Ids vs ips which is better
Download
1 / 20

IDS vs. IPS: Which is better? - PowerPoint PPT Presentation


  • 344 Views
  • Updated On :

IDS vs. IPS: Which is better? . www.SearchSecurity.com TechTarget.com Edward P Yakabovicz, CISSP. IDS and IPS. IDS Passive ~ Out of band These devices can monitor and analyze events that occur on a network or system, thus looking for intrusion attempts based on signatures or patterns.

Related searches for IDS vs. IPS: Which is better?

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'IDS vs. IPS: Which is better?' - libitha


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Ids vs ips which is better l.jpg

IDS vs. IPS: Which is better?

www.SearchSecurity.com

TechTarget.com

Edward P Yakabovicz, CISSP


Ids and ips l.jpg
IDS and IPS

  • IDS

    • Passive ~ Out of band

    • These devices can monitor and analyze events that occur on a network or system, thus looking for intrusion attempts based on signatures or patterns.

    • IDS requires careful tuning to network conditions to be effective, otherwise false positives are too high to make the system useful.


Ids and ips cont l.jpg
IDS and IPS (cont.)

  • IPS

    • IPS can provide more accurate alerts.

    • IPS uses multi-method detection.

    • False Positive ~ may unnecessarily suspend a connection and therefore block legal traffic immediately.

    • Gartner: “This real-time response which registers attacks as legitimate events, even if those attacks have no bearing on the network, could be too disruptive to operations.” (Ratzlaff)


Ids and ips cont4 l.jpg
IDS and IPS (cont)

  • IPS can identify that an intrusion has taken place and is able to provide the intruder's IP address. Network administrators still have to investigate the attack, determine how it occurred and correct the problem.

  • One of the reasons against aggregating all the network security in one box is that it contradicts the "defense-in-depth" or “security-in-layers” concept, thus failure in one area could mean a failure of the entire internal network.

  • IPS Fine Tuning and Network Tuning is more complex than IDS.

  • Point: The cost of shutting down a connection due to false positives would cause more problems than it solves. IDS is the better bet.


Infoworld l.jpg
InfoWorld

  • “In simple terms, IDS may be perfectly suited for network attack monitoring and for alerting administrators of emerging threats. But its speed, performance and passive limitations have opened the door for IPS to challenge it as the proactive defense weapon of choice.”

  • http://www.infoworld.com/article/03/04/04/14ips-sb_1.html, April 04, 2003


Gartner forecast on ids l.jpg
Gartner forecast on IDS

  • Gartner, Inc. released a document authored by Richard Stiennon entitled, "Intrusion Detection Is Dead - Long Live Intrusion Prevention.“

  • I believe this to be wrong for the following reasons:


Reasons ids still works l.jpg
Reasons IDS still works

  • Product or technology life cycle methodology as been proven for years (beginning, middle, end, start over) for IPS has just begun.

  • COST $$$$$$ Maybe the larger corporations have the money to throw away $100,000 or more in current IDS technology, but who else can ?

  • IDS still provides a service.

  • IDS can be fine turned to work and product proper reporting.

  • This statement appears to show that now even Gartner has succumbed to marketing hype

  • (IDS v. IPS Commentary, By Gary Golomb, Posted By: Eric Lubow, 6/16/2003 9:01 )


Difference between ids and other devices l.jpg
Difference between IDS and other devices

  • The main difference between an IDS and other security devices is the fact that it's out-of-band, or passive, in nature. It passively watches all traffic looking for SIGNS of attacks, compromise or other misuse. The key benefit to being out-of-band is that you have the ability to flag traffic that looks even the slightest bit "suspicious,” while NOT being detected!


What about virus protection l.jpg
What about virus protection?

  • IPS would have to be fine tuned to block virus or malicious code attacks. Thinking down this path may lead to similar -- if not more -- false positives. IPS will shut down connections, while IDS will detect and report.


Looking for the holy grail of security l.jpg
Looking for the Holy Grail of security

  • “Security professionals are constantly looking for the "holy grail" of security products. They have bought firewalls, vulnerability assessment tools and intrusion-detection systems (IDS), hoping to find the ultimate security tool. The truth is much more difficult - security is an ongoing process that involves multiple layers of protection.”

