“Defense in depth” is one of the few cybersecurity expressions that has stayed relevant since it was introduced. The idea is simple: a threat that slips past one control is caught by another. Implementing it is the complicated part. Two of the controls most often layered this way are the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS), and getting the most out of them helps keep a network as secure as possible.
What makes an IDS or IPS different from a firewall? And what separates an IDS from an IPS? These are common questions with simple answers, in theory. In practice it is a bit more complicated.
A firewall's decisions are driven by the envelope around the packet: source and destination addresses, ports, protocols, connection state, and how those header fields match the rules the administrator has set. An IDS or IPS looks inside the packet, inspecting payloads (and, in most products, reassembled streams) for signatures of known attacks and for anomalous behavior. On a match, an IDS raises an alert; an IPS can additionally drop the packet or reset the connection. Neither “repairs” a packet; the choice is to pass it, log it, or block it.
As for the difference between an IDS and an IPS, the functional difference is in the name: an IDS is a monitoring device or service that detects and alerts, while an IPS sits in the traffic path and actively allows or blocks packets. A consequence is that an IDS watches a copy of the traffic from a SPAN (mirror) port or network tap and cannot block anything on its own, while an IPS is inline and is therefore another potential point of failure and a source of latency. Whether an inline IPS fails open (passing traffic uninspected) or fails closed (dropping it) when it loses power or becomes overloaded is a deployment decision that should be made deliberately, not discovered during an outage.
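To make the two distinctions concrete, here is an added example that is not part of the original article: a small Python simulation in which a firewall decides on header fields only, an IDS inspects payloads and can only alert, and an IPS inspects the same payloads and also drops. The packets, the firewall policy, and the two signatures are constructed for the example; the signature format is loosely modelled on Snort/Suricata content matches but is not real vendor rule syntax.

```python
"""Header-only firewall filtering versus payload-based IDS/IPS inspection,
and passive IDS (alert only) versus inline IPS (alert and drop).

Added illustration, not code from the article. Every packet, rule and
signature below is constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Firewall rules see only the "envelope": addresses, protocol, port.
# Constructed policy: allow inbound TCP/80 and TCP/443 to the web server,
# deny everything else.
FIREWALL_RULES = [
    ("allow", {"dst": "10.0.0.10", "proto": "tcp", "dport": 80}),
    ("allow", {"dst": "10.0.0.10", "proto": "tcp", "dport": 443}),
]
DEFAULT_ACTION = "deny"


def firewall_verdict(pkt: Packet) -> str:
    """Return 'allow' or 'deny' from header fields alone; payload is never read."""
    for action, match in FIREWALL_RULES:
        if all(getattr(pkt, field) == value for field, value in match.items()):
            return action
    return DEFAULT_ACTION


# IDS/IPS signatures look inside the payload (constructed, not real rules).
SIGNATURES = [
    {"sid": 1000001, "msg": "HTTP path traversal attempt", "content": b"../../"},
    {"sid": 1000002, "msg": "SQL injection tautology", "content": b"' OR 1=1"},
]


def signature_matches(pkt: Packet) -> list:
    """Return every signature whose content string appears in the payload."""
    return [sig for sig in SIGNATURES if sig["content"] in pkt.payload]


def ids_inspect(pkt: Packet) -> dict:
    """Passive IDS fed from a SPAN port or tap: it can raise alerts, but the
    packet it is looking at has already been forwarded by the network."""
    alerts = [sig["msg"] for sig in signature_matches(pkt)]
    return {"forwarded": True, "alerts": alerts}


def ips_inspect(pkt: Packet) -> dict:
    """Inline IPS: raises the same alerts and drops the packet on any match."""
    alerts = [sig["msg"] for sig in signature_matches(pkt)]
    return {"forwarded": not alerts, "alerts": alerts}


def process(pkt: Packet, inline: bool) -> dict:
    """Firewall first; what survives goes to the IDS (passive) or IPS (inline)."""
    if firewall_verdict(pkt) == "deny":
        return {"firewall": "deny", "forwarded": False, "alerts": []}
    result = ips_inspect(pkt) if inline else ids_inspect(pkt)
    result["firewall"] = "allow"
    return result


# Constructed sample traffic.
BENIGN = Packet("198.51.100.7", "10.0.0.10", "tcp", 80,
                b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")
TRAVERSAL = Packet("198.51.100.7", "10.0.0.10", "tcp", 80,
                   b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n")
SSH_PROBE = Packet("198.51.100.7", "10.0.0.10", "tcp", 22,
                   b"SSH-2.0-OpenSSH_9.6\r\n")

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("traversal", TRAVERSAL), ("ssh", SSH_PROBE)):
        print(f"{name:10} firewall={firewall_verdict(pkt):5} "
              f"IDS={process(pkt, inline=False)} IPS={process(pkt, inline=True)}")
```

The benign request and the traversal attempt share the same addresses, protocol and port, so the firewall allows both; only payload inspection tells them apart. The SSH probe never reaches the IDS/IPS at all, which is the layering the article is describing. The difference between the two inspection modes is a single field: the IDS reports the traversal but `forwarded` stays true, while the inline IPS reports it and blocks it.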
The “slightly more complicated” part comes from Next-Generation Firewalls (NGFW), Unified Threat Management (UTM) appliances and other network protection devices that combine these functions and blur the lines between them. However they are delivered, the functions of an IDS/IPS must be part of any network security architecture.
So how do you get the most out of your IDS or IPS? The practices listed here are the result of conversations with cybersecurity professionals, conference sessions at industry gatherings, personal experiences, and internet research. While some practices only apply to one or the other, many apply to both.