Smarter prevention beats simple detection

There’s a silent battle that’s brewing in IT security and fighting it out are two longtime technology contenders: man versus machine.

One arena where industry observers are seeing such a contest is in network security, where the intrusion detection system (IDS) seems to be losing ground to the highly automated intrusion prevention system (IPS).

IDS devices are placed near the network, mirroring network traffic to scout and raise alerts for signs of malicious attacks. On top of every IDS deployment is a human being making the distinction between legitimate and malicious content.

On the other side is the IPS, which takes the security process one step further by blocking traffic that’s perceived as malicious based on preset parameters. Taken out of that equation is the factor of human intervention. London, Ont.-based market research firm Info-Tech Research believes that while IPS has certainly overtaken IDS in the market, IDS is still the “safer choice.”

In a recent research note, the firm pointed to an IPS’s susceptibility to blocking valid traffic that may be critical to an organization’s business.

“If I set up my IPS to block (content based on) certain parameters, and valid traffic comes in that just happens to meet those parameters, that traffic [will be] blocked,” explained James Quinn, research analyst at Info-Tech.

An IDS tool, however, leaves that decision to a living, thinking human being who is “aware of the business entities for that organization,” said Quinn.

Being an inline system within the network is another “complication” of an IPS, he said: network traffic flows through the IPS, making it a “single point of failure.”

Quinn explained that the IPS switch is typically located between the front-end firewall and the core switches and routers that make up the corporate network. If the IPS fails, the connection between the firewall and the network is lost, he said.

There are two ways that the IPS can fail, Quinn explained. It can either leave the network open, in which case it disables all network protection, or it can close the network, blocking all network traffic, he said.
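The trade-offs described above can be modelled in a few lines. The following Python sketch is an added illustration, not code from the article or from any vendor: the `Sensor` class, the `cmd.exe` signature and the two sample payloads are constructed for the example. It runs the same rule in mirrored (IDS) and inline (IPS) mode, then shows what each failure mode does to traffic.

```python
from dataclasses import dataclass

SIGNATURE = b"cmd.exe"  # constructed rule: flag any payload containing this marker

# Constructed sample traffic; the second item is valid business traffic
# that happens to meet the rule's parameters.
TRAFFIC = [
    ("invoice upload", b"POST /invoices HTTP/1.1 total=1200"),
    ("help-desk ticket", b"Subject: user cannot open cmd.exe on laptop"),
]

class EngineDown(Exception):
    """The inspection engine has crashed or lost power."""

@dataclass
class Sensor:
    mode: str                # "ids" (sees a mirrored copy) or "ips" (inline)
    fail_open: bool = True   # only meaningful for an inline IPS
    healthy: bool = True

    def inspect(self, payload: bytes) -> bool:
        if not self.healthy:
            raise EngineDown()
        return SIGNATURE in payload

    def handle(self, payload: bytes) -> tuple[bool, bool]:
        """Return (delivered, alert_raised) for one packet."""
        try:
            hit = self.inspect(payload)
        except EngineDown:
            if self.mode == "ids":
                return True, False        # out of band: traffic is unaffected
            return self.fail_open, False  # open = unprotected, closed = outage
        if self.mode == "ids":
            return True, hit              # alert only; a human decides
        return not hit, hit               # inline: a match is dropped

def delivered(sensor: Sensor) -> list[bool]:
    """Which of the sample packets reach the corporate network."""
    return [sensor.handle(payload)[0] for _, payload in TRAFFIC]

if __name__ == "__main__":
    for label, s in [
        ("IDS", Sensor("ids")),
        ("IPS", Sensor("ips")),
        ("IPS down, fail-open", Sensor("ips", fail_open=True, healthy=False)),
        ("IPS down, fail-closed", Sensor("ips", fail_open=False, healthy=False)),
    ]:
        print(f"{label:22} delivered={delivered(s)}")
```

In this model the help-desk ticket is delivered with an alert under IDS but dropped under IPS, and a failed inline engine either passes everything uninspected or blocks everything, depending on the fail mode.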

The IDS technology, however, is not without faults, said Quinn. Because manual decision-making is a large part of the way an IDS works, higher manpower cost is associated with this system, he said, and that’s where IPS becomes more viable; its automated response to threats requires no human intervention, therefore lowering operational costs.

For an IPS to be effective, however, some form of human involvement is still required, said Isif Ibrahima, security specialist at security consulting firm Digital Boundary Group in London, Ont.

“The portion of [the IPS] that’s automated is just the blocking (of malicious traffic), and just like an IDS it requires human intervention in specifying (the process): this is what [the system] should be watching; these are the things that can be ignored; these are the types of systems that we have,” said Ibrahima.

He admitted that the first generation of IPS did, in fact, face certain problems, including blocking legitimate traffic, but added that over the years the technology has become “a lot smarter.”

The “smarter” IPS tools of today involve engines that deploy multiple types of detection based on signatures and anomalies, explained Ibrahima. But all these processes don’t come as a pre-packaged, ready-to-deploy product. Human resources are required to tune the IPS device according to the business requirements, said Ibrahima.

Time is another downside to implementing IDS, and a resource that firms don’t have when dealing with real threats, said Michel Chahine, security specialist at Cisco Systems in San Jose.

“The IDS requires manual intervention to decide what’s going on, and in the meantime the threats of viruses and worms are becoming more sophisticated,” said Chahine.

Automation is what’s driving organizations to adopt IPS, he said. IDS does not take instant action to prevent an attack. That task is left to the security administrator “looking at alarms and events after the intrusion happens, and it’s often too late,” said Chahine.
