The Benefits of IDS/IPS in an SD-WAN Environment


A typical IDS system will detect a threat, generate an alert and stop there. This leaves IT and security departments to respond manually to prevent attackers from embedding themselves further into the network. An IPS solution works with an IDS to identify and block attacks as they happen. It also proactively works to prevent breaches by monitoring for policy violations and malware.


As threat vectors increase and become more sophisticated, the need for automated tools to detect and mitigate attacks grows. IDS and IPS systems are designed to do just that. They can identify and report unauthorized activity that would otherwise go unnoticed on the network, such as phishing attacks, ransomware, malware infection and distribution, denial of service (DoS), man-in-the-middle attacks, zero-day threats, and SQL injection. An IDS is typically deployed out of the line of network traffic flow and monitors a copy of the traffic via SPAN or TAP ports to raise alerts. Unlike an IPS, which analyzes every data packet in real time, an IDS merely detects potential incidents by comparing traffic patterns to known signatures. The resulting signals can help shape an organization’s security strategy and mitigate emerging threats. Many experts, including professionals at Versa Networks, recommend a combination of IDS and IPS. A Secure SD-WAN solution integrates IDS and IPS in a single hardware-agnostic platform that reduces the number of devices you need to manage and maintain while ensuring maximum inspection performance.


An IDS will detect a potential threat, generate an alert and stop the attack by dropping malicious data packets. An IPS goes one step further, preventing the attack by blocking traffic from the attacker. The IPS can also apply firewall rules to block connections and avoid transmitting sensitive information. A signature-based IDS analyzes packets on the network for suspicious patterns and compares them against a database of known attacks to identify threats. This is the simplest IDS method but can raise false positives. An anomaly-based IDS monitors network traffic and establishes a baseline of what is typical for the business. This method identifies deviations from the norm, such as a sudden surge in bandwidth or the use of protocols not commonly seen in the environment. A network-based IDS uses machine learning to monitor a completely protected network for threats. This method can reduce the number of false positives and improve performance. IPS systems are typically placed inline and can prevent or block an intrusion by blocking a connection, resetting the session, or dropping detected malicious packets. They can also apply firewall rules to block traffic from the attacker. Cisco SD-WAN solutions integrate IDS/IPS into the fabric of the solution to simplify your architecture and reduce the number of devices on your network.


IDS and IPS inspect traffic in real time to detect attacks by comparing application behavior against a database of threat signatures. For example, Aruba IDPS uses the Snort engine (which runs as a container) combined with Cisco Talos intelligence to deliver up-to-date signature packages to devices through an onboard update server. The policies allow for Syslog events, dashboard alerts, and blocking of the threatening traffic flow. Known threats are detected by matching against signature patterns in a frequently updated database. Unknown threats can be more challenging to detect, as they often use evasive variations of previously seen malicious patterns. Regardless of the detection method, both systems are designed to generate an alert upon discovering suspicious activity and to minimize false alarms through learning and behavioral analysis. Anomaly-based detection monitors network traffic by establishing a baseline of what is considered normal for the environment and which protocols are generally used. This approach may, however, raise a false alarm on legitimate bandwidth usage if the baselines are not intelligently configured. A more practical option is stateful protocol analysis, which recognizes deviations from established protocol behavior and identifies whether an attack has taken place. Both IDS and IPS can take action when a threat is detected, although only an IPS can prevent an attack by blocking the traffic.


Security solutions need to be flexible to meet a variety of network needs. This includes recognizing traffic patterns unique to specific business units, applications, and devices. They also need to be able to identify threats and alert on them quickly. This allows companies to catch bad actors while minimizing their dwell time within the corporate perimeter. An IPS is a network component that analyzes each packet to detect possible threats and takes action to stop them. Its detection function typically operates by analyzing the traffic flow via SPAN or TAP technology and raising notifications for the administrator to act upon. The main types of IPS solutions are signature-based and anomaly-based. Signature-based systems look for known threat patterns such as file hashes, domains associated with known phishing attacks, and suspicious byte sequences to identify potential incidents and notify the administrator. Anomaly-based IPS is a more advanced solution that monitors standard traffic patterns to spot anomalies and deviations. This is much more effective at spotting new attacks that have not yet been added to the existing signature databases. Adding IDS and IPS capabilities to an SD-WAN platform gives the enterprise a full suite of defenses. Versa’s ground-up integration of IDS/IPS into the WAN routing stack simplifies networking architecture, reduces device count, and limits attack surface while allowing the network to scale and support multiple access methods and traffic types.
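As an added illustration of the three ideas the article keeps returning to (signature matching, anomaly baselines, and the alert-only IDS versus inline IPS verdict), here is a toy inspector written for this page; it is not code from Versa, Cisco, Aruba or Snort, and its flow records, signature patterns and the 3-sigma bandwidth threshold are constructed for the example:

```python
import statistics
from dataclasses import dataclass

@dataclass
class Flow:
    proto: str          # "tcp" or "udp"
    dst_port: int
    nbytes: int
    payload: bytes = b""

# Constructed signature database (name -> byte pattern); not a vendor ruleset.
SIGNATURES = {
    "sqli-union-select": b"UNION SELECT",
    "path-traversal": b"../../etc/passwd",
}

@dataclass
class Baseline:
    services: set          # (proto, dst_port) pairs seen during the learning period
    mean_bytes: float
    stdev_bytes: float

def learn_baseline(flows):
    """Anomaly-based mode: learn which services are normal and the typical flow size."""
    sizes = [f.nbytes for f in flows]
    return Baseline({(f.proto, f.dst_port) for f in flows},
                    statistics.mean(sizes), statistics.pstdev(sizes))

def inspect(flow, baseline, mode="ids", k=3.0):
    """Return (verdict, reasons). An IDS only alerts; an IPS drops signature hits inline.
    Anomalies raise alerts in both modes, since a baseline can produce false positives."""
    reasons = [f"signature:{name}" for name, pat in SIGNATURES.items() if pat in flow.payload]
    if (flow.proto, flow.dst_port) not in baseline.services:      # protocol/service not seen before
        reasons.append(f"anomaly:unseen-service:{flow.proto}/{flow.dst_port}")
    if flow.nbytes > baseline.mean_bytes + k * baseline.stdev_bytes:  # bandwidth spike vs. baseline
        reasons.append("anomaly:bandwidth-spike")
    if mode == "ips" and any(r.startswith("signature:") for r in reasons):
        return "drop", reasons
    return ("alert" if reasons else "forward"), reasons

# Constructed learning-period traffic: ordinary HTTPS and DNS flows.
NORMAL = [Flow("tcp", 443, n) for n in (1200, 1500, 1350, 1420, 1300)] + \
         [Flow("udp", 53, n) for n in (90, 110, 100, 95, 105)]
BASELINE = learn_baseline(NORMAL)

if __name__ == "__main__":
    for f in (Flow("tcp", 443, 1400, b"GET /?id=1 UNION SELECT 1,2"),
              Flow("tcp", 4444, 500), Flow("tcp", 443, 50_000_000)):
        print("ids:", inspect(f, BASELINE, "ids"), "| ips:", inspect(f, BASELINE, "ips"))
```

Note that the signature hit is the only case where the IPS verdict differs from the IDS one; the two anomaly flows produce identical alerts in both modes, which is why the article stresses tuning baselines carefully.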

