IDS/IPS: What They Are and Why You Need Them
Wireless providers are rolling out 5G to power an IoT (Internet of Things) world. The Ericsson Mobility Report, released in November 2021, estimates that by 2027 half of all global mobile subscriptions will be 5G. While faster than ever connectivity and lower latency are welcome, 5G comes with new threats and cybersecurity risks businesses need to know about.
Fortunately, Intrusion Detection Systems and Intrusion Prevention Systems — or IDS/IPS — are invaluable, readily available network security tools for mitigating malicious traffic and suspicious activity. And the benefits of IDS/IPS aren’t limited to vulnerabilities associated with 5G. Read on for a look at how your business can make an Intrusion Detection System and Intrusion Prevention System part of your security management.
While faster than ever connectivity and lower latency are welcome, 5G comes with new threats and cybersecurity risks businesses need to know about.
What is IDS/IPS? (And What’s the Difference Between the Two?)
First things first: IDS and IPS are actually two different things. Intrusion Detection Systems analyze network traffic to identify signatures matching known cyberattacks. Intrusion Prevention Systems analyze packets, too, but they go a step further by stopping packet delivery based on attack type.
The result? Attack thwarted!
How Do Intrusion Detection Systems and Intrusion Prevention Systems Work?
Intrusion Detection Systems can be hosted at the network level or host level and detect anomalies that identify bad actors before a network is damaged. They do this by trying to match known attack signatures to the traffic being monitored and trying to identify deviations to normal activity. This process allows the IDS to proactively detect DoS attacks and other threats.
Host-based intrusion detection systems are installed on a client computer, while a network-based IDS operates on the network. A network IDS can be deployed as a software application to run on hardware — either a server or a network security appliance — but cloud-based IDS is increasingly popular for its ease-of-use.
IPS solutions, like IDS systems, monitor network traffic for policy violations, malicious activity, and other threats.
The addition of Security Information And Event Management (SIEM) software to an IDS enables network administrators — often part of a company’s Security Operations Center (SOC) — to identify attacks before or as they occur, allowing for faster response times.
And how does an IPS work? IPS solutions, like IDS systems, monitor network traffic for policy violations, malicious activity, and other threats. An IPS has additional threat management value because it also responds to, and stops, threats in real time. Like IDS, IPS can be network-based or host-based. IPS, unlike IDS, can be configured with policy-based rules and “if-then” actions to take when an anomaly is detected.
Are There Different Types of IDS and IPS?
Intrusion detection systems are distinguished by the detection methods they employ to identify security threats. The most common IDS types are:
- Network Intrusion Detection System (NIDS): As the name suggests, an NIDS is deployed on a network to monitor inbound and outbound traffic from all endpoints, then alert security personnel when an attack is identified.
- Host Intrusion Detection System (HIDS): An HIDS is installed on all devices with access to the internet and a company’s network.
- Signature-based Intrusion Detection System (SIDS): This type of IDS analyzes all network packets and compares them against an extensive database of known attack signatures or malicious threat features.
- Anomaly-based Intrusion Detection System (AIDS): Similar to SIDS, but also an improvement on SIDS, an AIDS tracks network traffic and compares it to a baseline. The baseline, often established via machine learning, allows the IDS to identify traffic as normal or abnormal in terms of bandwidth, protocols, ports, and other devices across the entire network. Suspicious activity, or activity that violates security policies, is sent to network security teams for further action.
An IDS passively monitors a network for threats, and an IPS actively stops threats.
There are a few types of intrusion prevention systems, too, the most popular being:
- Network-based Intrusion Prevention Systems (NIPS): Functionality similar to a stateful firewall that analyzes incoming traffic looking for potential risks and automatically drops packets when an attack is discovered.
- Wireless Intrusion Prevention Systems (WIPS): Analyze wireless networking protocols to detect potential malicious activity on a wireless network.
- Network Behavior Analysis (NBA): Guard against threats using unusual traffic flows (e.g., DDoS, malware, policy violations).
- Host-based Intrusion Prevention System (HIPS): An inline software package, operating on a single host, that scans the host for threats.
Do You Need Both IDS and IPS?
The natural follow up question many people have is: Do you need both intrusion detection and prevention systems?
An IDS passively monitors a network for threats, and an IPS actively stops threats. Ideally you want to stop threats; not just identify them. Then why would anyone choose to use an IDS without an IPS? According to OWASP, the primary reason some organizations opt for IDS rather than IPS is that, “... in the event of a false positive (normal activity mistakenly identified as an attack), an IPS will actively stop the normal activity which is likely to negatively impact business functions.” Obviously false positives can be inconvenient, but as OWASP points out, “... with the right amount of overhead, false positives can be successfully adjudicated; false negatives cannot.”
And what's a false negative? OWASP defines a false negative state as, “... the most serious and dangerous state. This is when the IDS identifies an activity as acceptable when the activity is actually an attack.”
"...with the right amount of overhead, false positives can be successfully adjudicated; false negatives cannot."
- The Open Web Application Security Project (OWASP)
What’s the Difference Between IPS and Next-Gen Firewall?
This is a common question as well. The answer is that the third generation of firewall technology, commonly known as next-generation firewall (NGFW), combines a traditional firewall with other network traffic filtering functions. One of those functions? An intrusion prevention system.
CloudConnexa Cyber Shield Has Built-in IDS/IPS
Are you already using OpenVPN Cloud? If so, you have IDS/IPS at your fingertips (literally). CloudConnexa includes Cyber Shield Traffic Filtering.
Not using CloudConnexa yet? Get your three free connections here.
We looked at the different types of IDS/IPS above — so what kind is Cyber Shield? Well, it operates on a network, so it is a NIDS. And, because it uses signature and anomaly detection, it’s SIDS and AIDS, too.
Included with CloudConnexa at no extra cost, Cyber Shield Traffic Filtering is an easy-to-use, customizable IDS/IPS feature that protects remote access with:
- Traffic Filtering feature acts as an IDS and IPS.
- IPS based on threat category or severity of threat.
Cyber Shield fortifies protection by letting network admins decide which threats to block. And because cyberthreats are continually evolving, it includes easily accessible reporting with insights that make it simple to fine-tune security measures to mitigate threats.
Built-in IDS/IPS for Effective, Efficient Intrusion Detection and Prevention: Traffic Filtering automation for reliable protection against malware and ransomware, denial of service, phishing, known threats, and vulnerabilities/exploits that may be overlooked by other security layers or solutions, and before it reaches other security controls.
Multi-pronged Threat Detection and Blocking: The Traffic Blocking feature detects and blocks network threats by category or Threat Level (Levels 1 thru 3).
Ready to take advantage of the Cyber Shield IDS/IPS feature? Step-by-step instructions are available here.
