What is an Intrusion Detection System (IDS)?

An intrusion detection system (IDS) is an application or appliance used to monitor traffic across a network and/or technology systems. An IDS allows IT professionals to identify suspect activity and documented threats. The IDS analyzes traffic and looks for patterns in the network traffic that are indicative of a cyberattack, such as phishing attacks that include a link that automatically downloads malware. Once a network intrusion is detected, the system issues an alert containing vital information, such as the source address of the incursion, the target address, and the type of attack.

IDS solutions come in several forms, including host-based and network-based systems, depending on where the sensors are placed. These systems can be segmented further as perimeter IDS, VM-based IDS, stack-based IDS, signature-based IDS, and anomaly-based IDS.

What is an Intrusion Prevention System (IPS)?

An Intrusion Prevention System (IPS) is a network security and threat prevention technology that analyzes network traffic to uncover and prevent attacks. An IPS seeks to prevent bad actors from gaining control of vital applications or systems, launching distributed denial of service (DDoS) attacks, or obtaining the rights and permissions of applications.

An IPS is generally placed behind the firewall. Instead of being a passive monitoring system like an IDS, an IPS sits directly in the communication path between source and destination and actively prevents attacks by dropping suspect packets, blocking traffic from malicious sources, and reestablishing connections automatically.

An IPS uses either signature-based detection or statistical anomaly-based detection to respond accurately to attacks. Signature-based detection matches traffic against established threat signatures found in the code. Statistical anomaly detection collects random samples of network traffic and compares them to a pre-established baseline of normal performance. Anything outside the baseline parameters of normal network traffic activity causes the IPS to take corrective action.
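The two detection methods, and the difference between a passive IDS verdict and an inline IPS verdict described in the previous paragraph, in a small sensor written as an added example for this page (it is not NETSCOUT code). The flow record format, the signature list, the host name `bad.example`, the baseline samples and the three sample flows are all constructed for the illustration; the `k` threshold on the baseline is the tuning knob that trades missed detections against false positives.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed flow. The field set is constructed for this example."""
    src: str
    dst: str
    dport: int
    payload: str
    bytes_per_sec: float


@dataclass
class Alert:
    """What the sensor emits: source, target and attack type, as the text above lists."""
    src: str
    dst: str
    attack_types: list
    action: str  # "alert" in IDS mode, "drop" in IPS mode


# Signature-based detection: patterns for known-bad content. Both signatures
# and the host name are constructed placeholders, not real threat intelligence.
SIGNATURES = [
    ("known-bad-host", re.compile(r"\bbad\.example\b")),
    ("disguised-executable", re.compile(r"\.(pdf|doc|jpg)\.exe\b", re.IGNORECASE)),
]


class Baseline:
    """Statistical anomaly detection: learn normal throughput from samples,
    then flag values more than k standard deviations from the mean.
    k is the tuning knob: lower it and false positives rise."""

    def __init__(self, samples, k=3.0):
        self.mean = statistics.fmean(samples)
        self.stdev = statistics.pstdev(samples)
        self.k = k

    def is_anomalous(self, value):
        return abs(value - self.mean) > self.k * self.stdev


def inspect(flow, baseline, mode="ids"):
    """Classify one flow. Returns (verdict, reasons).

    mode="ids": a passive sensor can only raise an alert (verdict "alert").
    mode="ips": an inline device can drop the packet (verdict "drop").
    Clean traffic is forwarded either way.
    """
    reasons = [name for name, pattern in SIGNATURES if pattern.search(flow.payload)]
    if baseline.is_anomalous(flow.bytes_per_sec):
        reasons.append(f"rate-anomaly:{flow.bytes_per_sec:.0f}B/s")
    if not reasons:
        return "forward", []
    return ("alert" if mode == "ids" else "drop"), reasons


def run_sensor(flows, baseline, mode="ids"):
    """Run every flow through inspect() and collect the resulting alerts."""
    alerts = []
    for flow in flows:
        verdict, reasons = inspect(flow, baseline, mode)
        if verdict != "forward":
            alerts.append(Alert(flow.src, flow.dst, reasons, verdict))
    return alerts


# Constructed sample data: a learned baseline of normal throughput (bytes/s)
# and three flows: one clean, one matching both signatures, one anomalously fast.
BASELINE_SAMPLES = [1000.0, 1200.0, 900.0, 1100.0, 1000.0, 1300.0]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "GET /news HTTP/1.1", 1150.0),
    Flow("10.0.0.7", "198.51.100.9", 80,
         "GET /invoice.pdf.exe HTTP/1.1 Host: bad.example", 1050.0),
    Flow("10.0.0.9", "203.0.113.10", 443, "POST /api HTTP/1.1", 52000.0),
]

if __name__ == "__main__":
    base = Baseline(BASELINE_SAMPLES)
    for mode in ("ids", "ips"):
        for a in run_sensor(SAMPLE_FLOWS, base, mode):
            print(f"[{mode}] {a.action}: {a.src} -> {a.dst} ({', '.join(a.attack_types)})")
```

Running the same flows in both modes shows the only difference between the two devices is what they may do with a verdict: the IDS emits an alert carrying source, target and attack type, while the IPS drops the flow. With the constructed baseline the threshold works out to roughly 1,490 bytes/s, so the 1,150 bytes/s flow passes and the 52,000 bytes/s flow does not.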

Do I need both IDS and IPS?

The primary difference between IDS and IPS is that IDS simply monitors traffic, while IPS provides control and protection. Both are required to adequately protect against attacks. Hybrid solutions that offer characteristics of both IDS and IPS provide such combined protection.

If budgets are constrained and an organization can only choose one solution, IDS should be the preference. IDS provides much-needed visibility into threats, but on its own it requires regular and active response to any detected issues, which takes time and manpower. Conversely, the automated response of an IPS solution makes it more effective at protecting systems. Here too, though, the solution is only effective if it is tuned to the network and application usage; failure to tune it adequately will result in a high rate of false positives that can interrupt legitimate traffic. IPS solutions are also effective at detecting problems caused by human error, which tend to be more common than targeted attacks.

Is an Intrusion Prevention System (IPS) the same as a Web Application Firewall (WAF)?

While IPS and WAF are both focused on network security, they function differently. A WAF blocks and filters incoming and outgoing traffic, while an IPS detects an incursion and alerts security professionals, or takes automated action to prevent the attack, depending on the configuration.

An IPS is installed after the firewall in layer 2, while WAF is installed inline at the perimeter of the network in layer 3.

What is a Web Application Firewall (WAF)?

A Web Application Firewall (WAF) is designed to protect web applications by monitoring HTTP traffic between an application and the Internet, and then filtering any cyberattacks it detects. These attacks typically fall into the categories of cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection. As a protocol layer 7 defense, a WAF is generally one of many tools employed to create a more robust defense against a wide range of attack vectors.

When deployed ahead of a web application, the WAF acts as a reverse proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server, thus shielding it against attacks.

A WAF utilizes a set of rules, called policies, which are designed to mitigate vulnerabilities in the application by blocking malicious traffic. One of the advantages of deploying a WAF is the ability to quickly modify policies to address changing attack vectors. This makes this type of security solution highly adaptable, which is particularly useful during a DDoS attack, where rate limiting can be rapidly implemented by simply modifying WAF policies.
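The policy model described above, as an added example rather than any vendor's code: a reverse-proxy style filter whose policy is plain data, with two content rules for attack classes the text names and a per-client sliding-window rate limit that is switched on at runtime by modifying the policy. The request format, the rule patterns, the addresses and the `rate_limit` field name are all constructed for this illustration; the patterns are intentionally simple and not a substitute for a maintained rule set.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    """One HTTP request as the WAF sees it. The field set is constructed for this example."""
    client_ip: str
    path: str
    query: str
    ts: float  # arrival time in seconds


class Waf:
    """Reverse-proxy style filter: every request is decided here before it
    reaches the origin. The policy is plain data so it can be swapped at runtime."""

    def __init__(self, policy):
        self.policy = dict(policy)
        # Per-client arrival timestamps for the sliding-window rate limit.
        self._arrivals = defaultdict(lambda: deque(maxlen=1000))

    def update_policy(self, **changes):
        """Hot-swap policy fields, e.g. update_policy(rate_limit=(10, 1.0))."""
        self.policy = {**self.policy, **changes}

    def _over_rate(self, req):
        q = self._arrivals[req.client_ip]
        q.append(req.ts)
        limit = self.policy.get("rate_limit")  # (max_requests, window_seconds) or None
        if limit is None:
            return False
        max_requests, window = limit
        while q and q[0] <= req.ts - window:  # forget arrivals outside the window
            q.popleft()
        return len(q) > max_requests

    def decide(self, req):
        """Return ("allow", None) or ("block", rule_name)."""
        for name, pattern in self.policy["rules"]:
            if pattern.search(req.path) or pattern.search(req.query):
                return "block", name
        if self._over_rate(req):
            return "block", "rate-limit"
        return "allow", None


# Constructed starting policy: two content rules for attack classes named in
# the text, and no rate limit yet. The patterns are deliberately simple.
POLICY = {
    "rules": [
        ("sqli-tautology", re.compile(r"(?i)('|%27)\s*or\s+'?\d+'?\s*=\s*'?\d+")),
        ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ],
    "rate_limit": None,
}


def flood(waf, ip, n, ts):
    """Send n identical requests from ip at time ts; return how many were blocked."""
    return sum(
        waf.decide(Request(ip, "/", "page=1", ts))[0] == "block" for _ in range(n)
    )


if __name__ == "__main__":
    waf = Waf(POLICY)
    print(waf.decide(Request("192.0.2.10", "/search", "q=shoes", 100.0)))
    print(waf.decide(Request("192.0.2.10", "/item", "id=1' or 1=1", 101.0)))
    print("blocked before limit:", flood(waf, "198.51.100.7", 20, 200.0))
    waf.update_policy(rate_limit=(10, 1.0))  # react to the flood by changing policy
    print("blocked after limit:", flood(waf, "198.51.100.7", 20, 202.0))
```

The point of keeping the policy as data is visible in the last two lines: the first burst of 20 requests is all allowed, the operator adds `rate_limit=(10, 1.0)` without restarting anything, and the next burst from the same client has its 11th and later requests blocked. Content rules are evaluated before the rate check, so a request blocked by a rule never consumes the client's rate budget.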

Smart Perimeter Protection with NETSCOUT Arbor Edge Defense