IDS vs. IPS: Two Separate Yet Essential Security Measures for Modern Business

Senior Manager, Product Marketing

What is the best threat management system for a business network? It’s a difficult question to answer, because the truth is that threat management isn’t about finding a single solution to every problem; it’s about layering multiple solutions in a way that offers the best protection against a variety of threats.

When it comes to protecting business networks, a single line of security simply is not enough. Layered security takes advantage of multiple security tools, each designed to defend against a specific kind of attack. Layered security works similarly to having multiple walls or fences surrounding a building, rather than relying on a single gate to deter intrusion. If an attack breaches the perimeter defense, then there are still secondary, tertiary and other defenses in place.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are two such defenses. The two solutions rely on similar technologies, but each fills a different function, occupies a different place in the network and defends against different kinds of attacks. To better understand this relationship, let’s review the specifics of IDS and IPS systems.

What Is IPS?

In keeping with the metaphor of the network as a building, an IPS is something like a security guard. It’s an active, in-network presence designed to prevent incoming attacks and stop attacks in progress. The security guard doesn’t do much to keep intruders out, but in the event that they find their way inside, the security guard has the power to stop them from doing further damage.

The IPS sits behind the firewall, directly in the communication path of any data attempting access, also known as “in-line.” As an inline intrusion detection tool, an effective IPS solution checks all incoming traffic against known security threats. It does this through a variety of mechanisms, but the two most widely used methods are statistical anomaly-based detection and signature-based detection.

Statistical anomaly-based detection allows prevention systems to take a sample of current network traffic, and then compare it against a predetermined “normal” traffic baseline. To do this, the IPS must be able to establish a behavior profile for the network from which to develop a set of standard operating parameters. When incoming traffic deviates from these parameters, the system takes this as evidence of a possible attack and responds accordingly.

Alternatively, signature-based detection relies on being able to identify malicious traffic by its unique code. To do this, IPS tools keep and maintain an ever-growing database of code exploits. As known exploits breach the outer defenses, the IPS recognizes them from its database and moves to eliminate them. When the IPS encounters new exploits, it records them for future identification.

Unfortunately, both of these methodologies face the danger of false positives. Signature-based detection that incorporates vulnerability-facing signatures allows for better protection even against unknown exploits, but at an increased risk of misidentifying benign traffic as malicious. Likewise, anomaly-based detection only looks for variations in traffic, leaving little room for legitimate variations. In either case, the end result is a loss of potentially beneficial traffic.
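The two detection methods and the false positives described above, as an added example that is not part of the original article: a minimal inline inspector in Python that drops traffic when either detector fires. The baseline values, threshold, signatures and sample requests are all constructed for illustration; the last two sample events are legitimate traffic that still gets dropped.

```python
import re
import statistics

# Constructed baseline: requests per minute seen during normal operation.
BASELINE_RPM = [98, 102, 97, 105, 100, 99, 103, 101, 96, 104]

# Constructed signatures: one exploit-specific, one broad vulnerability-facing.
SIGNATURES = {
    "exploit: traversal to /etc/passwd": re.compile(rb"(\.\./){2,}etc/passwd"),
    "vuln-facing: SQL keywords in request": re.compile(rb"(?i)\bunion\b.+\bselect\b"),
}

# Constructed requests: (label, requests per minute, raw request line).
EVENTS = [
    ("normal browsing", 101, b"GET /index.html"),
    ("known exploit", 100, b"GET /download?file=../../../etc/passwd"),
    ("benign search", 101, b"GET /search?q=student+union+select+committee"),
    ("product-launch spike", 180, b"GET /index.html"),
]

def build_profile(samples):
    """Behavior profile of the network: mean and standard deviation."""
    return statistics.mean(samples), statistics.stdev(samples)

def is_anomalous(rpm, profile, threshold=3.0):
    """True when the rate deviates more than `threshold` sigmas from baseline."""
    mean, stdev = profile
    return abs(rpm - mean) / stdev > threshold

def match_signatures(payload):
    """Names of all signatures found in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def inspect(rpm, payload, profile):
    """Inline verdict: drop if either detector fires, otherwise forward."""
    reasons = match_signatures(payload)
    if is_anomalous(rpm, profile):
        reasons.append("anomaly: request rate outside baseline")
    return ("drop" if reasons else "forward"), reasons

def run_demo():
    """Verdict per constructed event; the last two are false positives."""
    profile = build_profile(BASELINE_RPM)
    return {label: inspect(rpm, data, profile) for label, rpm, data in EVENTS}

if __name__ == "__main__":
    for label, (verdict, reasons) in run_demo().items():
        print(f"{label:22} {verdict:8} {reasons}")
```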

Of course, the IPS is just one layer, and preventing threats is just one part of the equation. Detecting threats is the responsibility of IDS tools.

What Is IDS?

If IPS is the security guard that takes action against incoming threats, an intrusion detection system (IDS) could be thought of as a building’s security system. The IDS is a passive security measure. A security alarm can alert security personnel to a threat, but it cannot take direct action against the threat itself. Likewise, IDS is limited to identifying possible cyber attacks, rather than preventing them.

To detect these threats, the IDS does not need to have an in-network presence, meaning it does not sit in the path of incoming data. Instead, IDS tools reside outside the network in an out-of-band, independent data channel. As such, these systems don’t need real-time access to data; instead, they review copies of incoming data using an external monitoring device called a network test access point (tap).

Through the tap, the IDS can examine mirrored data packets from many different points within the network. Data copies are compared to a library of known threats. The goal is to correctly identify malicious traffic before it can proceed further into the network.

IDS gives security engineers the power to look deep into the network without impeding the flow of network traffic. Properly used, IDS tools can help guard against a variety of threats, including policy violations, information leaks, configuration errors and unauthorized clients, servers and applications. This is all in addition to protecting against traditional viruses and Trojan-horse attacks.

However, there are some drawbacks to IDS systems. As the IDS uses data copies, never actually coming into contact with the original network data, it is incapable of taking direct action against threats. Instead, as the IDS identifies malicious traffic, it logs the incident and sends an alert to the network administrator. It then becomes the administrator’s responsibility to take action against the threat.

If attackers are fast enough, or if administrators don’t have the requisite experience handling the threat in question, the IDS can do very little to actually prevent damage to the network.

IDS vs. IPS?

With IDS and IPS explained as two different layers of network security — rather than as complete, end-all security solutions in and of themselves — it hardly makes sense to try to determine which is the better option. In reality, the most effective solutions are those that incorporate multiple layers into a single, comprehensive security resolution. This approach is known as unified threat management (UTM).

UTM is closely associated with IDS, but integrates multiple security features. UTMs expand upon the more traditional firewall approaches to network safety. By incorporating both intrusion prevention and intrusion detection, along with other security functions, into a single, unified appliance, UTM tools allow for improved security flexibility at reduced costs.  

Rather than having to purchase and maintain multiple boxes at different points throughout the network, organizations can deploy a UTM solution to handle their entire network security. Effective UTM devices operate inline, and are capable of filtering, analyzing and reporting, along with load balancing and intrusion prevention. UTM solutions are designed with simplicity in mind and sometimes are not complex enough to handle certain complicated threats. At the same time, if the device fails or requires any sort of extensive maintenance, then the link will need to be disconnected, resulting in potentially damaging network downtime.

Gigamon Optimizes Network Security

IDS, IPS and even UTM solutions all have their drawbacks, but with the right tools, those drawbacks can be overlooked. As modern threat management systems adapt to combat the dangers of malicious data in motion across networks, it’s becoming clear that current solutions are simply not enough. Gigamon can change all of that.

Gigamon works with existing threat management tools. Rather than taking those tools back to the drawing board, Gigamon optimizes their capabilities, shoring up weaknesses while offering improved visibility of all incoming network traffic. In short, Gigamon makes it possible to turn every layer of an effective threat management system into an exceptional one.

What is the best threat management system for a business network? Simple: one that incorporates IDS and IPS solutions, and that has been optimized for deep visibility and superior protection, courtesy of Gigamon.