Intrusion detection and prevention systems observe all activity within a network, keep records of that activity, and look for intrusions and attacks. Intrusion detection and prevention solutions can be implemented separately or together, though having both of them is often more beneficial because both detection and response are important for network security. Over time, intrusion detection systems (IDS) and intrusion prevention systems (IPS) have merged to become intrusion detection and prevention systems (IDPS).
Intrusion detection systems monitor network traffic and record all activity in system logs, which can be studied for patterns. An intrusion detection system is known for its ability to study network activity and then detect unusual behavior. It observes the network for different traffic patterns, including those characteristic of worms or viruses, and alerts IT teams or administrators to suspicious activity or attacks. IDS can be programmed to expect certain normal network behavior and what typically occurs within segments of the network; its anomaly detection feature flags uncharacteristic actions that don’t line up with the programming.
An IDS learns what an intrusion looks like from previous records, called intrusion signatures, and compares new traffic patterns against them to decide whether a new pattern might also be an intrusion. It reads this data from the log files that the network keeps. This is also an intrusion detection system’s weakness: it is limited to observing intrusions that have already happened.
Intrusion prevention systems analyze network traffic, filter requests, and allow or block requests accordingly. IPS is more proactive than IDS because it can respond to behavior. It can be overwhelming for IT teams, though, because any strange activity, even innocuous, will overload technology staff with alerts. If an IPS isn’t intelligent and can’t interpret network activity well, it will be almost impossible for humans to sort through the barrage of system alerts.
Intrusion prevention systems can be prone to false positives and negatives: a false positive blocks a legitimate packet that merely seems suspicious, and a false negative misses malicious traffic. Machine learning implemented in intrusion prevention can help the system become more accurate if the technology learns network patterns better and detects true problems more reliably. More advanced automation can decrease the number of false positives and negatives. Security teams usually still need to refine rules to avoid triggering false or insignificant alerts.
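As an added example that is not part of the original article, the Python below runs the two detection approaches described above over a few constructed log lines: signature matching against a known pattern, and an anomaly rule that flags sources exceeding an expected failed-login baseline. The loose signature also fires on the harmless search request, the kind of false positive that rule refinement removes; the IP addresses, paths, rules and thresholds are all made up for the illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic): "src_ip method path status".
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
10.0.0.9 GET /login 200
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 401
10.0.0.9 POST /login 200
10.0.0.7 GET /static/../../../etc/passwd 404
10.0.0.3 GET /search?q=../docs 200
"""

# Signature rules (hypothetical): a name and a pattern matched against the request
# path, the way an IDS compares traffic against stored intrusion signatures.
LOOSE_SIGNATURES = {"path-traversal": re.compile(r"\.\./")}
# Refined rule: require repeated traversal that reaches a system directory, so the
# harmless "/search?q=../docs" request no longer produces a false positive.
REFINED_SIGNATURES = {"path-traversal": re.compile(r"(\.\./){2,}.*(etc|bin|windows)")}

def parse_log(text):
    """Split each log line into the fields the detectors need."""
    events = []
    for line in text.strip().splitlines():
        src, method, path, status = line.split()
        events.append({"src": src, "method": method, "path": path, "status": int(status)})
    return events

def signature_alerts(events, signatures):
    """Return (rule, src, path) for every request whose path matches a signature."""
    return [(name, e["src"], e["path"])
            for e in events for name, rx in signatures.items() if rx.search(e["path"])]

def anomaly_alerts(events, max_failed_logins):
    """Flag sources whose failed logins (401 on /login) exceed the expected baseline."""
    failures = Counter(e["src"] for e in events
                       if e["path"] == "/login" and e["status"] == 401)
    return sorted(src for src, n in failures.items() if n > max_failed_logins)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("loose:  ", signature_alerts(events, LOOSE_SIGNATURES))    # two hits, one false positive
    print("refined:", signature_alerts(events, REFINED_SIGNATURES))  # only the real traversal
    print("anomaly:", anomaly_alerts(events, max_failed_logins=3))   # ['10.0.0.9']
```

Raising `max_failed_logins` trades fewer false positives for a greater chance of a false negative, which is the tuning decision the text describes.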
Intrusion prevention systems can be either network-based or host-based. A network-based IPS sits near the firewall and monitors network traffic. A host-based IPS runs on or close to an individual computer or other endpoint (near the host).
Using both intrusion detection and prevention systems (IDPS)
As previously mentioned, intrusion detection and prevention are often lumped together automatically, though they can be implemented as separate solutions. They’re more effective together, however. Detecting possible abnormal activity within an application’s log file does little good if the system cannot take actions to track and quell an intruder. And without software to monitor all the network traffic, prevention systems won’t be able to locate malicious activity as effectively. Though IDPS is not the perfect solution to all network security, it’s best to deploy both detection and prevention if you are planning to use one of them.