Intrusion Detection and Prevention


The IDS Versus IPS Debate

Recently I have been involved in a debate with colleagues regarding the management of IPS (intrusion prevention system) devices versus IDS (intrusion detection system) devices. This debate centers on the level of analysis required when the device alerts on or blocks network traffic. It is an especially salient question in a managed security services (MSS) environment, where analysts are responsible for the protection of customer networks and must decide whether an alert generated by an IDS, or a block performed by an IPS, is valid. As it turns out, where you stand on this issue seems to depend on the paradigm through which you view these devices.

IDS systems have been around for many years and are considered a standard part of any good network security system. They are typically deployed in promiscuous mode at strategic points in the network to monitor all traffic. Since they do not have the ability to block traffic, it is paramount that someone is available on a 24/7 basis to respond to the alerts the IDS generates. Because false positives are relatively common in a typical IDS deployment, the analyst needs access to network traces to determine whether any particular alert is a legitimate attack or simply a false alarm. This is why many companies outsource this responsibility to managed security companies: they do not have the staff available to perform this function themselves.

Analysts who have been performing this job for many years argue that, in order to perform these tasks accurately, an IDS must provide detailed packet captures so that they can see what caused the IDS to generate an alert. Moreover, they need to see both sides of the traffic (i.e. traffic to and from the system under attack) in order to make a proper determination. Most IDS systems provide this capability, as it is a necessity when dealing with a system that only alerts. However, using this information requires a high level of skill and can be very time consuming.

Then the IPS came onto the scene. The IPS is typically an inline device that all traffic must pass through before being sent on to its ultimate destination. This gives the IPS the ability to detect and block malicious network traffic directly. Many enterprises are switching to IPS systems so that, rather than just being alerted to attacks, the device can proactively block them. And if your job is to manage the IPS, you may be wondering how you can perform the analysis you are used to doing for IDS alerts. The short answer is that you don’t have to. When an IPS detects an attack, in most cases it will block it. Of course this is configurable, but the whole point of using an IPS is to block attacks rather than just send an alert. As such, if the attack is blocked, there is no need to perform any analysis. Only when the IPS is suspected of blocking legitimate traffic (a false positive) is analysis required, and the IPS logs will provide plenty of information to determine whether a false positive has occurred.

But how do we know that the IPS is blocking and allowing what it is supposed to without any packet captures to verify the traffic? Are we supposed to trust that the IPS vendors will block all bad traffic and allow only the safe traffic? These are the questions the IDS analysts ask. In the IDS world, every alert is investigated by looking at packet captures, and false positives are identified from that information. In the IPS world, traffic the IPS deems malicious is blocked, and unless there is a complaint, the analyst doesn’t really need to worry about whether it was a false positive. In the case of a false negative (traffic that should have been alerted on or blocked, but was not), the IDS may be able to provide some packet captures for analysis, assuming the analyst is made aware of the attack in a timely manner. In most cases, however, this information arrives too late to be of any use. More information is likely to be found on the attacked host, which could then be used to configure the IPS to block similar attacks in the future.
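The post argues that IPS logs alone carry enough information to decide whether a block was a false positive. The script below is an added example of that triage, written for this page and not taken from the post or any IPS product: it parses a handful of constructed block events in a generic key=value format (the field names `action`, `sig`, `src`, `dst`, `dport` are an assumption), discards non-block events, and groups the rest by signature. A signature is queued for analyst review only when most of its blocks originate from an assumed trusted internal range or when it blocks a service listed as business critical; a signature that blocks one external source sweeping many internal hosts is left alone, which mirrors the "unless there is a complaint" workflow described above.

```python
"""Triage IPS block logs for likely false positives using only the log fields.

Added example; the log format, trusted ranges, critical-service list and
review heuristics are assumptions for illustration, not a vendor's design.
"""
import ipaddress
import re

# Constructed sample IPS event lines (not from any real device or incident).
SAMPLE_LOG = """\
2011-03-01T10:00:01Z action=block sig=2001 src=203.0.113.5 dst=10.1.50.10 dport=80 proto=tcp
2011-03-01T10:00:02Z action=block sig=2001 src=203.0.113.5 dst=10.1.50.11 dport=80 proto=tcp
2011-03-01T10:00:03Z action=block sig=2001 src=203.0.113.5 dst=10.1.50.12 dport=80 proto=tcp
2011-03-01T10:05:10Z action=block sig=3002 src=10.1.2.3 dst=10.1.50.10 dport=445 proto=tcp
2011-03-01T10:05:11Z action=alert sig=3002 src=10.1.2.3 dst=10.1.50.10 dport=445 proto=tcp
2011-03-01T10:06:40Z action=block sig=3002 src=10.1.2.4 dst=10.1.50.10 dport=445 proto=tcp
2011-03-01T10:09:00Z action=block sig=4003 src=198.51.100.7 dst=10.1.50.20 dport=22 proto=tcp
"""

# Assumed environment knowledge an MSS analyst would hold for the customer.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # internal client range
CRITICAL_SERVICES = {("10.1.50.10", 445)}               # assumed file server

KV_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED_FIELDS = {"action", "sig", "src", "dst", "dport"}


def parse_line(line):
    """Return one event as a dict, or None if the line is not a usable event."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    event = dict(KV_RE.findall(parts[1]))
    if not REQUIRED_FIELDS.issubset(event):
        return None
    event["ts"] = parts[0]
    event["dport"] = int(event["dport"])
    return event


def is_trusted(ip):
    """True when the address falls inside an assumed trusted internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text):
    """Group block events by signature and flag those worth a false-positive review."""
    stats = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "block":
            continue  # only blocks matter for false-positive triage
        s = stats.setdefault(ev["sig"], {
            "blocks": 0, "srcs": set(), "dsts": set(),
            "trusted_src": 0, "critical_dst": 0,
        })
        s["blocks"] += 1
        s["srcs"].add(ev["src"])
        s["dsts"].add(ev["dst"])
        if is_trusted(ev["src"]):
            s["trusted_src"] += 1
        if (ev["dst"], ev["dport"]) in CRITICAL_SERVICES:
            s["critical_dst"] += 1

    report = {}
    for sig, s in stats.items():
        reasons = []
        if s["trusted_src"] * 2 > s["blocks"]:      # majority of blocks are internal
            reasons.append("mostly-internal-sources")
        if s["critical_dst"]:                        # a critical service was blocked
            reasons.append("blocks-critical-service")
        report[sig] = {
            "blocks": s["blocks"],
            "distinct_src": len(s["srcs"]),
            "distinct_dst": len(s["dsts"]),
            "needs_review": bool(reasons),
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for sig, row in sorted(triage(SAMPLE_LOG).items()):
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f"sig {sig}: {row['blocks']} blocks, {row['distinct_src']} src, "
              f"{row['distinct_dst']} dst -> {flag} {row['reasons']}")
```

On the sample data, signature 2001 (one external source against three web servers) and 4003 are left alone, while 3002 is flagged because every block came from inside the trusted range and hit the assumed file server on port 445, which is exactly the kind of block that tends to surface as a user complaint. The heuristics are deliberately simple; the point is that the decision uses only fields the IPS already logs, with no packet capture.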

The IDS has served us well for many years. However, the IPS is quickly replacing the IDS in many organizations, and this affects the management of these systems as well. Fortunately, it will mean less work for the analyst, who will no longer have to investigate every alert the IPS generates. Concerns about reduced visibility into the traffic are misplaced, since the detailed analysis required when managing an IDS is no longer necessary. The move to the IPS will ultimately reduce the workload of those responsible for managing these systems, allowing them to focus on other security-related issues. This, along with the blocking capability of the IPS, will improve the overall security of the networks where they are deployed.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved