Given the importance of network security, and the fact that threats to your network no longer come only from outside (i.e. through your firewall), it is important to monitor your network for unusual internal traffic by means of intrusion detection and prevention systems. The two work hand in hand, with prevention being a more mature approach than detection alone. Both analyse network traffic against a database of known threat signatures, but one is a monitoring tool while the other is a control tool.
Intrusion Detection Systems (IDS)
As the name implies, an IDS detects intrusions in your network. It is a monitoring tool that analyses traffic and reports to a human operator (or monitoring system) that there is unusual traffic on the network. It is then up to a human to take some form of action based on the detection. This process is much more reactive than proactive, but it can be quite a cost saver. The IDS sits within the main network, but not necessarily directly behind or in front of the firewall: it only requires a “copy” of the traffic flowing through the network in order to detect anomalies.
Intrusion Prevention System (IPS)
The next level in maturity from an IDS is the IPS. This system detects unusual traffic, but then also takes action to block that traffic. If a particular rule is broken, the IPS can block the traffic from travelling any further while simultaneously notifying a human operator or monitoring system that something is amiss. A true IPS is often a hardware device located directly behind your firewall (or as part of it), as it must sit inline and see the original network traffic as it flows in and out of your network in order to operate.
As a cost saver, some organisations run a “hybrid” solution, where an IDS communicates directly with your firewall, which then does the blocking. This can be less accurate, less reliable, and slower to respond to a threat, since the IDS is operating on a copy of the network traffic rather than on the live traffic at the time: the offending packets may already have passed by the time the firewall is told to block them.
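To make the monitoring-versus-control distinction concrete, here is an added example (not part of the original post) that applies two Snort-style rules to constructed sample packets, once as a passive sensor fed a copy of the traffic and once inline. The rule parser handles only a hypothetical subset of Snort's syntax (action, protocol, destination port, and the msg, sid and content options), and the packet dictionaries are made up for the illustration.

```python
import re
# Hypothetical subset of Snort rule syntax: action, protocol, destination port
# and the msg/sid/content options; the other header fields are accepted but ignored.
RULE_RE = re.compile(r'^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+'
                     r'\S+\s+(?P<dport>\d+|any)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    return {"action": m.group("action"), "proto": m.group("proto"),
            "dport": m.group("dport"), "msg": opts.get("msg", ""),
            "sid": opts.get("sid", "?"), "content": opts.get("content")}

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and rule["dport"] in ("any", str(pkt["dport"]))
            and (rule["content"] is None or rule["content"] in pkt["payload"]))

def run_sensor(rules, packets, inline):
    """Return (alerts, forwarded packet ids). inline=False models an IDS fed a
    copy of the traffic: it can only alert, so every packet is forwarded anyway.
    inline=True models an IPS in the path: a matching 'drop' rule stops the packet."""
    alerts, forwarded = [], []
    for pkt in packets:
        blocked = False
        for rule in rules:
            if matches(rule, pkt):
                alerts.append("[%s] %s" % (rule["sid"], rule["msg"]))
                if inline and rule["action"] == "drop":
                    blocked = True
        if not blocked:
            forwarded.append(pkt["id"])
    return alerts, forwarded

# Constructed sample ruleset and traffic, not taken from any real capture.
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 23 (msg:"Telnet session to internal host"; sid:1000001;)',
    'drop tcp any any -> any 80 (msg:"Path traversal in HTTP request"; content:"../../etc/passwd"; sid:1000002;)',
]]
PACKETS = [
    {"id": 1, "proto": "tcp", "dport": 23, "payload": "login: "},
    {"id": 2, "proto": "tcp", "dport": 80, "payload": "GET /../../etc/passwd HTTP/1.1"},
    {"id": 3, "proto": "tcp", "dport": 443, "payload": "TLS handshake"},
]
```

Both modes raise the same two alerts; only the inline sensor actually stops packet 2, which is the whole difference between an IDS and an IPS.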
Which Should I Use?
Ideally you would use a full IPS in your network. An IDS, while valuable, is reactive and should only really be used for testing your rulesets before enabling them in the IPS. Consider the manual intervention required: should a threat occur in the early hours of the morning, it may take hours to respond to it, compromising your network in the meantime.
Software-based IPSs such as Snort can be installed within your environment at very low cost; however, they need an experienced implementer to configure them. Alternatively, hardware devices such as those offered by FortiGate and Sophos are easier to implement but come at a cost.
Ultimately, it comes down to your risk appetite and budget. In this day and age, hacks are a very real threat, and detecting their presence early could be the difference between a minor fine and closing your doors, given the current landscape of privacy legislation. At the very least, you should be operating an IDS within your environment.
Should you wish to implement an IDS or IPS, why not reach out to us for a coffee? Ross G Saunders Consulting partners with numerous providers to offer you an expert installation and maintenance of an IDS/IPS system for your network.