Security Analysts are plagued with hackers potentially compromising their network and infrastructure. This is the main reason that IDS and IPS were created, to help assist with the hunt for intruders. Like the names say IDS is Intrusion Detection System, and IPS is Intrusion Prevention System, I will be going into more detail on what each is and how you can set one up. We have to define each one and give the benefits.
An Intrusion Detection System (IDS), that will monitor network and packet instances and notify an security engineer/analyst to help with an incident it finds suspicious. Its a great tool for security engineers/analysts who want to have the best visibility into their network as they can. This can provide better detection than standard Antiviruses (which only detect virus definitions), and even firewalls (which only focus on packets). These are extremely useful for detecting anomalies in your network. IDS still focus on packets, but will assist in notifying engineers of when, where, and how an incident is happening.
An Intrusion Prevention System (IPS), is monitoring and preventing intruders from accessing your system further. It can assist in stopping the bad guys from accessing your networked servers and devices. It does everything an IDS can do but it can actually stop people from further access.
With that said, you have to keep in mind that an IDS and IPS are difficult to build, maintain, and configure. Once configured you will have to continually update and monitor the system for health. The only other issues you may run into is false positives.
A False Positive is an alert on something that should not been alerted on. Did you know more squirrels set off home camera alarms than burglars do? That is what I’d consider a false positive. Another way to think about it, is that it is a false alarm. But how does this affect IDS and IPS?
Think about this, if you get an alarm on an IDS at 3am, you clumsily stumble to your computer and in your hazy wakefulness verify a false positive. You then tweak your configuration and (always send out an email update) then go back to bed. However if you get a false positive on an IPS, you could have users kicked out of the system or could have other catastrophic issues.
So while IPS and IDS sound great there is a lot to consider. They can help get your organization’s security network visibility and can take you from a mom and pop shop to an enterprise level security system.
-Dave (Cyberdad)
The Cyber Dudes 