IDS and IPS
IDS or intrusion detection system[1] is a passive security solution which in essence just warns us if a suspicious activity has taken place and not actually prevent them. It monitors all inbound and outbound network traffic and identify any suspicious activity or patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. After detecting the anomaly the IDS responds in the following ways:
- it can display an alert
- log the event
-
page the administrator IPS or intrusion prevention system[1] is the next level of security technology with the capability to provide security at all system levels from the OS kernel to data packets. It is a more active security solution as it not only detects the attacks and reports them, like the IDS, but also attempts to stop them. It not only prevents known intrusion signatures but also the unknown attacks due to its database of generic attack behaviours. Currently there are two types of IPSs that are similar in nature to IDS:
- host based intrusion prevention systems
-
network based intrusion prevention systems To improve on their current IDSs, vendors like CISCO, Alert Logic, Check point Software technologies and DeepNines [2] have modified their previous IDS product so that they provide additional functions for the user. They have tried to covert their IDSs to IPSs. An example is the CISCO Next- Generation Intrusion Prevention System (NGIPS) [3] . CISCO has added various features to their previous IDS to turn them into NGIPS, a few of these modifications include: [4]
- Network awareness: provides a knowledge of the devices that exists on the network (OS, device types, etc.)
- Application Awareness: provides the ability to pick out and highlight application that are being run on the network and the users running that are running them
- Identity awareness: provides the ability to establish and monitor the baseline behaviour of the network devices
- Real time automated response: ability to respond to events as they occur and react with the appropriate response based on policy
- Automatic IPS tuning ability for a platform to dynamically tune itself based on the information gathered. In summary an IDS simply detects a suspicious activity on a network and reports them whereas an IPS also takes measures to prevent such suspicious behaviour. We have also discussed one of many vendors (CISCO) who have improved on their current IDSs to convert them into IPSs. Many mentioned vendors have added similar functions as the NGIPS in their current IDS products to turn them into IPSs.
References
[1] retrieved from http://www.webopedia.com/DidYouKnow/Computer_Science/intrusion_detection_prevention.asp
[2] retrieved from http://jafsec.com/Intrusion-Prevention/Intrusion-Prevention-Detection-A-B.html
[3] retrieved from http://www.cisco.com/c/en/us/products/security/ngips/index.html#~tab-learnmore
[4] retrieved from http://www.tomsitpro.com/articles/intrusion-detection-intrusion-prevention-systems-ids-ips,2-959.html