IDS vs. IPS: Experts say use both
- By William Jackson
- Oct 19, 2005
At first glance, intrusion detection and intrusion prevention systems look quite a bit alike. They both examine traffic going in and out of a network, looking for things that don't belong.
But there are significant differences that make some administrators reluctant to abandon IDS and just as reluctant to adopt IPS.Intrusion detection
An IDS examines packets, gathers information, logs it and can alert administrators when it thinks something bad is happening. It is up to the administrator to decide what action to take. Because the IDS does not make decisions about blocking traffic, it can take its time and can provide large amounts of data about network activity.
Administrators can be confident that legitimate traffic is not being blocked and that they have all the information they need to make decisions. But on the other hand, they have to respond to those alerts and someone has to go through all of those logs if they are to be useful.Intrusion prevention
An IPS not only examines network traffic, but can also automatically block traffic it thinks is inappropriate or malicious. This takes a burden off the administrator, but many are uncomfortable with turning that responsibility over to a machine. Bonuses and even job security can depend on whether the wrong traffic gets blocked.
Because an IPS must make its decisions on the fly, it does not have time to examine packets as closely and to compile log data that might be needed later.
'Ideally, you would have one box do it all,' said Gregory Tepe, director of federal security solutions for Enterasys Networks Inc. of Rochester, N.H. But the different requirements mean that for the foreseeable future, different products will likely be needed to do these jobs.
'In the future, IPS boxes are going to have to be smarter,' and integrate with other vendors' firewalls, antivirus and other security products, said John Trollinger, with the security technologies group of Cisco Systems Inc.
But despite a trend toward all-in-one platforms that combine firewalls, virtual private networks and IPS appliances, Trollinger does not see these appliances replacing standalone devices.
'I don't think that will ever go away,' he said.
William Jackson is freelance writer and the author of the CyberEye blog.