Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS)

An Intrusion Detection System (IDS) monitors network traffic to detect threats and raise alerts to a management system. An Intrusion Protection System (IPS) inspects network traffic, detects threats, and automatically takes action to avert the attack.

Similar to a firewall, an IPS is deployed inline in the traffic flow. It is an active network component that examines every passing packet and takes remedial action per its configuration. In contrast, an IDS is a passive component that is typically not deployed inline; instead, it monitors a copy of the traffic flow via SPAN or tap technology and raises notifications.

IDS, IPS and Firewall Integration

The detection functions of IDS and IPS overlap, so current market solutions often integrate them. Configuration options allow the administrator to control whether only alerts are raised (traditional IDS), or whether evasive action is also taken (traditional IPS).

IPS and firewall technology may also be integrated due to the similarity of their rule-based policy actions. A firewall typically allows or denies traffic based on ports or source/destination addresses. IPS compares traffic patterns to signatures and allows or drops packets based on matches found.

Overall solution performance improves when unpacking and analyzing a packet only once, and then simultaneously applying all the desired policies, notifications and actions.
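
The sketch below illustrates the integration described in this section: one pass over each packet applies the firewall policy and the signature policy, and a single setting decides whether a signature hit only alerts (IDS) or also drops the packet (IPS). It is an added example, not Versa's or any vendor's code; the `Packet` type, the rule names, the signature ID and the sample policy are assumptions made for illustration, and the device is assumed to sit inline.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Constructed policy (hypothetical values, documentation address ranges).
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # firewall: source deny list
ALLOWED_PORTS = {80, 443}                                # firewall: permitted ports
SIGNATURES = {2001: b"/etc/passwd"}                      # IPS: content signature

def process(pkt, prevent):
    """Inspect a packet once and return (verdict, alerts).

    prevent=False: traditional IDS behaviour, signature hits only raise alerts.
    prevent=True:  traditional IPS behaviour, signature hits also drop the packet.
    """
    # Firewall stage: allow/deny on addresses and ports, independent of content.
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BLOCKED_NETS):
        return "drop", ["firewall:source-denied"]
    if pkt.dst_port not in ALLOWED_PORTS:
        return "drop", ["firewall:port-denied"]

    # Signature stage: reuses the already-parsed packet instead of re-parsing it.
    verdict, alerts = "forward", []
    for sid, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            alerts.append(f"signature:{sid}")
            if prevent:
                verdict = "drop"
    return verdict, alerts

if __name__ == "__main__":
    probe = Packet("198.51.100.7", 443, b"GET /download?file=/etc/passwd HTTP/1.1")
    print("IDS mode:", process(probe, prevent=False))
    print("IPS mode:", process(probe, prevent=True))
```

The same packet yields the same alert in both modes; only the verdict changes, which is why alert-only mode is commonly used to tune signatures before enabling drops.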

IDS/IPS Protects You Against These Threats

A breach or intrusion is any unauthorized access or activity in a network or compute system. Threat actors exploit diverse methods and vulnerabilities to access confidential resources, steal private data, alter data, destroy resources or block legitimate access to resources with the goal of impairing productive business operation. Threat actors are motivated by a wide range of goals: monetary gain, revenge (for example, by disgruntled employees), ideological or political conflict, or competitive advantage.

The attack surface is the area of your network and other digital operations potentially open to intrusion by unauthorized access. The more connected your network and resources are, the broader the attack surface. Traditionally, internal enterprise networks were shielded from the outside world either by denying Internet access altogether, or by allowing it only behind the beefy firewall in the data center. But with the advent of the digital transformation—trends in mobility, Internet access everywhere, cloud-based computing, cloud-native companies and services, work-from-home on a scale unimaginable before 2020—businesses now thrive or fail on the very extent of their connectivity. The attack surface is huge. Vigilance is imperative.

How does IDS/IPS Detect Threats?

IDS/IPS systems detect suspicious or unauthorized activity: phishing attacks, virus infection and distribution, malware and ransomware installation and download, denial of service (DoS), man-in-the-middle attacks, zero-day attacks, SQL injection. Cyberattacks trend towards increasing sophistication over time.

E-commerce is now essential to all economic activity and the exposure to known and new (unknown) threats escalates daily.

  • Known threats are typically detected by matching traffic patterns against signature patterns. Frequently updated databases contain vast troves of signatures characterizing existing threats. IDS/IPS systems continuously look for matches against known signatures.
  • Unknown threats are malicious patterns never seen before—sometimes evasive variations of known threats—and are significantly more arduous to detect. IDS/IPS uses behavioral analysis to pinpoint potentially anomalous traffic patterns. Models of “ordinary” network behavior are established and updated using machine learning, heuristics and AI. IDS/IPS continuously compares actual network traffic with these models to recognize potentially inconsistent behavior that might indicate an intrusion event.
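
The two detection approaches above can be compared side by side in a small sketch. This is an added example, not code from the original page or from any product: the signature IDs and patterns, the host address and the connection rates are constructed, and a simple mean/standard-deviation baseline stands in for the machine-learning models the text mentions.

```python
import re
import statistics

# Constructed signatures (hypothetical IDs and patterns, not from a real ruleset).
SIGNATURES = [
    (1001, re.compile(rb"union\s+select", re.I)),   # SQL injection attempt
    (1002, re.compile(rb"\.\./\.\./")),             # path traversal attempt
]

def match_signatures(payload):
    """Known threats: return the ID of every signature found in the payload."""
    return [sid for sid, rx in SIGNATURES if rx.search(payload)]

class RateBaseline:
    """Unknown threats: model the 'ordinary' connection rate of each host."""

    def __init__(self, threshold=3.0, min_samples=5):
        self.threshold = threshold      # deviations above the mean that count as anomalous
        self.min_samples = min_samples  # below this, there is no usable model yet
        self.history = {}

    def learn(self, host, conns_per_min):
        self.history.setdefault(host, []).append(conns_per_min)

    def is_anomalous(self, host, conns_per_min):
        samples = self.history.get(host, [])
        if len(samples) < self.min_samples:
            return False                # no baseline: stay silent rather than guess
        mean = statistics.mean(samples)
        # Floor the deviation so a perfectly flat baseline does not alert on +1.
        stdev = max(statistics.pstdev(samples), 1.0)
        return (conns_per_min - mean) / stdev > self.threshold

def inspect(baseline, host, payload, conns_per_min):
    """Run both detectors on one observation and return the alerts raised."""
    alerts = [f"signature:{sid}" for sid in match_signatures(payload)]
    if baseline.is_anomalous(host, conns_per_min):
        alerts.append("anomaly:connection-rate")
    return alerts

def build_demo_baseline():
    """Constructed training data: one host making about 11 connections per minute."""
    baseline = RateBaseline()
    for rate in [10, 12, 11, 9, 13, 10, 12]:
        baseline.learn("10.0.0.5", rate)
    return baseline
```

A request with a benign payload but a connection rate far above the learned baseline raises only the anomaly alert, which is the case a signature database alone would miss.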

Types of Intrusion Detection Systems (IDS)

Intrusion Detection Systems generally come in two flavors.

  • Network Intrusion Detection Systems (NIDS): The system is part of the network infrastructure and monitors packets as they flow through the network. NIDS usually co-resides with devices that have SPAN, tap or mirroring capability, such as switches.
  • Host-Based Intrusion Detection Systems (HIDS): This software resides on client, computer or server devices, and monitors events and files on the device.

Types of Intrusion Protection Systems (IPS)

There are multiple types of Intrusion Protection Systems.

  • Network-based Intrusion Prevention System (NIPS): This system is deployed inline in the network infrastructure and examines all traffic in the entire network.
  • Wireless Intrusion Prevention System (WIPS): This system is part of the wireless network infrastructure and examines all wireless traffic.
  • Host-based Intrusion Prevention System (HIPS): This software resides on client, computer or server devices, and monitors events and files on the device.
  • Behavior IPS: This system is part of the network infrastructure and examines all traffic for unusual patterns and behavior in the entire network.

IDS/IPS in a Versa Secure SD-WAN

Versa’s Secure Cloud IP Architecture offers a unique Secure SD-WAN solution in an integrated single-stack, hardware-agnostic software-only offering that scales to the needs of any network. The integration of security into the very fabric of the solution simplifies your network architecture, reduces the number of devices to manage, and limits the attack surface.

The Versa Secure SD-WAN single-pass parallel-processing architecture ensures the highest IDS/IPS inspection performance and obviates the need for dedicated single-purpose intrusion inspection devices. Ground-up integration of security within the Versa stack ensures full IDS/IPS functionality is available everywhere in your network to protect against every Internet, public network, personal mobile device, or IoT connection.

A key aspect of Versa’s Secure SD-WAN software-defined security is the contextual intelligence and awareness of users, devices, sites, circuits and clouds. This enables robust and dynamic policies that support a multi-layered security posture. For example, IT can deploy contextual IPS policies for specific users and devices, when utilizing certain site-to-site or Internet links.

Versa’s true multi-tenant architecture—which encompasses complete segmentation and isolation of the data, control and management planes—means that customized IDS/IPS policies can be defined for every sub-network, organization, or business unit within your network.

The Versa Secure SD-WAN is recommended by NSS Labs. The Security Effectiveness results in the NSS Labs test report show that Versa’s FlexVNF software blocked 100 percent of the evasion vectors tested and provided attack coverage of 99.8% for static exploits.