IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) go hand in hand when it comes to network integrity of organizations.
The main thing that differentiates IDS from IPS is that IDS is for monitoring networks while IPS is all about control systems. IDS will detect suspicious activities on a network and send alerts, whereas IPS will prevent the packet from reaching the targeted network or system in real-time.
Although IPS is getting more powerful due to its dominant security aspects, it is still important that you’re familiar with IDS as well.
Now that we’ve some idea about IDS and IPS, let’s go into the details of characteristics of IDS and IPS:
What is Network Intrusion?
Before we get into the details of IDS and IPS, let us first learn what exactly a Network Intrusion is.
A Network Intrusion is any type of malicious, unauthenticated activity detected across a network.
Monitoring network activity provides a better understanding of common security threats and risks. IDS and IPS are systems aiming to detect and block intruders trying to install malware, steal confidential data or cause data breaches in a network.
Computer, APs and networks are prone to attacks and intrusions from anywhere across the world.
Most common network threats included (but are not limited to):
- Outdated Network Infrastructure:
Software and hardware that are unpatched and outdated are likely to be exploited by cyberattacks or ZeroDay Exploits that are in the wild.
Installing malware on a computer through disguised files or programs is a common practice by intruders. These can be in the form of malware such as Trojan horses, adware, worms, viruses, adware, spyware and ransomware.
- Data Storage devices:
Portable data storage devices such as external HDDs, USB, etc. are likely to port malware into your network by simply inserting into a computer, they will auto load onto a pc and disperse across a network
What is an Intrusion Detection System (IDS)?
An IDS does the job of monitoring your network to look for potential cyberattacks, including violation of security protocols and malicious activities. When detected, your IDS will send alerts to the system admin or centrally collect it using SIEM (Security Information and Event Management) system.
Types of Intrusion Detection Systems:
Following are the types of Intrusion Detection Systems and different detection methods used:
- NIDS (Network Intrusion Detection System):
As the name suggests, NIDS is a security system employed at strategic points across a network to monitor incoming and outgoing packets. The main objective of NIDS is to detect security threats in the contents of a packet if any. Such systems are optimal for enterprises, as it is more encompassing. It analyzes incoming traffic within an entire subnet and compares it with the database of known attacks.
- HIDS (Host Intrusion Detection System):
An HIDS is set up to monitor a single host or a device. It looks out for client activities on a PC as well as the inbound and outbound traffic. It will send alerts to the system admin if it detects unusual activity, such as a game trying to access personal files and so on.
An enterprise can employ both NIDS and HIDS for broader coverage of workstations and to spot sneaky malicious programs.
Types of IDS Techniques
Below given are two main types of IDS techniques used to detect potential threats on your network.
- Signature-Based IDS:
Signature-based IDS is a traditional mechanism that works based on a pre-programmed list of familiar malicious sequences known as “signatures”. If any such signature is detected, it triggers the alert. Such a system is similar to anti-virus software, where IDS will monitor suspicious byte sequences in network traffic, file attachments or subject lines in emails, and so on. Signature-based IDS is only effective as far as the list of known signatures is concerned. Thus, it might not be able to detect new attacks or uncommon signatures. Not to forget, the signature-based IDS also needs to scan through a huge database of known signatures, which might eat up your system bandwidth.
- Anomaly-Based IDS:
Anomaly-based IDS is based upon a model of normal or anomalous behavior across a network. Any activity that contradicts the model of normal behavior will be instantly alerted to the admin. AI and machine learning technologies play a vital role in Anomaly-based systems, as the IDS goes through a learning phase of what normal behavior is on a network. These models are trained based on particular hardware and application infrastructure. Such systems are capable of detecting new or disguised attacks.
- Reputation-based Detection:
The system recognizes potential cyber threats based on reputation scores.
What is an Intrusion Prevention System (IPS)?
IPS goes one step further of IDS and prevents the detected or future malicious attack. It does so by rejecting malicious data packets, triggering firewalls, and even dismissing a connection. Intrusion Prevention Systems are network integrity applications that log information, identifies a potentially malicious activity, reports attack attempts, and prevents them altogether.
To prevent attacks, an IPS may reconfigure a firewall or switch an attack’s package content to transform the security environment.
