Network administrators need to employ tools to protect their network and prevent malicious actors from gaining access. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are categories of tools commonly used for this purpose. It's important to know the difference between them, which are best for certain types of organizations, and how to maximize their effectiveness.
In this article, we'll go over the differences between the two systems to help you decide which is best for your organization.

Basic overview: IDS vs. IPS
An intrusion detection system is more of an alerting system that lets an organization know if anomalous or malicious activity is detected. An intrusion prevention system takes this detection a step forward and shuts down the network before access can be gained or to prevent further movement in a network.

What is an IDS? Five types and their functions
An IDS monitors and detects behavior across a network and should be considered a diagnostic solution. If the system detects something problematic, it will alert the security team so they can investigate. The five types of IDS leverage two types of detection:
Signature-based detection: this kind of system looks for known indicators of compromise, such as file hashes, traffic going to known malicious domains, malicious byte sequences, and even email subject lines that are known to belong to phishing campaigns.
Anomaly-based detection: this kind of system looks for behavior that differs from an established baseline. For example, if you have set normal working hours for employees, an anomaly-based IDS may flag a login occurring over the weekend. The system may also alert you based on the amount of traffic connecting to your network, or new devices being added without the right authorization.

IDS types vary based on where they're monitoring threats and how they're detecting them.

1. Network intrusion detection systems (NIDS)
A network intrusion detection system will monitor traffic through various sensors — placed either via hardware or software — on the network itself. The system will then monitor all traffic going through devices across the multiple sensor points.

2. Host intrusion detection systems (HIDS)
A HIDS is placed directly on devices to monitor traffic, giving network administrators a bit more control and flexibility. However, this can become burdensome depending on the organization's size. If an organization is only leveraging HIDS, the company would have to account for every new device added within the organization, leaving room for error while also taking up a lot of time.

3. Protocol-based intrusion detection systems (PIDS)
A protocol-based IDS is often placed in front of a server and monitors traffic flowing to and from devices. This is leveraged to secure users browsing the internet.

4. Application protocol-based intrusion detection systems (APIDS)
An APIDS is similar to a protocol-based system but monitors traffic across a group of servers. This is often leveraged on specific application protocols to monitor activity, helping network administrators better segment and classify their network monitoring activities.

5. Hybrid intrusion detection systems
Hybrid IDS solutions provide a combination of the above types of intrusion detection. Some vendors' offerings cross multiple categories of IDS to cover multiple systems in one interface.

What is an IPS?
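Before moving on to the IPS types, here is an added example (not from the original article) that runs the two detection methods described above over a few constructed log lines and then shows the one thing that separates an IPS from an IDS: the IDS function only reports alerts, while the IPS function turns them into containment actions. The log format, the denylist, the working-hours baseline and the response policy are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample events, not from the article: "<ISO time> <user> <event> <detail>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice dns_query intranet.example.internal
2024-03-05T23:40:10 carol dns_query bad-domain.example
2024-03-06T10:01:00 dave login 10.0.0.9
2024-03-06T11:00:00 erin mail Urgent: verify your account
2024-03-09T02:05:44 alice login 10.0.0.5
"""

# Signature-based detection: a constructed denylist of indicators of compromise
# (the article's "known malicious domains" and "known phishing subject lines").
KNOWN_BAD_DOMAINS = {"bad-domain.example"}
PHISHING_SUBJECT = re.compile(r"urgent|verify your account", re.I)

# Anomaly-based detection: a constructed baseline of normal working hours,
# Monday to Friday, 08:00 to 18:59. Logins outside it are flagged.
WORK_DAYS = range(0, 5)
WORK_HOURS = range(8, 19)


def parse(line):
    ts, user, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, event, detail


def ids_alerts(log_text):
    """IDS role: inspect every event and report findings, but never act."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, event, detail = parse(line)
        if event == "dns_query" and detail in KNOWN_BAD_DOMAINS:
            alerts.append(("signature", user, f"query to known bad domain {detail}"))
        elif event == "mail" and PHISHING_SUBJECT.search(detail):
            alerts.append(("signature", user, f"known phishing subject: {detail}"))
        elif event == "login" and (ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS):
            alerts.append(("anomaly", user, f"login outside baseline hours at {ts.isoformat()}"))
    return alerts


def ips_actions(alerts):
    """IPS role: turn each alert into a containment action. Constructed policy:
    signature hits are certain enough to block automatically, while anomalies
    only get the session quarantined so an analyst can review them."""
    return [("block_user" if kind == "signature" else "quarantine_session", user)
            for kind, user, _reason in alerts]


if __name__ == "__main__":
    found = ids_alerts(SAMPLE_LOG)
    for alert in found:
        print("ALERT ", alert)
    for action in ips_actions(found):
        print("ACTION", action)
```

On the sample log the IDS reports three alerts (carol's query to the denylisted domain, erin's phishing subject, and alice's Saturday 02:05 login) and the IPS blocks the first two users while only quarantining alice's session.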
Four types and how they work
An IPS has the same functionality as an IDS in terms of detection but also contains response capabilities. An IPS solution has more agency and takes action when a potential attack, malicious behavior, or an unauthorized user is detected. The specific functions of an IPS depend on the type of solution, but in general, having an IPS in place helps automate actions and contain threats without the need for an administrator.

1. Network-based intrusion prevention system (NIPS)
A NIPS monitors and protects an entire network from anomalous or suspicious behavior. This is a broad-based system that can be integrated with additional monitoring tools to help provide a comprehensive view of an organization's network.

2. Wireless intrusion prevention system (WIPS)
WIPS are also quite common, often monitoring any wireless networks owned by an organization. This type is similar to a NIPS but is localized to wireless networks for more targeted detection and response.

3. Host-based intrusion prevention system (HIPS)
HIPS are often deployed on key devices or hosts that an organization needs to secure. The system will then monitor all traffic flowing to and from the host to detect malicious behavior.

4. Network behavioral analysis (NBA)
As opposed to NIPS, an NBA solution will look for anomalous behavior within the traffic patterns of the network itself, making it key for detecting incidents such as DDoS attacks, policy violations, and other types of malware activity.

IDS vs. IPS: Similarities and differences
An IDS and an IPS are quite similar, particularly because of their similar detection process. However, their differences will dictate whether an organization opts for one over the other.

IDS and IPS similarities
Across the two solutions, you can expect a similar level of:
IDS and IPS differences
Depending on how well resourced your security team is, the differences between the systems can be very important:
Why both IDS and IPS solutions are critical for cybersecurity
Organizations shouldn't necessarily consider choosing one solution over another; both are extremely helpful, and many vendors offer an intrusion detection and prevention system, or IDPS, as a solution that provides the benefits of both. Detection and response capabilities have proven to be crucial for organizations to not only know when an attack has reached their perimeter but also to act accordingly. By employing effective detection and response solutions, companies are catching bad actors and reducing dwell time, minimizing the impact these actors can have. Security leaders should have an understanding of their organization's needs as well as a list of what data requires monitoring before choosing the right IDS and/or IPS solution. They should also take stock of their own security department to determine whether they want an automated solution, whether they have the capacity to react themselves, or whether they'd prefer a hybrid approach. We recommend leveraging both systems or a combined IDPS for effective protection. As organizations grow and scale, additional IDS/IPS solutions may be brought on to account for additional servers, networks, or devices. For a deeper look at network security and how you can enhance it, Varonis Edge has solutions to explore.

Les Cottrell, SLAC. Last Update: 10/13/2022.
Where possible I have provided hypertext links to further sources of information on each tool. These links vary in quality, ranging from a pointer to the vendor's home page, to the man page entry, to instructions on how to download the code. We welcome corrections such as identifying broken links (especially if you can provide an alternative or an update), since over the years companies are absorbed by others, disappear, split up, change their web sites, etc. To find broken links, we use CheckLink, suggested by Brad Canham, and, even better, the Chrome browser extension for checking links, suggested by Brian Albert Jensen. Others we have found useful include Link Quality at a Glance, suggested by William Chapman. Another possibility is Xenu's Link Sleuth, also suggested by William Chapman. Some links, such as BasicState and Lemon, return a 404 or 405 error code but appear to be accessible, and so are currently left in. Others, such as NetLogger, sometimes time out but usually work. See the Footnotes for some alerts (identified by superscripts).

Suggesting Additions/Corrections etc.
This is a volunteer, unfunded effort, which helps assure its independence. Increasingly, new additions come from reader suggestions and recommendations. If you have a suggestion for adding something, please send an email to Cottrell at slac.stanford.edu, making sure that you indicate where the tool fits in the hierarchy, provide a URL to get more information on the tool, and provide a short one-sentence description of the tool's purpose with no marketing hyperbole. Also, if you notice out-of-date or incorrect links (e.g. links that go to sites that are not relevant to the link), please report them. Thanks.
Commercial Monitoring Tools, not integrated with an NMP
Analyzer/Sniffer | Application/Services/Systems monitoring (Hosted/managed monitoring services) | BGP | Emulators | Flow Monitoring | FTP | IP Address/Asset Management | IT Search | Network Security tools | SNMP Tools | Topology/Mapping/Traceroute | VOIP | Video-over-IP

Public Domain or Free Network Monitoring Tools
Application Monitoring | BGP | Finger Printing | Flow Monitoring | FTP | Host based network monitoring tools | IP Address management (IPAM) | Mapping | Monitoring Infrastructures | Network Security | Packet Capture/Analysis Tools | Path Characterization | Ping | RRDtool | SNMP | Throughput tools | Traceroute

Wireless tools

Web Tools

Auxiliary Tools to Enable: Monitoring, Analysis, Report Creation or Simulation

Further Information
Disclaimer: Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by SLAC, Stanford University or the United States Government. The views and opinions of authors expressed herein do not necessarily state or reflect those of SLAC, Stanford University or the United States Government, and shall not be used for advertising or product endorsement purposes.
Footnotes