what IDS and IPS tools do, you can incorporate them into your network monitoring technology stack to improve network security.
What are Intrusion Detection Systems (IDS)?
An Intrusion Detection System (IDS) monitors network traffic and events to detect behavior linked to known attack patterns, vulnerabilities, or abnormal activity. IDS tools analyze:
- Network packets
- Logs
- System events
IDS tools can engage in two types of analyses:
- Signature-based: using a list of known malicious behavior
- Anomaly-based: understanding normal behavior on a network and looking for abnormal activity, like attacks using previously unknown vulnerabilities
IDS tools typically fall into one of the following categories:
- Network-based IDS (NIDS): installed on the network to examine incoming and outgoing traffic for protocols, traffic patterns, and packet headers
- Host-based IDS (HIDS): installed on machines or servers to examine system logs and files related to unauthorized access or system modifications
- Perimeter IDS (PIDS): installed on the network to detect issues at the critical infrastructure’s perimeter
- Virtual machine-based IDS (VMIDS): monitoring virtual machines for issues across connections to devices and systems
- Hybrid: host- and network-based monitoring for more comprehensive coverage
An IDS provides the following benefits:
- Threat detection: proactive, early detection of potential threats
- Visibility: insights into real-time network activity
- Incident investigation: data for forensic analysts after a security incident
- Compliance: monitoring required by regulations and industry standards frameworks
- Downtime reduction: rapid detection and response limits a security incident’s impact on business operations
Despite their benefits, IDS tools have the following limitations:
- False positives/negatives: lacking the context necessary to determine whether the abnormal behavior is acceptable or dangerous
- High data volumes: inability to differentiate benign from malicious traffic with noisy packet data
- Reactive technology: alerts detect attacks rather than preventing them
- Threat actor evasion techniques: bypassing protections with tactics like distributed denial of service, spoofing, fragmentation, and other methodologies
What are Intrusion Prevention Systems (IPS)?
An Intrusion Prevention System (IPS) monitors network traffic and events to detect suspicious activities and then actively blocks and defuses potential threats.
IPS tools can engage in one or more of the following analyses:
- Signature-based: using a list of known threat characteristics or behaviors
- Anomaly-based: looking for anomalies in network traffic, like processes using too much bandwidth
- Policy-based: identifying activity that violates a firewall’s security policy
IPS tools typically fall into one of four categories:
- Network-based IPS (NIPS): installed on the network to inspect and monitor inbound and outbound packets
- Host-based IPS (HIPS): installed on a device to monitor traffic to and from the device
- Network behavior analysis (NBA): anomaly-based detection for monitoring network communications, like ports used and source/destination IP addresses
- Wireless IPS (WIPS): monitoring Wi-Fi networks for suspicious activity or misconfigurations
An IPS provides the following additional benefits beyond the ones that an IDS offers:
- Threat prevention: blocking or terminating risky connections
- Improved network security: mitigating risks like unauthorized network access, network misconfigurations, or packets containing malicious data
Despite their benefits, IPS tools have the following limitations:
- Service disruption: false positives blocking legitimate traffic
- Reduced network performance: degraded user experience and slower speeds when inspecting traffic
- Maintenance: operational costs from updating signatures
What are the differences between IDS and IPS?
In many ways, IDS and IPS seem the same. They can both:
- Monitor traffic and packets
- Alert security teams to potential incidents
- Leverage artificial intelligence (AI) and machine learning (ML)
However, since they serve different purposes, they come with different capabilities.
Purpose
The most fundamental difference is the function that the tools serve in your cybersecurity technology stack:
- IDS: reactively identify intrusions and alert security teams
- IPS: proactively stop intrusions, take automated actions, and alert security teams
All the differences between the tools flow down from what they hope to achieve as part of your cybersecurity program.
Functionality
Since they perform different roles, they function differently. In turn, they have different effects on your networks:
- IDS: passively monitor data flows to detect threats and send alerts
- IPS: actively inspect network packets to take preventative action
While the IPS takes proactive mitigation steps, its inline inspection degrades network performance. Meanwhile, the IDS has less impact on performance but only provides “after the fact” capabilities.
Deployment
Although every organization is different, most deploy the tools in similar locations:
- IDS: key network perimeter points, often behind the firewall, to reduce load and focus on internal threats
- IPS: network edge to limit network performance impact
Business Impact
Driving down further, their different objectives relate directly to how false positives impact your organization:
- IDS: adding to alert fatigue and possibly overlooking an important detection
- IPS: unnecessarily shutting down network connectivity and interrupting business operations
Additionally, the IPS’s proactive mitigation may cause an increase in IT help desk calls as people lose access to applications or services.
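As an added example that is not from the original post, the toy sensor below applies the signature-based and anomaly-based analyses described earlier to constructed flow records, once in IDS mode (alert only) and once in IPS mode (alert and drop), so the same false positive shows up as an extra alert in one and as a dropped legitimate flow in the other. The signature list, the baseline byte counts and the flow records are all constructed for illustration.

```python
# Added example (not Graylog's code): a toy inline sensor that combines one
# signature rule with a byte-count anomaly baseline and runs in IDS or IPS mode.
from statistics import mean, pstdev

# Constructed "normal" flow sizes observed during a learning window.
BASELINE_BYTES = [1000, 1200, 1500, 900, 1100, 1300, 1250, 950]

# Constructed live flow records: (src_ip, dst_port, bytes, payload_hint)
FLOWS = [
    ("10.0.0.5", 443, 1200, "GET /index.html"),
    ("10.0.0.5", 443, 1400, "GET /app.js"),
    ("10.0.0.7", 22, 900, "SSH-2.0-OpenSSH"),
    ("10.0.0.9", 80, 1100, "GET /login"),
    ("10.0.0.9", 80, 61000, "nightly backup upload"),  # legitimate but unusual
    ("10.0.0.12", 80, 1300, "GET /?q=' OR 1=1 --"),     # matches the signature
]

# Signature-based analysis: a constructed, deliberately tiny known-bad list.
SIGNATURES = {"sqli-tautology": "' OR 1=1"}


def byte_threshold(baseline, n_sigma=3.0):
    """Anomaly-based analysis: flag flows more than n_sigma above the baseline."""
    return mean(baseline) + n_sigma * pstdev(baseline)


def inspect(flows, mode, baseline=BASELINE_BYTES):
    """mode is 'ids' (passive: alert only) or 'ips' (inline: alert and drop).

    Returns (alerts, forwarded): alerts is a list of (src_ip, reasons) and
    forwarded is the list of (src_ip, dst_port) flows allowed through.
    """
    limit = byte_threshold(baseline)
    alerts, forwarded = [], []
    for src, port, nbytes, hint in flows:
        reasons = [name for name, pat in SIGNATURES.items() if pat in hint]
        if nbytes > limit:
            reasons.append("anomalous-size")
        if reasons:
            alerts.append((src, reasons))
            if mode == "ips":
                continue  # IPS drops the flow; IDS only records the alert
        forwarded.append((src, port))
    return alerts, forwarded


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(FLOWS, mode)
        print(mode, "alerts:", alerts, "forwarded:", len(forwarded), "of", len(FLOWS))
```

In IDS mode the backup upload only adds an alert to the queue; in IPS mode the same false positive drops a legitimate flow, which is exactly the service-disruption trade-off the sections above describe.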
Do you still need IDS and IPS?
IDS and IPS are strategic network monitoring tools that should be part of your overall network security technology stack. However, relying solely on them will not provide the robust security you need to protect cloud-based assets.
To manage network and application security, you should have at least the following tools:
- Firewalls: managing the allowed inbound and outbound network communications
- Web Application Firewalls (WAF): filtering, monitoring, and blocking traffic between applications and the public internet
- Encryption: making data-at-rest and data-in-transit unusable if intercepted by malicious actors
- Virtual Private Network (VPN): providing access controls and encryption to secure remote workers
- API Security: identifying and monitoring application programming interfaces (APIs) that allow applications to communicate and share data
Graylog Security: Risk-based Event Triage for Reducing Alert Fatigue
The biggest problem security teams face when using IDS and IPS tools is the impact that false positives have on their ability to prioritize investigations. Graylog Security prioritizes risk from an asset perspective. Instead of worrying that every IDS alert means you need to investigate the incident, Graylog Security considers all alerts related to an asset to help you manage the nuances related to risk. With context, you can investigate the most important alerts and respond to incidents faster.
To see how Graylog Security can improve your threat detection and incident response capabilities, contact us for a demo today.