Intrusion detection or intrusion prevention system (IDS / IPS) is a security solution that monitors a network or a network component such as a server or a switch and attempts to detect rule violations and harmful incidents such as hacker attacks, which are then partially averted automatically. We show how IDS and IPS differ and who the major vendors are.
Intrusion detection and prevention systems
When an intrusion detection and prevention system (IDPS) finds suspicious activity, it immediately reports it to the appropriate staff and also records it in its database. Typically, intrusion protection and intrusion detection systems also work in conjunction with security information and event management (SIEM) solutions, which we’ve already taken a closer look at.
The difference between intrusion protection and an intrusion detection system is that the intrusion detection system (IDS) is content to detect and report suspicious incidents, while the intrusion protection system (IPS) additionally attempts to take countermeasures to protect the network. This works, for example, with IPS integrated into UTM solutions – which we’ve covered in detail here – by changing firewall rules, which then prohibit suspicious network stations from accessing corporate resources.
There are a large number of different IDS/IPS solutions, from host IDS products that keep an eye on individual machines to hierarchical systems that can monitor large networks. In practice, a distinction is therefore made between “Host Based Intrusion Detection Systems” (HIPS) and “Network Intrusion Detection Systems” (NIPS). HIPS typically checks whether someone is trying to compromise important operating system files on a machine, while NIPS analyze network traffic. This paper focuses on NIPS products.
IDS/IPS products typically work with either signature, which help them detect “bad” patterns, such as malware, in data transmissions, or anomaly detection. In this “anomaly-based detection,” managers first create a model for “good” traffic as it occurs in daily network operations, and the IDS then detects when the pattern of data transfers deviates from this ideal model. Often, behavioral analysis, threat intelligence, and the like are also used to detect threats.
More about Network Intrusion Detection Systems (NIPS)
NIPS usually work as an appliance and run at points in the network where they can keep an eye on as many or as particularly important data transmissions as possible. If they detect an attack – either via their signatures or via changes in the pattern of the transmitted information – they send an alarm message to the responsible employees and – depending on the type of attack – take countermeasures.
Many vendors, such as Alert Logic, NSFOCUS, Vectra Networks, and McAfee, now offer their products as virtual appliances. McAfee even has a solution in its portfolio that specifically addresses VMware NSX installations. Often, IPS functionalities are also integrated into other security appliances; in addition to next-generation firewalls, these are usually the UTM products already mentioned.
However, there are definitely scenarios in which the use of stand-alone IPS appliances makes sense, for example as an additional line of defense after the firewall, in environments in which several different security products from different manufacturers are to be used in parallel, in networks in which IT security teams have different tasks, or behind load balancers. In some cases, IPS installations even make sense in intranets, which only keep an eye on internal traffic and look for suspicious data transfers there.
In recent years, cloud environments have been added to the aforementioned areas of application for NIPS solutions. In this area, in addition to McAfee’s solutions, Alert Logic’s products play a particularly important role and are also said to be very easy to use. Incidentally, the same applies to Trend Micro’s solutions, which also offer high throughput.
Types of NIPS
There are two different types of NIPS. On-line NIPS monitor the network in real-time and therefore need to be powerful enough to do so. Off-line NIPS analyze stored data and determine if any problems occurred during its transmission.
While signature-based NIPS work similarly to antivirus solutions and essentially only need to be kept up to date, the configuration of a NIPS that detects anomalies is somewhat more complex. Originally, these products were designed to detect yet unknown attack patterns, something a signature-based solution cannot do.
Typically, administrators install these NIPS on the network and let them observe network traffic for some time, so they can use machine learning functions (machine learning is used in Vectra Networks’ products, among others) to identify which data transmissions are normal, for example. As soon as enough information is available, the system is then “armed” and generates alarms or takes countermeasures in the event of unusual occurrences.
Solutions that recognize anomalies are superior to signature-based products in that they can also defend against previously unknown attacks. However, this capability comes at a price. For example, IT staff must update the network model used by their IPS every time a network change is made, i.e., when new applications are installed, new components are added, and sometimes even after updates have been applied, in order for it to function reliably.
In addition, such systems are prone to false positives, as they usually also become previously unknown legitimate data transmissions as an attack. Moreover, there is an additional risk that when the aforementioned products are newly deployed in a network that has already been infected, they may consider malicious actions as normal if they included them in their default model during their learning phase and no one noticed.
Different NIPS in practice
If a company wants to choose an IPS solution, it must clarify in advance exactly what resources are available and what requirements must be met. Cisco’s products, for example, are very powerful and can be used as both an analysis and an investigation tool. In addition, many certified maintenance technicians are available worldwide, so that the solutions can be quickly put back into operation in the event of failures. However, all of this comes at a price. On the other side of the scale are Hillstone Networks’ products, which offer good value for money.
FireEye’s products are particularly good at detecting known and unknown exploits. They are supported in their work by a large research team, which enables them to respond quickly to new threats.
Another very important feature is the ability to clearly visualize the collected data and provide a powerful search function that allows administrators to quickly and easily extract information from the threat intelligence database. When it comes to this feature, solutions from NSFOCUS, among others, do well.
Key market players
Gartner ranks Hillstone Networks and Venustech as “Niche Players” in the 2018 IDPS networking solutions market. “Challengers” are Alert Logic, FireEye, and NSFOCUS, while Vectra Networks is the only “Visionary.” Cisco, McAfee, and Trend Micro are considered “Leaders.”
Conclusion
Network intrusion protection systems provide IT, managers, with an additional layer of protection for their infrastructures. They ensure that attack attempts and unwanted data transmissions are quickly reported and, ideally, prevented. Which type of NIPS is ultimately used, however, depends on the size and architecture of the network concerned, as well as the requirements of the IT department and management in terms of the product’s functions.
