Companies have various means of monitoring inbound and outbound network traffic with the goal of detecting whether any anomalous traffic might be malicious in nature. But no detection solution is 100 percent effective, which means that some attacks will succeed. With that in mind, a company needs to be able to identify and remediate those attacks quickly, and to reconstruct the entire life cycle of an attack so it can prevent a future breach. One means of doing that is to install an appliance on the network that gives the company a broader picture of all the traffic that has traversed its network.
Traditional options. Companies already use intrusion detection system (IDS) and intrusion prevention system (IPS) appliances. IDS is a passive type of monitoring that detects anomalies in traffic and alerts system administrators when they are found, says John Pirc, vice president of research at NSS Labs. However, IDSs won’t tell you whether the attack was successful.
IDS appliances, which were first developed about 14 years ago, weren’t originally designed to sit in line with a network’s activity. That’s why they were considered passive. IDS monitors activity by sitting out-of-band, explains Pirc, and traffic gets mirrored on a delayed basis. “Say there’s ports one, two, three, and four [on the appliance], and the traffic is coming in port one. What you can do is you can mirror port one, and let’s say that your IDS was in port four—you just mirror it. Essentially, [traffic is] just getting mirrored, and it’s getting analyzed on the IDS, and then it will tell you if it hit the positive on [a malicious] signature that fires off.”
But IPS, an active type of monitoring that was developed just about a year after IDS, sits in line and is designed to actually stop the intrusion.
IPS has not replaced IDS. Pirc says there are a few reasons why companies would want to deploy an IDS rather than an IPS. First of all, there are performance issues that come along with deploying IPS. “A lot of it comes down to performance. When you’re putting IPS in line, there could be bottlenecks [in traffic],” he notes.
Furthermore, a company that depends on keeping its online services running as efficiently as possible—such as a retail or commerce site—may prefer an IDS solution. It depends on the industry vertical and the risk threshold. Some companies would rather just have a way of being alerted to the possibility that they’re under attack, but not have a system for automatically stopping it, “because there could be a false positive in the traffic that they’re seeing,” Pirc says. A false positive is an alert on traffic that is not actually malicious; an in-line device that acts on one blocks legitimate traffic.
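To make the difference between the mirrored (passive) deployment described earlier and the in-line deployment concrete, and to show why a false positive costs more in line, here is a small signature engine run in both modes. This is an added example written for this page; it is not code from the article, from NSS Labs, or from any IDS/IPS product. The traffic, the two signatures (including a deliberately over-broad one), the rule numbers and the alert format are all constructed for illustration.

```python
"""
Toy signature engine run in IDS (mirror-port, passive) and IPS (in-line) modes.

Constructed example, not code from the article or from NSS Labs. The traffic,
signatures, rule IDs and alert format below are made up for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Signature:
    sid: int                 # hypothetical rule ID
    msg: str                 # alert message
    pattern: re.Pattern      # content match against the payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)     # (sid, msg, src) tuples
    forwarded: list = field(default_factory=list)  # packets that reached the server
    dropped: list = field(default_factory=list)    # packets blocked in line


SIGNATURES = [
    Signature(1000001, "directory traversal attempt", re.compile(r"\.\./")),
    # Deliberately over-broad rule: fires on any "passwd", including benign help URLs.
    Signature(1000002, "passwd file access", re.compile(r"passwd")),
]


def match(pkt: Packet) -> list[Signature]:
    """Return every signature whose pattern appears in the packet payload."""
    return [sig for sig in SIGNATURES if sig.pattern.search(pkt.payload)]


def run_ids(traffic: list[Packet]) -> Verdict:
    """Passive mode: the sensor sees a mirrored copy, so every packet is
    forwarded regardless of what matches. Alerts are only logged, and the
    request alone does not tell you whether the attack succeeded."""
    v = Verdict()
    for pkt in traffic:
        for sig in match(pkt):
            v.alerts.append((sig.sid, sig.msg, pkt.src))
        v.forwarded.append(pkt)
    return v


def run_ips(traffic: list[Packet]) -> Verdict:
    """In-line mode: a matching packet is dropped before it reaches the server.
    This stops the real attack, but a benign packet that hits the over-broad
    rule (a false positive) is dropped too."""
    v = Verdict()
    for pkt in traffic:
        hits = match(pkt)
        if hits:
            for sig in hits:
                v.alerts.append((sig.sid, sig.msg, pkt.src))
            v.dropped.append(pkt)
        else:
            v.forwarded.append(pkt)
    return v


# Constructed traffic: one real attack, one benign request, and one benign
# request that happens to contain the string "passwd".
TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.5", "GET /../../etc/passwd HTTP/1.1"),
    Packet("192.0.2.10", "10.0.0.5", "GET /products?id=42 HTTP/1.1"),
    Packet("192.0.2.11", "10.0.0.5", "GET /help/how-to-change-your-passwd HTTP/1.1"),
]


if __name__ == "__main__":
    for name, verdict in (("IDS", run_ids(TRAFFIC)), ("IPS", run_ips(TRAFFIC))):
        print(f"{name}: alerts={len(verdict.alerts)} forwarded={len(verdict.forwarded)} "
              f"dropped={len(verdict.dropped)}")
        for pkt in verdict.dropped:
            print(f"  {name} dropped {pkt.src}: {pkt.payload}")
```

Both modes raise the same three alerts (two on the traversal packet, one on the benign help URL). In IDS mode all three packets still reach the server, which is the throughput-preserving but non-blocking behaviour Pirc describes; in IPS mode the traversal attempt is stopped, but the customer asking for the password-change help page is dropped as well, which is exactly the false-positive cost that makes a retail site hesitate to go in line.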