How do Intrusion Detection/Prevention Systems work?
23 December 2019

Written by Seqrite

Enterprises mainly use two types of systems to deal with network intrusions: Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). While the two systems are largely similar, it is important to understand the major aspects that distinguish them.

Intrusion Detection Systems (IDS) operate through a process where events on the network are monitored and analyzed to detect possible incidents of trespassing or violation of security markers. This is mainly a reactive process where all incoming and outgoing network activity is monitored and any signs of intrusion in the systems that could jeopardize the business are flagged. Its main function is to raise an alert when it discovers any such activity and hence it is commonly known as a passive monitoring system.

IDS uses the following techniques to detect attacks –

Signature-Based Detection

With this method, IDS detects an attack by a pattern or signature that corresponds to a known type of attack; signatures are compared to past observed events to identify a possible attack. For example, an IPS system would flag an email with a subject line like ‘Free pics’ as it is a known signature of malware. This kind of detection is effective for attacks that are already logged in the system.

Anomaly-Based Detection

In the Anomaly-Based Detection method, IDS matches network activity against a normal profile of activity. When observed network activity deviates from this normal profile, the system can flag it. For example, IDS will detect an incident when it observes a data flow on the network that is considerably higher than the normal pattern. However, with this method the profile must be continuously updated, as false positives may occur.
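The two detection techniques described above can be sketched as follows. This is an added example, not Seqrite's code: the signature name, the traffic samples, the thresholds and the moving-average profile are all assumptions, with only the ‘Free pics’ subject line taken from the article. It shows a stale profile flagging legitimate traffic growth, while a continuously updated profile flags only the real spike.

```python
import re
from dataclasses import dataclass

# Constructed signature set; the 'Free pics' subject is the article's example.
SIGNATURES = {
    "mail-subject-free-pics": re.compile(r"^subject:\s*free pics\b", re.I | re.M),
}

def match_signatures(payload):
    """Signature-based detection: names of the known patterns found in payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

@dataclass
class VolumeProfile:
    """Anomaly-based detection: profile of 'normal' bytes per interval."""
    mean: float
    var: float
    alpha: float = 0.2       # weight given to each new sample (assumed value)
    threshold: float = 3.0   # flag samples this many std devs above the mean
    adapt: bool = True       # False models a profile that is never updated

    def observe(self, nbytes):
        std = max(self.var ** 0.5, 1.0)
        anomalous = (nbytes - self.mean) / std > self.threshold
        # Update the profile only from traffic judged normal, so a flagged
        # spike cannot immediately become part of the baseline.
        if self.adapt and not anomalous:
            delta = nbytes - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        return anomalous

# Constructed samples (KB per minute): gradual legitimate growth, then a spike.
SAMPLES = [1000, 1100, 1200, 1250, 1400, 1500, 9000, 1500]

def flagged(samples, adapt):
    """Indexes of the samples reported as anomalous."""
    profile = VolumeProfile(mean=1000.0, var=100.0 ** 2, adapt=adapt)
    return [i for i, n in enumerate(samples) if profile.observe(n)]

if __name__ == "__main__":
    mail = "From: a@example.test\nSubject: Free pics\n\nhello"  # constructed
    print("signature hits:", match_signatures(mail))
    print("stale profile flags:", flagged(SAMPLES, adapt=False))
    print("updated profile flags:", flagged(SAMPLES, adapt=True))
```
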

Intrusion Prevention Systems (IPS) are a step forward from IDS in terms of capabilities. Where IDS is a reactive mechanism, IPS is proactive and attempts to go one step beyond detection, actively seeking to prevent the detected threat from succeeding. It is an active control mechanism that monitors the network traffic flow. It identifies and averts vulnerability exploits in the form of malicious inputs that intruders use to interrupt and gain control of an application or a system.

IPS technologies attempt to stop a detected attack from succeeding through some of the below actions:

Terminating network connection

The IPS can attempt to stop a detected attack within the network by terminating the connection being used for the attack and blocking access to the target from the offending account.

Automating security controls

On detecting an attack or vulnerabilities within a host, an IPS can attempt to prevent damage by applying preset automated security controls, such as downloading patches or reconfiguring the settings of a firewall.

Attempt to make the attack benign

An IPS can attempt to tackle an attack by trying to make it benign, for example by removing a malicious attachment from an email.

Seqrite’s Unified Threat Management (UTM) offers a one-stop solution for all enterprise security needs which includes intrusion detection and prevention as a standard feature.

UTM’s in-built IDS and IPS components keep enterprises safe by:

  • Monitoring, evaluating and catching threats in real-time
  • Preventing Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks
  • Preventing the discovery of open ports by attackers

Seqrite UTM’s IPS acts as a security barrier against unwanted intrusions into your network and forestalls a broad range of DoS and DDoS attacks before they penetrate the network. Deploying this level of protection can benefit an enterprise in various ways, including:

  • Providing a snapshot of network security at one glance
  • Protection of enterprise assets within the network
  • Triggers raised on detection of any suspected breach or activity in the network
  • A holistic approach towards prevention of intrusions
