7 Ways to Get the Most from Your IDS/IPS
Intrusion detection and prevention is at the foundation of successful security in-depth. Securing the perimeter requires a solid understanding of these two critical components.
April 23, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt5926bcb2ffca308d/64f0d4ab4ff3b0c810426fe4/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
"Security in-depth" is one of the few cybersecurity phrases that has kept its relevance since its introduction. The idea is simple — a threat that evades one defender will be caught by another — but the implementation can be complicated. Two of the related pieces of that implementation are the intrusion detection system (IDS) and the intrusion prevention system (IPS). Getting the most from them will help keep a network as secure as possible.
What makes an IDS/IPS different from a firewall? And what separates an IDS from an IPS? These are common questions that have straightforward answers — in theory. The practice is a bit messier.
A firewall's actions tend to be defined by the wrappers around packets. Firewalls tend to look at source and destination addresses, protocols, and how those "carrier" components fit together and into the rules established by the administrator. The IDS and IPS focus their attention on the contents of the packet, looking for known attacks and misbehaviors, and stopping or repairing the packets based on those signature matches.
As for the difference between an IDS and an IPS, the functional difference is in the name: An IDS is a monitoring device or service, while an IPS actively permits or denies packet passage. A side effect of this difference is that an IDS monitors a copy of network traffic via SPAN ports or taps, while an IPS is in-line with the network and, therefore, another potential point of failure for network traffic.
The "bit messier" part of all this comes courtesy of next-generation firewalls (NGFs), unified threat managers (UTMs), and other network protection devices that combine functions and blur lines between different security functions. Regardless of how they are delivered, though, the functions of an IDS/IPS should be part of any network security architecture.
So how do you get the most from your IDS or IPS? The practices listed here are the result of conversations with cybersecurity professionals, conference sessions at industry gatherings, personal experience, and Internet searches. While some practices apply to only one or the other, many apply to both.
(Image: nali VIA Adobe Stock)
Faith is a remarkable thing, but it has limited application when it comes to an IPS. Testing an IPS to make sure it's properly picking up malicious content and properly responding to the flagged packets is critical for setting the confidence level an organization has in its security. There are multiple ways to test an IPS, but each organization should choose at least one for tests performed on a regular basis; just as attackers are constantly evolving their tools, defenders must evolve, as well.
Organizations that want to conduct their own tests can start with the antimalware test file from the European Institute for Computer Anti-Virus Research (EICAR). The test file provides a set of known signatures that a malicious-file prevention (or detection) system should identify. This won't end your testing to-do list, but it can be a solid start that sets the stage for further examination.
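The header-versus-content distinction described above, and the IDS (alert on a copy) versus IPS (in-line drop) distinction, are easy to see in a few dozen lines of code. The following is an added example written for this page, not code from the article or from any IDS product. It uses constructed packets and a constructed rule set; the only non-invented value is the public EICAR test string (68 bytes, inert by design), which gives the content rule something well-known to match, exactly as the paragraph above suggests for a first detection test. Names such as `HeaderRule`, `ContentRule`, `inspect` and `run_pipeline` are this example's own. Real engines such as Snort or Suricata add stream reassembly, protocol normalization and far richer rule syntax; this example only shows the decision structure.

```python
"""Header-only (firewall) vs. content (IDS/IPS) inspection, in miniature.

Added example, not the article's code. Packets and rules below are
constructed for the demo; only the EICAR string is a real, public value.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The public EICAR anti-malware test string (68 bytes). It is kept in memory
# only; writing it to disk is how you test an endpoint scanner, not needed here.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class HeaderRule:
    """Firewall-style rule: decided purely on the 'wrapper' around the payload."""
    proto: str
    dport: int
    action: str     # "allow" or "deny"


@dataclass
class ContentRule:
    """IDS/IPS-style rule: decided on bytes inside the payload."""
    name: str
    content: bytes
    action: str     # "alert" (log only) or "drop" (IPS may also block)


def firewall(pkt: Packet, rules: List[HeaderRule], default: str = "deny") -> str:
    """First matching header rule wins; the payload is never examined."""
    for r in rules:
        if r.proto == pkt.proto and r.dport == pkt.dport:
            return r.action
    return default


def inspect(pkt: Packet, rules: List[ContentRule], mode: str) -> Tuple[bool, List[str]]:
    """Return (forwarded, alert_names).

    mode="ids": sees a SPAN/tap copy, so it can only alert, never block.
    mode="ips": sits in-line, so a matching 'drop' rule stops the packet.
    """
    matched = [r for r in rules if r.content in pkt.payload]
    alerts = [r.name for r in matched]
    if mode == "ids":
        return True, alerts
    dropped = any(r.action == "drop" for r in matched)
    return not dropped, alerts


def run_pipeline(packets: List[Packet], header_rules: List[HeaderRule],
                 content_rules: List[ContentRule], mode: str) -> Dict:
    """Firewall first, then the content engine, mirroring a typical perimeter."""
    summary = {"fw_denied": 0, "forwarded": 0, "dropped": 0, "alerts": []}
    for pkt in packets:
        if firewall(pkt, header_rules) == "deny":
            summary["fw_denied"] += 1   # blocked on headers alone
            continue
        forwarded, alerts = inspect(pkt, content_rules, mode)
        summary["alerts"].extend(alerts)
        summary["forwarded" if forwarded else "dropped"] += 1
    return summary


# Constructed rule set for the demo.
HEADER_RULES = [HeaderRule("tcp", 80, "allow"), HeaderRule("tcp", 443, "allow")]
CONTENT_RULES = [
    ContentRule("EICAR test file", EICAR, "drop"),
    ContentRule("cleartext password in query", b"password=", "alert"),
]

# Constructed sample traffic: benign request, EICAR upload, credential in URL,
# and a telnet attempt that the firewall denies before any content check.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"POST /upload HTTP/1.1\r\n\r\n" + EICAR),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /login?user=a&password=b HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 23, b"telnet login attempt"),
]


def demo(mode: str) -> Dict:
    """Run the constructed traffic through the pipeline in 'ids' or 'ips' mode."""
    return run_pipeline(SAMPLE_PACKETS, HEADER_RULES, CONTENT_RULES, mode)


if __name__ == "__main__":
    for m in ("ids", "ips"):
        print(m, demo(m))
```

Running it in both modes makes the page's point concrete: the same EICAR rule produces an alert in IDS mode but leaves the packet flowing, and drops it in IPS mode; the telnet packet never reaches the content engine because the firewall decided on headers alone. Swapping in your own signatures and captured payloads is the regular, scheduled test the article calls for.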
Red-teaming is the ne plus ultra of IPS and IDS testing. Can your IPS force a red team to adopt social engineering as its only way into the organization? Can your IDS detect the team's activity if it succeeds at spear-phishing? Positive answers to those questions are the pen-testing result you're looking for.
Few security (or network) components fall further outside the "plug-and-play" category than an IDS/IPS. Vendors will supply signature files and, for open source options, signature and configuration files are available from the communities. But in both cases, the files from others are starting points, not fully formed configuration solutions ready to be put into the field.
When you are planning to deploy an IDS/IPS, be sure that a process to set and revise security policies is part of the plan. This can be part of an overall security policy review or a separate review process, but it should be regularly scheduled and rigorously followed so that the IDS/IPS doesn't become the source of a vulnerability born of false confidence.