Intrusion detection system (IDS) and intrusion prevention system (IPS) technologies – often combined as intrusion detection and prevention (IDPS) – have been in use for decades, yet they remain important cybersecurity tools even in the face of today’s rapidly changing cyber threats and complex IT environments.
An ideal security stack provides continuous protection without gaps. IDS and IPS solutions help fill in the gaps between endpoint protection, firewalls, and other parts of the security stack. In fact, as evidence of their ongoing importance, IDS and IPS features are increasingly becoming part of those other solutions.
IDS and IPS share many common features, but the consensus “best” tool may not be the best option for every organization. While organizations of all sizes can benefit from increased insight into network and endpoint activities, the correct tool for the job will be the one that best fits an organization’s specific requirements. Here we’ll discuss a range of IDS and IPS use cases and suggest the best tools based on your network complexity, from the smallest businesses to the largest enterprises.
Why We Still Need Network Detection and Protection
Even the smallest organizations know that they should implement firewalls and endpoint protection solutions. However, even in smaller networks, these basic defenses can leave a gap for attackers to exploit.
For example, Mandiant researchers discovered a threat actor that ran attacks from equipment that is usually ignored on the network, such as wireless access point controllers, storage area network (SAN) arrays, load balancers, and video conferencing camera systems.
This equipment usually cannot be protected by antivirus solutions or device-specific firewalls. However, we can watch over the network traffic coming and going from these devices to detect unusual and malicious behavior.
IDS vs. IPS
IDS and IPS solutions can be host-based and monitor a specific device, or they can be network-based and monitor the local network. These solutions can, like antivirus software, use signature-based technology to identify known malware attacks, but many new IDS and IPS also incorporate anomaly-based algorithms often boosted by artificial intelligence (AI).
Intrusion detection system (IDS) solutions passively monitor activity and send alerts to a security team. Intrusion prevention system (IPS) solutions do the same, but under specific conditions they can also take action to protect the network, such as adding IP addresses to a firewall blocklist or putting an endpoint or application into quarantine.
Alerts generated by IDS or IPS tools can be sent directly to a security team for follow-up. Larger security teams will send the alerts to a Security Operations Center (SOC) or a Security Information and Event Management (SIEM) tool to provide context for other alerts and provide information about the health of the network or system protected by the IDS/IPS.
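The following is an added example, not code from the article or from any of the products it names: a minimal sensor that combines signature matching with a simple anomaly rule and runs over a constructed batch of connection records. The same engine is run once in IDS mode (alerts only) and once in IPS mode (alerts plus a block action, after which traffic from the blocked source is dropped unseen), which is the behavioural difference the two paragraphs above describe. The rule patterns, the port-scan threshold, the IP addresses and the payloads are all hypothetical.

```python
"""Added example, not code from the article or any vendor mentioned in it:
a minimal IDS/IPS engine combining signature matching with an anomaly rule.
Rules, thresholds and traffic records are constructed for this demo."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Alert:
    src_ip: str
    reason: str
    action: str  # "alert" in IDS mode, "block" in IPS mode


# Signature rules: byte pattern -> rule name. A simplified stand-in for a
# Snort/Suricata content match (constructed, not real rule content).
SIGNATURES = {
    b"/etc/passwd": "Path traversal attempt",
    b"' OR 1=1": "SQL injection probe",
}

# Anomaly rule: one source touching more distinct destination ports than this
# within a batch is treated as a port scan (the threshold is an assumption).
SCAN_PORT_THRESHOLD = 10


class Sensor:
    def __init__(self, prevent: bool):
        self.prevent = prevent            # False = IDS, True = IPS
        self.blocklist: set[str] = set()  # IPs an IPS would push to the firewall

    def _raise(self, src_ip: str, reason: str, alerts: list[Alert]) -> None:
        # IDS only records the alert; IPS also takes the blocking action.
        if self.prevent:
            self.blocklist.add(src_ip)
        alerts.append(Alert(src_ip, reason, "block" if self.prevent else "alert"))

    def analyze(self, conns: list[Connection]) -> list[Alert]:
        alerts: list[Alert] = []
        ports_by_src: dict[str, set[int]] = {}
        for c in conns:
            if c.src_ip in self.blocklist:
                continue  # IPS only: later traffic from a blocked source is dropped
            for pattern, name in SIGNATURES.items():
                if pattern in c.payload:
                    self._raise(c.src_ip, name, alerts)
                    break
            ports_by_src.setdefault(c.src_ip, set()).add(c.dst_port)
        # The anomaly pass looks at the whole batch after the signature pass.
        for src, ports in ports_by_src.items():
            if len(ports) > SCAN_PORT_THRESHOLD:
                self._raise(src, f"Port scan: {len(ports)} distinct ports", alerts)
        return alerts


# Constructed traffic: one benign client, one host sending two malicious
# requests, and one host sweeping twelve ports on the same server.
SAMPLE_TRAFFIC = [
    Connection("10.0.0.2", "10.0.0.100", 443, b"GET /index.html"),
    Connection("10.0.0.5", "10.0.0.100", 80, b"GET /../../etc/passwd"),
    Connection("10.0.0.5", "10.0.0.100", 80, b"POST /login user=' OR 1=1"),
] + [Connection("10.0.0.9", "10.0.0.100", p, b"") for p in range(1, 13)]


def run(prevent: bool) -> tuple[list[Alert], set[str]]:
    """Run one sensor over the sample batch; returns (alerts, blocklist)."""
    sensor = Sensor(prevent)
    return sensor.analyze(SAMPLE_TRAFFIC), sensor.blocklist


if __name__ == "__main__":
    for mode, prevent in (("IDS", False), ("IPS", True)):
        alerts, blocked = run(prevent)
        print(f"{mode}: {len(alerts)} alerts, blocked sources: {sorted(blocked)}")
        for a in alerts:
            print(f"  {a.action:5} {a.src_ip:10} {a.reason}")
```

In IDS mode the sensor reports three alerts and blocks nothing; in IPS mode the first signature hit from 10.0.0.5 blocks that source, so its second request is never inspected and only two alerts are produced, with both sources on the blocklist. That second-request gap is worth remembering when comparing alert counts between an IDS and an IPS watching the same traffic.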
Beyond IDS & IPS
IDS and IPS are older technologies and have been surpassed to some degree.
Next-Generation IPS (NGIPS) tools have been developed that add application and user control features to detect a wider range of attacks. Other NGIPS tools add sandboxing features for automatic and manual inspection of potential malware.
Many of their features have also been incorporated into Next-Generation Firewalls (NGFW), Unified Threat Management (UTM) solutions, or Extended Detection and Response (XDR) tools. To some degree, Endpoint Detection and Response (EDR) tools also act as a host-based IPS for endpoints.
All of these tools exist to detect threats, send alerts, and, where allowed, take action to protect the systems. Naturally, these newer technologies are more expensive and encompass other security features, so for now we’ll focus specifically on IDS and IPS technology and leave the advanced tools for another day.
IDPS Limitations and Factors to Consider
While very useful, IDS and IPS solutions face limitations in complex modern networks, chiefly packet visibility and availability. After all, these solutions can only take action on packets they can inspect.
The most significant barrier to visibility is encryption. Although encryption helps to protect data from interception, encrypted traffic needs to be decrypted for IDS or IPS to inspect and analyze the contents.
Some tools offer decryption capabilities, but this process can reduce performance and, ironically, introduce a security risk. The U.S. National Security Agency (NSA) warns that while transport layer security (TLS) inspection can block encrypted malicious activity, it may also weaken encryption or allow attackers to access decrypted data from the solution performing the inspection.
To counter these weaknesses, organizations should be careful to deploy decryption sparingly and ensure their highest levels of security defend any solution performing the decryption.
Resource sprawl and traffic bloat can also cause problems for efficient and effective IDS/IPS analysis. In modern IT environments, remote users access remote resources such as SaaS solutions and cloud data storage that lie outside of the network.
Traffic or logs outside of the network would need to be routed to a central IDS or IPS for analysis if we want to keep an eye on our entire environment. However, while this improves our visibility, some solutions will also be overwhelmed as they try to inspect larger file sizes, video streams, and Zoom call data.
To avoid user complaints and performance hits, IT managers should consider the following factors in selecting an IDS or IPS solution:
- Budget (as always)
- Current and future expected traffic volumes
- Inputs to the IDS/IPS solution:
  - Cloud applications
  - Cloud resources (data repositories, SaaS tools, etc.)
  - Internet-of-things (IoT) devices
  - Operational Technology (OT)
- Inspection focus (network vs. server vs. entire environment)
- IT environment complexity (segmentation level, distributed or local networks)
- Location of users (local or remote)
- Security team evaluation: maturity, capabilities, and capacity
Of these factors, the security team evaluation may be the most critical, because any IDS or IPS solution will be useless if its alerts are ignored by an overwhelmed team. The type of IDS or IPS appropriate for a few multitasking IT employees will be far different from the tool appropriate for a dedicated security team staffing a robust SOC or SIEM.
IDPS Use Cases & Best Products
IDPS consideration factors tend to result in a spectrum of decision points with many gray zones. However, to illustrate specific use cases and tools we will generalize these factors as we consider solutions from the most complex to the most niche.
Diverse Networks + Cloud Resources
Large enterprise organizations with many cloud resources, remote users, and dispersed local area networks in many separate offices need very robust capabilities from any IDS or IPS solution. These solutions will likely need to be cloud-based or deployable to the cloud to effectively and efficiently monitor cloud and remote user activity.
Five possible solutions that potentially meet these requirements are:
- Fidelis Network IPS (software)
  - Part of the Fidelis ecosystem
  - Protects endpoints, cloud applications, and containers
- Palo Alto Networks IPS (virtual or physical appliance, cloud)
  - Integrated into Palo Alto firewalls
  - Integrates vulnerability protection, anti-malware and anti-spyware detection
- Trend Micro IPS (physical or virtual appliances)
  - Deep packet inspection
  - Incorporates antivirus signatures and anomaly detection
- Vectra Cognito (cloud)
  - AI-powered analysis of public clouds, SaaS, user identities, etc.
  - Uses Vectra’s cloud platform
- Zscaler Cloud IPS (SaaS)
  - Fully scalable solution based upon number of users and traffic volume
  - Supports the widest range of devices: iOS, macOS, Android, Windows, some Linux
All of these solutions offer some forms of decryption to analyze encrypted traffic and sandboxing options to further investigate potential malware. These solutions also tend to be more expensive.
Diverse Local Networks
If a large organization does not need to inspect cloud resources, they can deploy one or more IDS or IPS solutions to inspect the traffic on their local networks. When routing all of the traffic through these solutions, IT managers need to be concerned about throughput performance so that modern video conferencing and other time-sensitive applications will not suffer disruption.
Five possible solutions that potentially meet these requirements are:
- Check Point Quantum IPS (appliance solution)
  - Embedded feature in next-generation firewall
  - Up to 15 Gbps integrated IPS performance
- Cisco Next Generation IPS (virtual or physical appliance)
  - Advanced IPS integrated in Cisco devices or as a standalone solution
  - Embedded DNS, IP and URL security intelligence
- Hillstone Networks (appliance solution)
  - High-speed dedicated IPS appliances with cloud-based management
  - Application-aware detection from layer 3 through layer 7
- SolarWinds SEM (software)
  - Offers SIEM capabilities and log analysis
  - Supports Windows, macOS, Unix and Linux log files
- Zeek (open-source software)
  - Leading open-source IDS with many customizable options
  - Large community support but limited commercial support
These solutions tend to range from mildly to quite expensive but generally offer commercial customer support. The open-source exception, Zeek, can be purchased as an appliance from Corelight with commercial support; otherwise it requires a very experienced and technical team to manage the solution.
Simple Local Network
Smaller organizations often have simple networks with a small number of users and most of their endpoints plugged into simple routers. These organizations will often be more worried about budgets than performance and seek inexpensive open-source solutions managed by a small team of security experts.
Five possible solutions that potentially meet these requirements are:
- Sagan IPS (software)
  - Focused on log analysis, compatible with Snort and other tools
  - IP locator feature
- Samhain IDS (host-based software)
  - Checks log integrity and can feed data into a central monitoring repository
  - Lightweight and can obscure its presence from attackers
- Security Onion IDS (software)
  - Linux IDS for host and network monitoring
  - Can perform live network traffic analysis and store packets to file
- Snort IPS (software)
  - Broad user base and supported by Cisco
  - Sniffer, packet logger, intrusion detection
- Suricata IDS (software)
  - Open-source network traffic analysis
  - Can monitor TLS, HTTP, and SSL protocols
All of these open-source tools can be obtained for free and help monitor a local network. These tools can also be integrated into more sophisticated SOC or SIEM solutions as a data feed.
Unfortunately, all of these tools also require fairly sophisticated technical skills to deploy and configure the tools correctly. Smaller teams without strong technical skills may need to obtain outsourced assistance.
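As an added example of the "data feed" integration mentioned above (not code from the article or from the Suricata project), the block below normalizes Suricata's EVE JSON alert output into a compact set of fields a SIEM can ingest, drops non-alert events and unparseable lines, and builds the per-signature summary a SOC would triage first. The EVE field names used (`event_type`, `src_ip`, `dest_ip`, `alert.signature_id`, `alert.signature`, `alert.severity`) are real Suricata output fields; the log lines, signature ids and addresses are constructed for this example, and the file would normally be read from Suricata's `eve.json` rather than from an inline list.

```python
"""Added example, not the article's or Suricata's own code: turn EVE JSON
alert lines into a SIEM-ready feed and summarize them per signature.
The log lines below are constructed; the EVE field names are real."""
import json

# Constructed eve.json lines: two alerts for one signature from a scanning
# host, one non-alert flow event, one high-severity blocked alert, and one
# corrupt line of the kind a rotated or truncated log file can produce.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-15T10:01:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":51000,"dest_ip":"10.0.0.100","dest_port":22,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,'
    '"signature":"EXAMPLE SCAN port probe","category":"Attempted Information Leak",'
    '"severity":2}}',
    '{"timestamp":"2024-01-15T10:01:03.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.2","dest_ip":"10.0.0.100","proto":"TCP"}',
    '{"timestamp":"2024-01-15T10:01:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":51001,"dest_ip":"10.0.0.100","dest_port":23,'
    '"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"rev":1,'
    '"signature":"EXAMPLE SCAN port probe","category":"Attempted Information Leak",'
    '"severity":2}}',
    '{"timestamp":"2024-01-15T10:02:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.100","dest_port":80,'
    '"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"rev":1,'
    '"signature":"EXAMPLE WEB path traversal","category":"Web Application Attack",'
    '"severity":1}}',
    "not json at all",
]


def parse_eve_alerts(lines):
    """Return (records, skipped): alert events flattened to SIEM-friendly
    fields, plus a count of lines that were unusable. Non-alert events are
    silently dropped; malformed lines are counted so feed health is visible."""
    records, skipped = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if ev.get("event_type") != "alert":
            continue
        a = ev.get("alert", {})
        try:
            records.append({
                "ts": ev["timestamp"],
                "src": f'{ev["src_ip"]}:{ev.get("src_port", "")}',
                "dst": f'{ev["dest_ip"]}:{ev.get("dest_port", "")}',
                "sid": a["signature_id"],
                "sig": a["signature"],
                "sev": a["severity"],        # Suricata: 1 is the highest priority
                "action": a.get("action", "unknown"),
            })
        except KeyError:
            skipped += 1                     # alert missing a required field
    return records, skipped


def summarize(records):
    """Count alerts per signature id and collect the distinct source hosts."""
    summary = {}
    for r in records:
        s = summary.setdefault(
            r["sid"], {"sig": r["sig"], "sev": r["sev"], "count": 0, "sources": set()}
        )
        s["count"] += 1
        s["sources"].add(r["src"].split(":")[0])
    return summary


def high_priority(records, max_severity=1):
    """Alerts at or above the given priority (lower number = more severe)."""
    return [r for r in records if r["sev"] <= max_severity]


if __name__ == "__main__":
    recs, bad = parse_eve_alerts(SAMPLE_EVE_LINES)
    print(f"{len(recs)} alerts parsed, {bad} line(s) skipped")
    for sid, s in summarize(recs).items():
        print(f"  sid {sid} sev {s['sev']} x{s['count']} from {sorted(s['sources'])}: {s['sig']}")
    for r in high_priority(recs):
        print(json.dumps(r))  # one JSON line per record is what most SIEM collectors accept
```

Counting skipped lines, rather than discarding them quietly, is the small check that distinguishes a healthy feed from a sensor whose output has stopped parsing; a SIEM that only ever sees zero alerts cannot tell the two apart.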
Niche Needs
Sometimes IT professionals need a specialty tool for a specialty need. In these situations an open-source specialized IDS or IPS can be installed to provide a security feed without increasing the security budget.
Four possible solutions that potentially meet these requirements are:
- AIDE IDS (host-based software)
  - Open-source file integrity checker
  - Runs on macOS and Unix/Linux systems
- Kismet IDS (software)
  - Open-source wireless traffic sniffer and wardriving tool
  - Exposes unauthorized access points
- OpenWIPS-NG IPS (software)
  - Wireless intrusion prevention system
  - Lightweight command-line interface
- OSSEC and OSSEC+ IDS (host-based software)
  - Host-based open-source monitor for system files, Windows registry, etc.
  - Monitors log file checksums to detect tampering
While all of these tools are open source and free, they also require effort from the security team to make up for missing features or difficulty of use. However, if a team needs a lightweight tool to monitor a wireless network or the log files on a particularly sensitive server, these tools may be perfect.
IDS & IPS Remain Relevant
Everyone wants to be as secure as resources allow, and IDS or IPS solutions can provide insight into critical resources such as servers and networks. Every security team should include IDS and IPS solutions in their security stack in some form.
This article provides a quick overview of the broad generalities for IDS and IPS solutions. Very specific conditions and needs might require more in-depth understanding of the tools or overlapping technologies.
For organizations without strong technical teams, there are also plenty of managed security service providers (MSSPs) or managed IT service providers (MSPs) that can provide expertise as a service.