Intrusion detection and prevention systems: IDS IPS overview
Intrusion detection systems and intrusion prevention systems go hand in hand, so much so that their respective acronyms are often mashed together (i.e. IDS IPS, IDPS, etc.).
Whereas intrusion detection systems monitor a network for active or imminent security policy violations, intrusion prevention goes a step further to stop such violations from occurring. So you cannot have IPS without IDS.
Several varieties of intrusion detection systems are available. We review four of the most common below:
- Network-based intrusion detection system (NIPS, IDS IPS)
- Network behavior analysis (NBA)
- Wireless intrusion prevention system (WIPS)
- Host-based intrusion prevention system (HIPS)
Network-based intrusion prevention systems (NIPS, IDS IPS)
NIPS detect and prevent malicious activity by analyzing protocol packets throughout the entire network. They are often referred to as IDS IPS or intrusion detection and prevention systems.
Once installed, NIPS gather information from a host console and network to identify permitted hosts, applications, and operating systems commonly used throughout the network. They also log information on characteristics of normal network traffic to identify any suspicious changes to a network.
NIPS can prevent attacks in a variety of ways, such as ending a TCP connection to prevent an attack, limiting bandwidth usage, or even rejecting suspicious network activity. Today’s NIPS are even capable of commanding firewalls and routers to block suspicious activity. NIPS do not typically analyze encrypted network traffic, handle high traffic loads, or handle direct attacks against IDS IPS.
NIPS primarily use signature-based detection to identify threats. Signature-based detection looks for patterns or signatures of previously recognized threats in order to identify potential new threats.
AccessEnforcer, the UTM firewall from Calyptix, incudes IDS IPS as part of standard service for all models.
Network behavior analysis (NBA)
NBA sensors and programs examine network traffic to identify security threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware and policy violations. NBA detection primarily involves the following two methods:
- Anomaly-based detection looks for deviations from what is known as “normal” behavior in system or network activity. Upon initiation, anomaly-based detection requires a training period in which a profile for what is considered normal behavior is constructed over a period of time. Inconsistencies with that profile are flagged as malicious.
Anomaly based detection is outstanding for identifying new threats, but issues can arise if the network is compromised during the training period, as malicious behavior might be logged as normal while a profile is being generated. Additionally, anomaly-based detection also produces many false positives due to benign activity that wasn’t recognized during the initial training period.
- Stateful protocol analysis detection is similar to anomaly-based detection in that it looks for deviations from normal network or system behavior. The baseline of normal behavior is outlined in universal vendor-created profiles. Stateful protocol analysis is designed to differentiate between benign and suspicious activity in authenticated and unauthenticated states.
With NBA, thresholds for suspicious activity are automatically updated on an ongoing basis, and can also be set manually. An NBA system should be used as an extension of NIPS or IDS IPS in order to provide layered protection.
AccessEnforcer, the network firewall from Calyptix, includes network-based stateful protocol analysis as part of the standard service given to all customers.
Wireless intrusion prevention systems (WIPS)
WIPS analyze the radio spectrum throughout a wireless network to detect and report intrusion, network policy violations, and unauthorized use. WIPS can be implemented in three primary ways:
- Overlay monitoring. Wireless sensors are placed throughout the physical realm of the network (i.e. hallways, closets, ceilings) to provide connectivity to the network and network monitoring.
- Integrated monitoring. Existing access point consoles are used to provide security and connectivity instead of wireless sensors.
- Hybrid monitoring. Both sensors and AP consoles are used for monitoring and connectivity.
WIPS can collect information on devices connected to the network, and are very effective at detecting and preventing a variety of malicious events, including rogue access points, DoS attacks, unauthorized access, ad hoc networks, spoofing, and man-in-the-middle attacks. They can even terminate connectivity when a threat is detected.
However, overlay and integrated monitoring each have unique limitations, which is why most organizations today use hybrid WIPS for comprehensive monitoring.
For example, an integrated monitoring console can be a single point-of-failure, and can’t scan extended channels like overlay monitors. While overlay monitors are specially designed with such a “channel hopping” capability, they’re not ideal for monitoring a single channel at all times.
Host-based intrusion prevention system (HIPS)
Host-based intrusion prevention systems, or HIPS, analyze activity within a single host to detect and prevent malicious activity. HIPS primarily analyze code behavior, using both signature and anomaly-based detection methods to detect suspicious activity. They are often lauded for preventing attacks that leverage encryption.
HIPS can also prevent access to sensitive information located on the host, thus preventing any potential damage caused by rootkits or Trojan horses. Lastly, HIPS can prevent the host machine from processing malicious activity on a network. Since HIPS provides security only to a single host machine or server, it’s best used alongside IDS IPS and WIPS to provide complete threat management throughout a network.
Any UTM firewall should include IPS IDS with standard service, combining it with email filtering, web filtering, VPN, and additional features to keep your network secure and efficient. AccessEnforcer from Calyptix gives you these features and more with nothing extra to buy.