IDS / IPS (Intrusion Detection System / Intrusion Prevention System) are software or hardware systems that detect and prevent intrusions to provide network and computer security. An IDS is a passive detection system that analyzes all traffic in real time and reports possible threats when necessary. It does not modify network packets in any way and does not affect the network infrastructure, whereas an IPS is able to block the delivery of packets in the same way a firewall does.
As an intrusion prevention system, an IPS also analyzes traffic constantly, but it has more power: if necessary, it can drop packets when its analysis detects a threat. It relies on an up-to-date signature database to detect threats, so regular updates are recommended to ensure that the system performs its functions properly.
An IDS is only able to detect a threat and notify the administrator of the event; any further action is up to the administrator. The detection system can work:
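The difference between the two modes described above, as an added example that is not part of the original article: a minimal signature-based sensor that, in IDS mode, forwards every packet and only records alerts, and, in IPS mode, drops the packets that match a signature. The packet records, the signature database, and the `update_signatures` merge step are constructed for the example; a real product decodes packets from the wire and receives its signatures from vendor updates.

```python
"""Minimal signature-based sensor showing IDS (alert-only) vs IPS (drop) behaviour."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Constructed packet record; a real sensor decodes these from captured frames."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int                # signature id (hypothetical numbering for this example)
    name: str
    dport: Optional[int]    # None means "any destination port"
    pattern: bytes          # byte sequence searched for in the payload


# Constructed signature database; in a product this comes from vendor updates.
SIGNATURES: List[Signature] = [
    Signature(1, "Directory traversal in HTTP request", 80, b"../../"),
    Signature(2, "Shell command injection marker", 80, b";cat /etc/passwd"),
]


def matches(sig: Signature, pkt: Packet) -> bool:
    """A signature hits when the port (if constrained) and the payload pattern both match."""
    return (sig.dport is None or sig.dport == pkt.dport) and sig.pattern in pkt.payload


@dataclass
class Sensor:
    mode: str                           # "ids" (detect only) or "ips" (detect and drop)
    signatures: List[Signature]
    alerts: List[Dict] = field(default_factory=list)

    def update_signatures(self, new: List[Signature]) -> None:
        """Merge a signature update, replacing entries that share a sid."""
        by_id = {s.sid: s for s in self.signatures}
        for s in new:
            by_id[s.sid] = s
        self.signatures = list(by_id.values())

    def process(self, packets: List[Packet]) -> List[Packet]:
        """Return the packets that are forwarded: IDS forwards all, IPS withholds matches."""
        forwarded: List[Packet] = []
        for pkt in packets:
            hits = [s for s in self.signatures if matches(s, pkt)]
            for s in hits:
                self.alerts.append({
                    "sid": s.sid, "name": s.name, "src": pkt.src, "dst": pkt.dst,
                    "action": "drop" if self.mode == "ips" else "alert",
                })
            if self.mode == "ips" and hits:
                continue                # prevention: the packet is not delivered
            forwarded.append(pkt)       # detection only: the packet passes untouched
        return forwarded


# Constructed sample traffic (RFC 5737 documentation addresses).
TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.9", "192.0.2.10", 443, b"\x16\x03\x01"),   # TLS record header
]


def run(mode: str) -> Tuple[int, int]:
    """Run the sample traffic through a fresh sensor; return (forwarded, alerts)."""
    sensor = Sensor(mode, list(SIGNATURES))
    forwarded = sensor.process(TRAFFIC)
    return len(forwarded), len(sensor.alerts)


if __name__ == "__main__":
    print("IDS:", run("ids"))   # (3, 1): every packet delivered, one alert raised
    print("IPS:", run("ips"))   # (2, 1): the matching packet is dropped
```

The same traffic produces the same alert in both modes; only the forwarding decision changes. The `update_signatures` step is where the article's advice on regular updates shows up in practice: a packet that no current signature describes is forwarded silently by either mode until a signature for it arrives.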
Let's take a closer look at each of them.
NIDS (network-based IDS) is installed at strategic network nodes to analyze inbound and outbound traffic for all devices. NIDS is extremely effective because it analyzes literally every packet, from the data link layer up to the application layer. Unlike a standard firewall, NIDS can detect insider threats.
The disadvantage of the technology is its "voraciousness": analyzing all traffic requires a lot of CPU and RAM. For this reason, the use of NIDS at the corporate network infrastructure level can lead to tangible delays in data exchange.
Host-based systems (HIDS), unlike network-based systems, are installed "point by point" on each individual host within a network, allowing selective protection of the nodes most vulnerable to attack. HIDS can also analyze inbound and outbound traffic, but does so locally, for a single device.
HIDS is recommended for deployment on the network's mission-critical machines to prevent threats. This technology consumes significantly fewer resources, but it requires experience and a deep understanding of the particular network infrastructure to properly select the target hosts for HIDS.
Generally speaking, the fundamental principle of all such systems is that threats are identified through analysis of incoming and outgoing traffic. However, the analysis process itself may differ. There are three types of IDS according to the analysis mechanism:
UTM (unified threat management) is a universal bundle of utilities that contains several small protection modules, from email filters and proxy servers to VPN and IDS. In essence, it is a package that provides multi-level threat tracking and elimination.
NGFW (next-generation firewall) has been rapidly gaining popularity in recent years. It is a network security platform that combines a traditional firewall with additional filtering capabilities.
As for DPI (deep packet inspection), it is a technology that analyzes packet contents in depth and allows packets containing threats to be intercepted.
When deploying an IPS or IDS, the question arises of which network nodes make the most sense for placement. The answer depends on what type of system you have. If it is a PIDS, there is no point in placing it in front of the firewall, because the two would duplicate each other's functions. NGFW, on the other hand, is universal and can be installed at any level.
It makes sense to place the intrusion detection system on a shared host behind the firewall, on the internal side of the network: the software then analyzes only the traffic that the firewall has already allowed. This reduces the load on the system and improves the performance of the network infrastructure.
A common scenario is to deploy the IDS at the outer edge of the network perimeter, on the external side of the firewall. In this case, the system cuts off all the unnecessary noise coming from external networks and, in addition, provides protection against network mapping. In this infrastructure design, the system monitors network layers 4 to 7 and therefore uses a different signature set, minimizing the probability of false positives.
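The placement trade-off described in the last two paragraphs, as an added example that is not part of the original article: the same constructed traffic is shown to a sensor placed outside the firewall and to one placed behind it. The firewall policy, the port-sweep heuristic, and the traffic sample are all constructed for the example; a real deployment would use the firewall's actual rule set and the sensor's own signatures.

```python
"""Compare what a sensor sees when placed outside versus inside the firewall."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed perimeter policy: only web and mail are allowed into the internal network.
ALLOWED_PORTS: Set[int] = {80, 443, 25}


def firewall(packets: List[Packet]) -> List[Packet]:
    """Stateless allow-list: packets to any other port are dropped at the perimeter."""
    return [p for p in packets if p.dport in ALLOWED_PORTS]


def looks_like_scan(packets: List[Packet], threshold: int = 5) -> List[str]:
    """Simple port-sweep heuristic: flag sources touching more distinct ports than threshold."""
    ports_by_src: Dict[str, Set[int]] = {}
    for p in packets:
        ports_by_src.setdefault(p.src, set()).add(p.dport)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) > threshold)


# Constructed traffic (RFC 5737 documentation addresses): one host sweeping ports,
# a few normal web clients, and one mail client.
SCANNER = "203.0.113.50"
TRAFFIC: List[Packet] = [Packet(SCANNER, "192.0.2.10", port)
                         for port in (21, 22, 23, 25, 80, 443, 3389, 8080)]
TRAFFIC += [Packet("198.51.100.7", "192.0.2.10", 443) for _ in range(3)]
TRAFFIC += [Packet("198.51.100.8", "192.0.2.11", 25)]


def sensor_outside() -> Tuple[int, List[str]]:
    """Sensor in front of the firewall: inspects every packet, perimeter noise included."""
    seen = TRAFFIC
    return len(seen), looks_like_scan(seen)


def sensor_inside() -> Tuple[int, List[str]]:
    """Sensor behind the firewall: only firewall-permitted packets reach it."""
    seen = firewall(TRAFFIC)
    return len(seen), looks_like_scan(seen)


if __name__ == "__main__":
    print("outside:", sensor_outside())   # (12, ['203.0.113.50']): full load, sweep visible
    print("inside: ", sensor_inside())    # (7, []): less load, sweep no longer visible
```

The outside sensor inspects all twelve packets and sees the sweep across eight ports, which is the "protection against mapping" the article mentions. The inside sensor inspects only the seven packets the firewall let through, so its load is lower, but the same scanner now touches only three allowed ports and falls below the heuristic's threshold. Which placement is right depends on whether reconnaissance visibility or sensor load matters more at that point in the network.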