
IDS vs IPS Go-to Tools for Modern Security Stacks

As new threats emerge every day, the risk companies face by not properly securing network data is growing more widespread and costly than ever. 15% of data breaches involve healthcare organizations, 10% the financial industry and 16% the public sector [1], with the banking industry incurring the highest cybercrime costs in 2018 at $18.3 million (average cost per company) [2].

Many industries face severe consequences as stricter legislation passes across the world enforcing compliance with data privacy frameworks like HIPAA, ISO 27001, SOX and more. In 2018, HIPAA had 25,912 complaints and 431 data breach investigations, leading to $28.7 million in fines for just the top 10 companies breached [3].

When companies build their IT security strategies to combat these threats, two of the most important network security tools used to detect and actively block threats entering the network are the Intrusion Detection System (IDS) and the Intrusion Prevention System (IPS).


Previously we reviewed Out-of-Band vs Inline Network Security and which tools were associated with the two strategies. It is important for security teams to keep on top of the latest best practices for deploying and managing these critical tools, as the security landscape evolves. So let’s dig a little deeper on these two bedrock solutions.

Critical Cybersecurity Solutions

As SecOps teams face the ballooning threat of data breaches, compliance fines and policy enforcement, IDS/IPS technology has become the go-to tooling in modern security stacks.

IDS/IPS are relatively hands-off and can be deployed with limited resources, providing high-level peace of mind that the network is protected from threats — which is attractive to both smaller networks and enterprises. Many companies also implement IDS and IPS solutions to fulfill certain compliance regulations by addressing a number of the CIS Security Controls and auditing data.

IDS vs IPS and how they work

An Intrusion Detection System (IDS) is a network security tool that analyzes network traffic for malicious activity, vulnerability exploits or policy violations that are attempting to infiltrate or steal data from a network.

The IDS detects threats by comparing current network activity to a known threat database, looking at several key behaviors like security policy violations, malware, and port scans. Any violation or intrusion activity is either reported to the administrator or collected by a security information and event management (SIEM) system. The SIEM can be used to distinguish malicious activity from false alarms.

Diagram: Traffic flow of a hacker triggering an IDS solution

An Intrusion Prevention System (IPS) is a network security tool that works to detect and block identified threats. In the same wheelhouse as a Firewall, the IPS actively denies network traffic if a packet represents a known security threat based on security profiles.

The IPS continuously monitors live network traffic 24/7, looking for malicious incidents and capturing information about them. These events are reported to the administrators while the IPS takes preventative action, including blocking traffic, altering firewall configurations or closing access points to prevent future attacks. An IPS is also used to identify corporate security policy violations, combating unwitting actors or deterring probes by employees and guests.

Diagram: Traffic flow of a hacker triggering an IPS solution

IDS vs IPS, what are the differences?

The IDS and IPS both analyze network packets and compare the contents to a known threat database. The key high-level difference is that an IDS is a monitoring system, while IPS is a control system.

An IDS doesn’t alter packets; it is a passive “listen-only” detection and monitoring solution that doesn’t take action on its own.

An IPS, by contrast, is a control system that accepts or rejects packets based on its ruleset, actively preventing packet delivery based on the contents, similar to a firewall blocking traffic by IP address.

IDS deployments do require admin staff or another system like a SIEM to analyze the results and take the appropriate action. The IDS cannot take automatic action against attackers exploiting vulnerabilities once they are inside the network, leaving the IDS inadequate for threat prevention. The IDS is typically positioned as a post-mortem forensics tool for SecOps or the computer security incident response team (CSIRT) during security incident investigations.

The IPS, on the other hand, is designed to catch dangerous packets in the act and drop them before they reach their target. Because it acts on its own to make decisions, its database must be regularly updated with new threat data.

There are a few things to note about both IDS and IPS — they are only as effective as their threat databases, and need to be kept updated when new attacks break out.

Why are these two different tools? The IDS was originally developed as a listen-only monitoring tool because the analysis required could not keep pace with the direct communications traffic of the network infrastructure. And that is where it has stayed, as a forensics detection solution, while the IPS was developed to take it a step further and actively block.

Yes, there are vendors that provide both IDS and IPS functionality in one. There are solutions that have integrated IPS systems with firewalls creating a Unified Threat Management (UTM) technology. But both IDS and IPS have found their use as the go-to tools for Modern Security Stacks.


How to deploy and manage an IDS / IPS

With the IDS being a listen-only monitoring solution, it is placed out-of-band on the network infrastructure, meaning that it is not analyzing real-time traffic but is receiving a copy of the data.

The two ways an IDS tool accesses this data are through SPAN / mirror ports on the switch or through the industry best practice, network TAPs. SPAN is generally used for low-utilization applications and is known to drop or alter packets, possibly masking threats. The network TAP creates full-duplex traffic copies that pass physical errors and provides the flexibility to send this data to multiple destinations. If the IDS is processing many network segments, a network TAP and network packet broker are used to streamline the data and optimize security detection. If you are deploying a virtual IDS system, the same concept would incorporate a virtual traffic mirror or cloud TAP like Garland Prisms.

Diagram: Traffic flow of a hacker triggering an IDS solution with Network TAP visibility


The IPS utilizes a different deployment strategy. Being an inline device means the IPS is sitting directly in the path of critical segments. This is great for its purpose of blocking threats before they get into the broader network, but it also poses logistical challenges: what happens if the device fails, and how do you properly update or optimize it once it is inline?

Modern IPS tools may have add-on options for internal or built-in bypass. This may be useful in some failure cases, but it leaves open additional failure modes such as software faults, doesn’t provide the flexibility to sandbox, troubleshoot and optimize, and the cost tends to outweigh the industry best practice of utilizing an external bypass. Bypass TAPs reduce network downtime with “inline lifecycle management,” which allows you to easily take tools out-of-band for updates, installing patches, maintenance or troubleshooting, so you can optimize and validate before pushing them back inline. They are designed to eliminate single points of failure within your network.
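To make the monitoring-versus-control distinction from the previous section and the fail-open behaviour of a bypass TAP concrete, here is an added example (not code from the original post or from Garland) that runs one constructed signature engine three ways: as an IDS over a TAP/SPAN copy, as an inline IPS, and as an inline IPS behind a bypass that keeps traffic flowing when the tool fails. The packets, signatures and `broken_engine` stand-in are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    payload: bytes

# Constructed "threat database": signature name -> byte pattern.
SIGNATURES = {"sqli-probe": b"' OR 1=1", "shell-probe": b"/bin/sh"}

def match(pkt):
    """Return the first signature whose pattern appears in the payload, else None."""
    return next((n for n, pat in SIGNATURES.items() if pat in pkt.payload), None)

def ids(stream):
    """IDS: inspects a TAP/SPAN copy and alerts; delivery is never altered."""
    alerts = [(p.src, match(p)) for p in stream if match(p)]
    return list(stream), alerts

def ips(stream, engine=match):
    """IPS: sits inline; a matching packet is dropped and reported."""
    delivered, alerts = [], []
    for p in stream:
        sig = engine(p)
        if sig:
            alerts.append((p.src, sig))
        else:
            delivered.append(p)
    return delivered, alerts

def ips_with_bypass(stream, engine=match):
    """Bypass TAP: if the inline tool fails (crash, hung update), traffic is
    passed through uninspected and the bypass engagement is recorded."""
    try:
        delivered, alerts = ips(stream, engine)
        return delivered, alerts, False
    except Exception:
        return list(stream), [], True

def broken_engine(pkt):
    """Stand-in for an inline tool that has failed."""
    raise RuntimeError("IPS engine unavailable")

SAMPLE = [  # constructed traffic: one benign request and two probes
    Packet("10.0.0.5", b"GET /index.html"),
    Packet("10.0.0.9", b"GET /login?u=' OR 1=1--"),
    Packet("10.0.0.9", b"exec /bin/sh"),
]
```

Note that the bypass path delivers every packet uninspected while engaged, which is exactly why the post treats bypass engagements as events to record and why tools are taken out-of-band deliberately for updates rather than left to fail inline.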

As a recent EMA [Enterprise Management Associates] report states, “Research found that extensive use of external bypass devices is a best practice….Bypass devices tend to prove their value once deployed. For instance, 92% of enterprises had a bypass device engage itself in the past year to prevent downtime, and 81% reported multiple engagements within the last year.” [4]

Diagram: Traffic flow of a hacker triggering an IPS solution managed with a Bypass TAP

With the growing number of security tools, we hear from IT teams looking for ways to simplify their security stack by incorporating inline hybrid devices like Garland’s EdgeLens, which allows you to manage a whole host of both inline and out-of-band tools, including the IDS, IPS and SIEM, from one device, providing the reliability of a bypass TAP with the advanced features of a packet broker.

Looking to add inline or out-of-band security monitoring solutions, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.


[1] https://enterprise.verizon.com/en-gb/resources/reports/dbir/
[2] https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
[3] https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2018enforcement/index.html
[4] https://www.garlandtechnology.com/wp-ema-security-visibility

Written by Todd Cain

Todd has over two decades of experience in Technical Sales and Solutions Consulting. He began his career in the USAF as a Telecommunications Specialist. Since then his focus has been helping customers understand and deploy Network Test, Monitoring, and Visibility Solutions.