Forrester Research, in a report comparing 14 of the most common network security tools, concluded that the most critical network defenses are firewalls. Among the other contenders, intrusion prevention systems (IPS) were cited as the tool most worthy of a company’s IT security dollars.
The value of IPS is often overlooked, stated the report, Network Threat Mitigation. A big reason could be that the devices have long suffered from an association with intrusion detection systems (IDS). Many organizations have adopted IDS only to find that the devices were costly, produced too many false positives, and were difficult to manage, according to the report.
The two kinds of devices are frequently seen separated by a slash (IDS/IPS). But though the tools may have originally shared some similarities, they are actually extremely different. IPS is a sophisticated, proactive way to block network threats, according to the report. IDS has increasingly become a reactive tool, good for uses such as forensics.
In a Forrester report released earlier this year, IDS/IPS differences were stated more starkly. “The security industry has evolved beyond the time when IDS provided any real security benefit to an organization,” wrote John Kindervag, lead author of the report, If You Don’t Have IPS, You Deserve to Be Hacked.
Not all analysts are so quick to dismiss IDS solutions. When skillfully operated, they can offer hard-to-match network visibility, says Joel Snyder, senior partner at Tucson, Arizona-based Opus One. While acknowledging that head-to-head, IPS is usually a better security investment, he says that IDS has its uses. Regular IDS use could be most appropriate at medium and large companies, which are more likely to have the necessary resources and staff know-how, he says.
But smaller companies could benefit from occasional use. Snyder says when he first began researching IDS, he felt he had a strong sense of his relatively small firm’s important network activity. Even though he had little IDS experience, as soon as he plugged the tool in, it began to show him numerous problems and activities that warranted more investigation. By using IDS, a security manager can generate statistics, logs, and other data to identify “anything you should know to keep your network clean,” says Snyder.
The Forrester report mentioned the importance of both network and Web application firewalls. One promising emerging technology, it also stated, are firewall auditing tools, which automate firewall and router configuration review.
The strengths of IPS were particularly emphasized. The devices have been pulling ahead of IDS in recent years in traffic analysis sophistication, according to Forrester. Compared to IDS, IPS relies less on signature-based detection, which many say is a main reason for IDS’s high rate of false positives.
IPS is also better at analyzing network packet data, including characteristics such as port utilization and Internet Protocol address destinations and sources. IDS can only see traffic from one direction; IPS sees both sides, states the report. Such advances have made IPS highly effective at blocking “real-time” threats, according to Forrester. Many organizations may have been avoiding IPS due to fears about blocking good traffic, states the report. But Forrester calls such fears “unfounded.”
In addition, IPS is more likely to have centralized graphical user interfaces, states the report. The devices also have quicker and more effective software and signature updates.
More IDS tools are coming out with IPS functionality and vice versa, which could add to the confusion, Snyder says. When investigating a product, organizations should carefully consider their needs. If a company needs visability, it should consider IDs. However, if control is more important IPs might be the answer.
Companies eyeing an IDS tool should also closely examine the product’s management console, Snyder says. An intuitive interface is probably even more important than the IDS’s detection engines, he says.
IDS is also being used more frequently in conjunction with broader monitoring and analysis tools. Used as a plug-in, IDS can be a strong addition to security information management tools (SIM), for example. Increasingly popular SIM solutions gather and cross-analyze widely dispersed organizational network and system log data.