Just like IDS, Intrusion Prevention Systems can also be host-based or network-based.
Types of Intrusion Prevention Systems:
A well-integrated network security must have an IPS that automatically take necessary security actions when attacks occur.
- Network-based IPS (NIPS):
From the name itself we can say that NIPS monitors all packets traveling across your network. It employs the signature-based technique to give security responses. With NIPS installed, it collects information from the network and host to check for acceptable OS, applications, and hosts on the network. It can also identify changes in the model as it logs information about normal traffic. To prevent an attack, NIPS will send a TCP connection, reject a package, or restrict bandwidth usage. However, such systems are not able to detect encrypted traffic and handle increased traffic loads.
- Network Behavior Analysis (NBA):
Unlike NIBS, NBA is anomaly-based and it detects deviations by learning the network’s “normal behavior”. It covers the entire network and operates similar to NIBS. In addition to anomalies, it also uses “Stateful Protocol Analysis” where there’s no learning phase, as the normal form is already pre-programmed by the vendor.
- Wireless-based Intrusion Prevention Systems (WIPS):
WIPS is a popular solution for complex network monitoring challenges. WIPS are generally employed as an overlay to your current Wireless LAN configuration. ‘Overlay monitoring’ is to inspect devices operating near APs to detect radio spectrum, but they can also be implemented as stand-alone systems. Moreover, a few advanced wireless infrastructure features ‘Integrated Monitoring’ capabilities using APs (Access Points). Both these techniques are together termed as hybrid monitoring. In conclusion, a good WIPS can ward off misconfigured APs, honeypot, DDOS, MAC spoofing, and man-in-the-middle attacks as well.
- Host-based IPS:
HIPS monitors and operates on a single host, hence providing constrained coverage. It detects malicious activity by scrutinizing code behavior. It is able to prevent encrypted attacks and safeguard information from getting stolen from the host such as PII (Personally Identifiable Information) or PHI (Protected Health Information).
Types of IPS techniques: How does IPS work?
IPS runs and operates in a network by monitoring flowing traffic through the following techniques:
- Signature-based detection:
Signature-based IPS scans packets within a network and match them with the predetermined malicious patterns known as ‘signatures’.
- Statistical anomaly-based detection:
Anomaly-based IPS detection is all about monitoring traffic and comparing it with a model of a network’s normal behavior.
- Stateful protocol analysis detection:
This technique compares detected events with pre-determined profiles of acceptable benign activities. With this, it identifies whether there are any deviations in protocol states.
Using these techniques, IPS scrutinizes every incoming and outgoing packet in real-time across the network. If it detects any abnormal activity, it will perform either of the below-given steps:
- Dismiss the TCP session that was attacked
- Reconfigure the firewall to prevent similar attacks in the future
- Destroy infected files or repackage the payload in order to replace or remove the malicious content left behind after an attack.
- Block intruding IP addresses from accessing any network resource or host.
With dominant IPS in the network, one can prevent a wide range of potential attacks including brute force attacks, DDOS (Distributed Denial of service), computer virus, worms, exploit, and so on.
Difference between IDS and IPS:
The main difference between both systems is that IDS is a monitoring system while IPS is more like a comprehensive control system.
- Both the systems analyze packet contents for comparison with baseline, but IDS does not change the network packets.
- IDS can identify intrusions but requires human or system intervention to look at the final results and take further actions.
- Since IDS is not inline, network traffic is not bound to go through it. But with IPS, it has to flow through it.
- False positives for IPS might cause loss of important functions or information. But false positives for IDS will only trigger alerts and nothing more.
Why do you need IDS and IPS?
IT security teams face myriads of security challenges including data leaks, data breaches and even hefty compliance fines. With a powerful IDS and IPS in place, organizations can empower their security integrity.
A well-configured IDS and IPS are automated and will enhance your network security without having to hire an additional workforce.
Security standards must be met in order to show that you’ve invested in proper technologies to prevent the company’s and customers’ sensitive information. Employing IDS and IPS will help you comply with industry standards and address various CIS security controls.
- Policy enforcement:
IDS and IPS can be configured to meet with your internal information security policies across a network.