IDS vs IPS

I'm studying for my Security+ using Darril's book (great read by the way) and I'm reading about IDSs and IPSs...I was wondering why you would install an IDS when they only detect attacks....wouldn't it make more sense to just use an IPS to detect and prevent the attack?

Find more posts tagged with

Comments

lsud00d

They serve somewhat different purposes, have different price-points, and are used in conjunction with other products to do potentially overlapping duties.

Node Man

Im new to all this and may be wrong, but if i remember from ICND1 reading - IDS may be used when the network admin wants to monitor potentially bad packets. In other words, isnt positive the traffic is harmful. Whereas IPS, is more like a firewall and just prevents the traffic.

f0rgiv3n

IDS is cheap. IPS is expensive.

IDS is easy to install, it can be "off to the side" plugged into a port on a switch that's mirroring all traffic.
IPS is more difficult because it is more often installed "in-line" which requires downtime.

IPS can also present more risk because it will be "automagically" manipulating/blocking traffic based on its definitions. Some peoples' networks cannot have that happen with the risk of false positives occurring.

Those are the biggest reasons that come to my mind.

bobloblaw

Exactly what f0rgiv3n said.

glenn_33

clears things up a bit! thanks guys!!

docrice

I could talk about this all day. Here's my short version:

An IPS is essentially an IDS that's inline. Even if you're able to configure the IPS to never drop anything, the fact that it's in a direct physical path where traffic has to traverse from client to server (or vice versa) means yet another potential failure point due to power outages, faulty hardware, software bugs, etc.. Commercial IPS appliances typically use relays that allow the wire connection to fail-open (traffic flows through when power to the inline sensor appliance is lost) but there could be a several second gap depending on the vendor in question.

Snort, for example, is really good technology and can run in either IDS or IPS mode (and it's free!). Same thing with the commercialized variant under the Sourcefire brand which is just open-source Snort under the hood with some additional capabilities. The upside with an inline IPS unit verses a passively-monitoring IDS is that you can actively block things. It makes it an access-control device like a firewall but with granular signatures, essentially making it an antivirus for the network. Given the nature of attacks old and new, it must inspect all aspects of the traffic from layer 2 through 7 which means sufficient processing power must be place so the latency caused by inspection is minimized as much as possible, otherwise people will notice the slowdown. Wire latency is a big deal when inline for obvious reasons.

You can prevent bad things from happening when inline (assuming it's a true positive), but the upside of being inline is also its downside and if you have false positives, you're dropping traffic ... potentially really critical traffic. Most people don't opt to tune their sensor config for their environment and to run an IPS correctly you need to really understand the traffic characteristics specific to your network at a low level. Understanding IDS / IPS is not as simple as administrating firewalls.

The upside with an IDS is that it's not inline and if you have a false positive, you didn't break anything. The downside is that you can't actively stop real attacks that are properly identified, only respond to them after-the-fact. If it's a false positive, you end up on a wild goose chase and wasting your time, but that's the same thing with an IPS as well. But because it's not inline and can't block things, it falls into a very different category - auditing. Same technology as the other, but its purpose becomes a separation point from what an ACL essentially provides.

The fact that a false positive when inline means immediate disruption might cause a lot of organizations to run a conservative ruleset / filtering policy, which means less protection. You're essentially downgrading the security in that sense compared to the full potential that could be provided. When you're not inline, you can run more aggressive rules which potentially increases the chances of false positives.

So IDS and IPS - same technology, same box, but depending on the mode you're in, it's treated in a slightly different manner. A lot of organizations need that "I have an IPS that's inline" compliance checkbox and that's what they buy it for, a lot of times without understanding the administrative cost associated with it. Usually the physical ports on the appliance can be converted for use as either monitor-only or as an inline pair (where traffic flows into one, gets inspected, and if it gets a thumbs-up from the policy engine, flows out the other interface).

The commercial appliances are expensive but that's because it has to do more work than traditional stateful-inspection firewalls as well as the newer application-level inspection firewalls since it has to look for all kinds of protocol anomalies, perform stream reassembly, watch for known evasion tactics, potential reputation matching, and complete payload de-obfuscation / interpretation - all at wire speed. Some firewalls (sometimes marketed as UTM - unified threat management) might have a built-in IPS function as part of its design or accommodate a module that's dedicated for IPS capabilities, but using it means reduction in overall throughput since the appliance now has to dedicate processing cycles for deeper inspection of traffic affected by the IPS policy.

There's a place for dedicated IPS-only appliances as well as IPS that's built into firewall-marketed appliances. I generally like point solutions as they usually offer much better visibility and configuration / tuning, but for a lot of people it's too much to manage and a simpler solution with the IPS as part of the firewall makes much more sense and usually cheaper.

the_hutch

Well, I'm not going to try to compete with that. Docrice's post gets my stamp of approval. Thread closed, lol

traceyke

the_hutch wrote: »

Well, I'm not going to try to compete with that. Docrice's post gets my stamp of approval. Thread closed, lol

Agreed! I learned soooo much after reading docrice's post. He wrote it in such a concise manner.