IDS or IPS?
A couple of days ago, during a lesson (there is a course in Israel called CISO, and I am one of the instructors), I talked about IDS and IPS systems.
For those of you who are not familiar with the systems:
IDS stands for Intrusion Detection System and IPS stands for Intrusion Prevention System.
As you can understand from the names of the devices, they are very close to each other.
In many cases, when I do my consulting work, I see an IPS device in an organization, and when I ask why they chose an IPS over an IDS there is no answer.
When you look closely you can see that the main instruction was to alert when there is an intrusion. There is no need to take action, just to alert, so why would you choose an IPS over an IDS? When you look even closer you can see that this was the recommendation of the previous consultant and no one said otherwise.
Is this a problem? Maybe. I'll explain.
An IPS is a device that needs to interfere with the network traffic. This ability to interfere lets the attacker identify that there is an IPS on the network, because the attacker can see that some packets do not do what they were supposed to.
I think that the main problem with an IPS is that you know that it is there.
If you do not need an active defense, you should consider an IDS.
It is not present on the network from the attacker's point of view.
The monitor port where you place the IDS probe is completely silent and does not allow interference with the traffic.
From the attacker's view there is nothing to worry about, and from your side you can view all the alerts in your SIEM and instruct the SOC to react.
Another point is that if the attacker knows about the IPS, he can identify it and maybe find a way to hurt the device itself: a 0-day for the IPS.
So why use an IPS? Because there are places that need to respond when they are under attack. Some people will say it is most places.
All I am saying is don't go to an IPS because someone said it is better. You need to consider whether you need the functionality of an active system that responds to an attack. If that is the case, an IPS will be a good decision, but otherwise? You need to think.
BTW: for this article, I consider an IPS that is not in prevention mode as an IDS.
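To make the passive-versus-inline difference concrete, here is an added example (not from the post) in Snort 2.9 terms: the same signature written as an alert rule for a passive IDS sensor and as a drop rule for an inline IPS sensor, followed by the command lines that start each mode, including the inline-but-alert-only case described above. Interface names, file paths, the rule content and SIDs are assumed for illustration.

```snort
# Added example, not the post's own configuration. Snort 2.9 syntax.
# Interfaces (eth1, eth2), paths, rule content and SIDs are assumed.

# 1) Passive sensor (IDS): the rule only raises an alert. The sensor
#    listens on a switch monitor (mirror) port and never touches traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"TEST sensor marker in HTTP request"; \
    flow:to_server,established; \
    content:"X-Sensor-Test"; \
    sid:1000001; rev:1; )

# 2) Inline sensor (IPS): same match, but the packet is dropped, so the
#    client does not get the response it expected. This is the observable
#    side effect the post talks about.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"TEST sensor marker in HTTP request"; \
    flow:to_server,established; \
    content:"X-Sensor-Test"; \
    sid:1000002; rev:1; )

# How each mode is started (assumed paths and interfaces):
#
# IDS: eth1 attached to a monitor port, alerts written to the fast log.
#   snort -c /etc/snort/snort.conf -i eth1 -A fast -l /var/log/snort
#
# IPS: bridging eth1 <-> eth2 inline with the afpacket DAQ, so that
# drop rules really drop packets.
#   snort -Q --daq afpacket -i eth1:eth2 -c /etc/snort/snort.conf \
#         -A fast -l /var/log/snort
#
# IPS hardware used in detection-only mode (the "IPS that is not in
# prevention mode" of the post): same inline command plus a flag that
# converts drop rules into alert rules at startup, so traffic passes
# unchanged and only alerts are produced.
#   snort -Q --daq afpacket -i eth1:eth2 -c /etc/snort/snort.conf \
#         -A fast -l /var/log/snort --treat-drop-as-alert
```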

My name is Guy Mizrahi and I am a Security Specialist from Israel.
Go to the About page to read more about me.
August 1st, 2010 at 7:25 pm
Great post, Guy,
I think some organizations prefer the active protection (IPS) because maybe they don't have the knowledge or manpower to inspect IDS logs and alerts and to figure out what's going on, and they feel more secure when there is an automatic mechanism that does the "work".
I'm not a professional, but it sounds reasonable to me when you hear that network administrators/security people don't read logs much, so maybe IPS is still better, mostly for the organization that doesn't have the person that will check or operate the device.
Anyway, we all know that you love SNORT, and you like the inspection thing more than the prevention thing, hehe.
between have ++ for your LinkedIn title ;]