informa
/
/
Announcements
Event
Cyber Threats, Cyber Vulnerabilities: Assessing Your Attack Surface | Dark Reading Virtual Event | <REGISTER NOW>
PreviousNext
Vulnerabilities/Threats
Slideshow

7 Ways to Get the Most from Your IDS/IPS

Intrusion detection and prevention is at the foundation of successful security in-depth. Securing the perimeter requires a solid understanding of these two critical components.
Curtis Franklin
Security Editor
April 23, 2019
IDS, IPS, or Both?
Plan for Failure
Test the IPS
Count Your Ports
Tune for Best Traffic
Build a Solid Update Program
Sync to Good Policies
1/7

"Security in-depth" is one of the few cybersecurity phrases that has kept its relevance since its introduction. The idea is simple — a threat that evades one defender will be caught by another — but the implementation can be complicated. Two of the related pieces of that implementation are the intrusion detection system (IDS) and the intrusion prevention system (IPS). Getting the most from them will help keep a network as secure as possible.

What makes an IDS/IPS different from a firewall? And what separates an IDS from an IPS? These are common questions that have straightforward answers — in theory. The practice is a bit messier.

A firewall's actions tend to be defined by the wrappers around packets. Firewalls tend to look at source and destination addresses, protocols, and how those "carrier" components fit together and into the rules established by the administrator. The IDS and IPS focus their attention on the contents of the packet, looking for known attacks and misbehaviors, and stopping or repairing the packets based on those signature matches.

As for the difference between an IDS and an IPS, the functional difference is in the name: An IDS is a monitoring device or service, while an IPS actively permits or denies packet passage. A side effect of this difference is that an IDS monitors network traffic via span ports or taps, while an IPS is in-line with the network and, therefore, another potential point of failure for network traffic.

The "bit messier" part of all this comes courtesy of next-generation firewalls (NGFs), unified threat managers (UTMs), and other network protection devices that combine functions and blur lines between different security functions. Regardless of how they are delivered, though, the functions of an IDS/IPS should be part of any network security architecture.

So how do you get the most from your IDS or IPS? The practices listed here are the result of conversations with cybersecurity professionals, conference sessions at industry gatherings, personal experience, and Internet searches. While some practices apply to only one or the other, many apply to both.  

(Image: nali VIA Adobe Stock)

 
Next slide
Recommended Reading:
Editors' Choice
10 Recent Examples of How Insider Threats Can Cause Big Breaches and Damage
Ericka Chickowski, Contributing Writer
Windows 11 Available: What Security Pros Should Know
Kelly Sheridan, Senior Editor
Top 5 Skills Modern SOC Teams Need to Succeed
Jack Naglieri, CEO and Founder, Panther Labs
The New Security Basics: 10 Most Common Defensive Actions
Robert Lemos, Contributing Writer