Network or host-based intrusion detection systems (IDS) and network or host-based intrusion prevention systems (IPS), along with firewalls, represent some of the tools available to defend networks and keep them secure. As you progress through the various labs and readings in this course, keep these fundamental security concepts in mind.
Complete the following for both IDS and IPS:
Examine two advantages and two disadvantages of each system. Explain where you recommend using each system, or both systems, and why. Provide a specific example of each system that meets the budget and defensive needs of a home or small office. Include the strengths and weaknesses. Provide a specific example of each system that meets the budget and defensive needs of a large corporate office. Include the strengths and weaknesses.
Recommended Usage
I recommend using the IDS primarily for compliance, deep visibility, and post-incident forensic analysis. It is best placed out-of-band (not directly in the traffic path) to monitor traffic passively, specifically behind the firewall to look for activity the firewall missed.
Intrusion Prevention System (IPS)
An IPS is an active security control that monitors network traffic or host activity, detects malicious patterns, and takes immediate action to prevent the traffic from reaching its destination.
Advantages and Disadvantages
Feature
Advantage
Disadvantage
Defense
Proactive Defense (Blocking): Automatically blocks threats in real-time based on defined rules and signatures, stopping attacks before they can cause damage.
Single Point of Failure/Latency: Because the IPS must be deployed inline (in the traffic path), a failure in the IPS can bring down the entire network segment. It can also introduce latency.
Efficacy
Reduces Workload: By automatically dropping known bad traffic, it significantly reduces the workload on security analysts and minimizes alert fatigue.
Risk of False Positives: A false positive (blocking legitimate traffic) can lead to a denial of service for users, disrupting critical business operations.
Recommended Usage
I recommend using the IPS for frontline, real-time protection against immediate threats. It should be placed inline (between the firewall and the internal network) to enforce policy and immediately drop malicious packets (e.g., known exploits, malware command and control traffic).
Recommendation for Both: Organizations should use both systems for a layered defense. Use the IPS inline for automated defense against known threats and the IDS out-of-band for deeper visibility, logging, and detecting subtle, zero-day attacks that require human analysis.
Sample Answer
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are crucial components of network defense, working alongside firewalls to maintain security. Below is an examination of each system, including their pros, cons, usage recommendations, and specific examples for different organizational sizes.
Intrusion Detection System (IDS)
An IDS is a passive monitoring tool that detects suspicious activity and issues alerts but does not stop the traffic.