  • http://www.lucidsecurity.com/whitepapers.php


What about code red and ids l.jpg
What about Code Red and IDS?

  • “A good intrusion-detection system (IDS) could have mitigated the attack on Client Company, but probably would not have stopped it. This type of system would have alerted system engineers at the outset of the attack, and they could have then taken proactive and reactive steps to stop the infection; however, with the speed at which Code Red spread it is hard to imagine effectively combating this worm through a hurried, manual patching process.”

  • http://www.lucidsecurity.com/whitepapers.php


What about code red and ips l.jpg
What about Code Red and IPS

  • “Intrusion-prevention systems (IPS) that can intelligently block incoming exploits could have drastically altered the effect of Code Red at Client Company. Depending on the speed of the IPS, it could have been possible to stop the infection entirely. When used in combination with strictly controlled firewalls, standardized network policies and a good notification system, intrusion prevention engines significantly narrow the window of opportunity for crackers.”

  • http://www.lucidsecurity.com/whitepapers.php


Market growth l.jpg
Market Growth

  • Infonetics Research has predicted that the IDS market will grow 43% to $149m by this time next year.

  • The market watcher believes that annual IDS revenue will hit $1.1bn by 2006, a compound annual growth rate of almost one third.

  • Infonetics reported that the IDS/IPS market is currently experiencing disruptive technology shifts. Although growth will continue during 2003, the market will only really take off in 2004.

  • http://uk.news.yahoo.com/030905/175/e7mg3.html


Industry statements l.jpg
Industry Statements

  • “This whole argument (that Gartner started with an incomplete and not real world report) is like saying that human guards will be replaced by cameras, because it is cheaper to run a camera. Course someone has to look at the output from a camera, but who's counting. Camera's are good and guards are good, but together they make for tighter security.” Steven T. Carey

  • http://archives.neohapsis.com/archives/sf/ids/2003-q2/0293.html


Industry statements ii l.jpg
Industry Statements II

  • “If we are not careful installing and configuring IPS, we will just give attackers more tools to allow them to DoS us. Trust is quite difficult with current network infrastructure and protocols where everything can be forged... (we still use IPv4 most of the time to communicate, there are no reliable audit traces to feed even the perfect IPS).” Omar Herrera

  • http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ids/2003-06/0167.html


Industry statements iii l.jpg
Industry Statements III

  • “That is what upsets me the most about incidents like this. Because of the long history Gartner has with industry reporting, their documents carry a lot of weight for many organizations. Although, this recent track record of negligence is disturbing to say the least.”

  • Gary GolombSenior Research EngineerDragon Intrusion Detection GroupEnterasys Networks


Conclusion l.jpg
Conclusion

  • IPS may be superior, but again, the lifecycle of technology in general must be considered for it is critical.

  • Factors: cost, setup, tuning (more than IDS), and version 1 or 1st generation.

  • Industry agrees: Could have stopped Code Red and others, but will take time to implement and fully understand.


Questions l.jpg

Questions?

Submit your questions to Ed by clicking on the Ask a Question link on the lower left corner of the screen.


References l.jpg
References

  • http://www.linuxsecurity.com/articles/forums_article-7476.html

  • http://www.nwc.com/1411/1411colshipley.html

  • http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci905961,00.html

  • http://www.ncs.com.sg/media/clippings_2003/apr_03/apr03_acw_ids.asp

  • http://www.derkeiler.com/Mailing-Lists/securityfocus/focus-ids/2003-06/0167.html

  • http://archives.neohapsis.com/archives/sf/ids/2003-q2/0293.html

  • http://www.lucidsecurity.com/whitepapers.php

  • http://www.infoworld.com/article/03/04/04/14ips-sb_1.html, April 04, 2003


Thank you l.jpg
Thank you

Thank you for participating in this SearchSecurity.com on-demand webcast. If you have comments or suggestions for future webcasts, e-mail the editor at [email protected]


ad