The IDS/IPS Dynamic: Just Watch or Take Action Against Intruders?

Carl Weinschenk

Intrusion prevention systems (IPSs), as the name indicates, work to identify and combat security threats and vulnerabilities. This week, Cisco introduced its highest-performing IPS -- the IPS 4270 -- which InformationWeek says handles Web-based data and video at 4 Gigabits per second (Gbps). It handles other classes of content, such as e-commerce and VoIP, at speeds as fast as 2 Gbps. The device can accommodate as many as 20,000 transactions per second.

There is a transition under way to IPSs from intrusion detection systems (IDSs), which sound alerts but take no action. This Security Focus blog looks at some of the issues in the combined field, which is called intrusion detection and prevention (IDP).

IDSs are said by some to be an unsound investment because a skilled hacker can bypass them. IPSs, some experts say, also are vulnerable. This may be a bit of a tautology, however: The writer adds, quite wisely, that any security technology can be beaten if the attacker is skilled enough. The response, he suggests, isn't to rely on one technology -- IDS, IPS or any other -- but to employ a "defense in depth" strategy and to train staff on the particularities of the organization's traffic patterns so that they are more likely to spot a problem lurking in the reams of information that security tools produce.

This good overview of the tension between IDS and IPS at Networking Solution says that IPS is passing IDS. The big vendors are reluctant to provide numbers, however, because the boundary is fuzzy: Often, an IPS includes IDS functionality, enabling users to switch to a more passive approach in which traffic is watched but not interfered with. The piece says challenges for both IDS and IPS are false positives and false negatives: traffic that is not malicious but is treated that way and traffic that shouldn't be allowed through but is. Together, the IDS and IPS markets are worth $730 million, according to IDC.

Organizations must do a lot of work when deciding whether to use an IDS/IPS. One key factor, says Brad Fenster at Styzer's Risk Management Blog, is whether the network being protected accepts traffic from untrusted sources -- which is more or less synonymous with the Internet. The posting is written in a somewhat obtuse manner, and seems to conflate the two types of gear. The bottom line is clear, and very important: IT and security forces must carefully consider the environment in which the IDS or IPS will be used in order to choose the best -- and most cost-effective -- approach.

The brief introduction to this Network World IPS buyer's guide looks at a great many products. There are products from 10 vendors: Cisco, Fortinet, Juniper, Top Layer Networks, Reflex Security, Sourcefire, Stonesoft, StillSecure and TippingPoint. In all, 23 products are described, and links are provided to more information on each.

Dec 6, 2007 3:29 AM Mike Milholland says:
Carl, IPS and IDS are for the most part the same thing. Almost all of today's products are both. Just depends how you deploy them. Only the very brave, or very smart, actually deploy true Inline IPS solutions due to false positives. So for the most part most mission critical networks (and aren't they all?) use only the IDS type solution.
Dec 6, 2007 4:11 AM Adam Stein says:
Hello Carl: Thanks for pointing out a number of the IDS/IPS baselines and studies. On the recent Network World buyers guide, the reviewers at Opus One covered a bit of new ground as well by tracking actual IPS catch rate metrics. Specifics online at
