IDS/IPS Pros and Cons

As stated earlier, IDS and IPS are two separate technologies that can complement each other. The following sections list the pros and cons of both technologies.

Intrusion Detection

The pros of intrusion detection include the following:

  • Can detect external hackers as well as internal network-based attacks

  • Scales easily to provide protection for the entire network

  • Offers centralized management for correlation of distributed attacks

  • Provides defense in depth

  • Gives system administrators the ability to quantify attacks

  • Provides an additional layer of protection

These are the cons:

  • Generates false positives and negatives

  • Reacts to attacks rather than preventing them

  • Requires full-time monitoring

  • Requires a complex incident-response process

  • Cannot monitor traffic at higher transmission rates

  • Generates an enormous amount of data to be analyzed

  • Requires highly skilled staff dedicated to interpreting the data

  • Susceptible to “low and slow” attacks

  • Cannot deal with encrypted network traffic

  • It is expensive

Intrusion Prevention

The pros of intrusion prevention include the following:

  • Protects at the application layer

  • Prevents attacks rather than simply reacting to them

  • Can use a behavioral approach

  • Provides defense in depth

  • Permits real-time event correlation

The cons are as follows:

  • Generates false positives that can create serious problems if automated responses are used

  • Creates network bottlenecks

  • It is a new technology

  • It is expensive



Intrusion-Detection and Intrusion-Prevention Myths

Several myths about intrusion detection and intrusion prevention circulate repeatedly, even though some of them are diametrically opposed to others.

Myth 1: Intrusion detection and intrusion prevention are basically the same technology. Many believe that because some IDS systems have TCP kill and RESET capabilities, they are pretty much the same thing as IPS. The truth is that each of these technologies is separate in design and in function. An IPS device sits inline, and all the packets have to pass through it. If a suspicious packet has been detected, it can be dropped. With IDS this is not the case—the suspicious packets are sent on to the internal interface to be analyzed, an alert is then sent, and a response generated. The latency involved in an IDS often results in a failed response. That is because an IDS is designed for detecting intrusions, not responding to them, though they do have some rudimentary response capabilities.

Myth 2: Intrusion-detection systems give too many false positives to be of any real value. It is true that IDSs do give what appear to be false positives. Typically, signatures released by vendors are accurate, but sometimes legitimate traffic sets them off. You need to properly fine-tune the IDS for your particular network. What often happens is that an organization implements IDS and doesn’t tune it, and soon the administrators feel overwhelmed by the alerts, which are mostly false positives. If an organization starts out on small segments of the network at a time and gets the IDS tuned to better understand what is and is not legitimate, the results will be better.
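The tuning that Myth 2 calls for is usually done with the suppression and threshold mechanisms that most IDS engines provide: suppress a signature when it fires on traffic from a known-benign source on a given segment (a vulnerability scanner, for instance), and surface a noisy signature only once it has fired a minimum number of times from the same source within a window. The following Python script is an added example, not code from the book or from any IDS product; the alert line format, the signature IDs, the addresses, and the tuning policy are all constructed for illustration.

```python
"""Alert tuning pass over constructed IDS alerts (added example, not from the book).

Two tuning mechanisms are shown:
  * suppression: drop a signature when it fires on traffic from a known-benign
    source network toward a given monitored segment, and
  * thresholding: only surface a noisy signature once it has fired at least N
    times from the same source within a time window.
The alert format, signature IDs and addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed alert lines, one alert per line (not a real IDS log).
SAMPLE_ALERTS = """\
2024-01-15T10:22:31 sid=1001 msg="HTTP scanner user-agent" src=10.0.5.9 dst=10.0.1.20 proto=TCP
2024-01-15T10:22:32 sid=1001 msg="HTTP scanner user-agent" src=10.0.5.9 dst=10.0.1.21 proto=TCP
2024-01-15T10:22:40 sid=2002 msg="SSH login failure" src=203.0.113.7 dst=10.0.1.10 proto=TCP
2024-01-15T10:22:41 sid=2002 msg="SSH login failure" src=203.0.113.7 dst=10.0.1.10 proto=TCP
2024-01-15T10:22:42 sid=2002 msg="SSH login failure" src=203.0.113.7 dst=10.0.1.10 proto=TCP
2024-01-15T10:22:43 sid=2002 msg="SSH login failure" src=203.0.113.7 dst=10.0.1.10 proto=TCP
2024-01-15T10:22:44 sid=2002 msg="SSH login failure" src=203.0.113.7 dst=10.0.1.10 proto=TCP
2024-01-15T10:30:00 sid=2002 msg="SSH login failure" src=198.51.100.4 dst=10.0.1.10 proto=TCP
2024-01-15T10:31:05 sid=3003 msg="Shell metacharacters in URI" src=198.51.100.9 dst=10.0.1.20 proto=TCP
2024-01-15T10:35:00 sid=1001 msg="HTTP scanner user-agent" src=198.51.100.9 dst=10.0.1.20 proto=TCP
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)$'
)

# Tuning policy, written per network segment as the text recommends (constructed).
# Suppression: (sid, trusted source network, monitored segment) -> the in-house scanner.
SUPPRESSIONS = [
    (1001, ip_network("10.0.5.0/24"), ip_network("10.0.1.0/24")),
]
# Threshold: sid -> (minimum count, window) before the signature is surfaced.
THRESHOLDS = {
    2002: (5, timedelta(seconds=60)),
}


def parse_alert(line):
    """Parse one alert line into a dict; return None for a malformed line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["sid"] = int(d["sid"])
    d["src"] = ip_address(d["src"])
    d["dst"] = ip_address(d["dst"])
    return d


def is_suppressed(alert):
    """True when a suppression rule covers this signature, source and segment."""
    return any(
        alert["sid"] == sid and alert["src"] in src_net and alert["dst"] in seg
        for sid, src_net, seg in SUPPRESSIONS
    )


def tune_alerts(text):
    """Apply suppression and thresholding; return the alerts an analyst would see."""
    surfaced = []
    history = defaultdict(list)  # (sid, src) -> timestamps seen inside the window
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None or is_suppressed(alert):
            continue
        rule = THRESHOLDS.get(alert["sid"])
        if rule is None:
            surfaced.append(alert)
            continue
        count, window = rule
        key = (alert["sid"], alert["src"])
        seen = [t for t in history[key] if alert["ts"] - t <= window]
        seen.append(alert["ts"])
        history[key] = seen
        # Surface once when the threshold is crossed, then reset so a continuing
        # burst yields one alert per N hits instead of a flood.
        if len(seen) >= count:
            surfaced.append(alert)
            history[key] = []
    return surfaced


def summarize(text):
    """Return (raw_count, tuned_count, surfaced sids) for a block of alert lines."""
    raw = [a for a in (parse_alert(l) for l in text.splitlines()) if a]
    tuned = tune_alerts(text)
    return len(raw), len(tuned), [a["sid"] for a in tuned]


if __name__ == "__main__":
    raw, tuned, sids = summarize(SAMPLE_ALERTS)
    print(f"raw alerts: {raw}, after tuning: {tuned}, surfaced sids: {sids}")
```

On the constructed input the ten raw alerts reduce to three: the scanner's two hits on sid 1001 are suppressed, the five-in-four-seconds SSH failures cross the threshold once, the single SSH failure from a different source stays below it, and the two signatures with no tuning rule pass straight through. Note that the same sid 1001 from a source outside the trusted network is still surfaced, which is the point of scoping suppressions to a source and segment rather than disabling the signature outright.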

Myth 3: Intrusion detection will eventually replace firewalls. Wrong! This will not happen. IDSs and firewalls perform separate and distinct functions on the network. We will likely see that most firewalls have some IDS and IPS capabilities, but IDS and IPS are just single layers in a security program, and they are not meant to replace firewalls.

Myth 4: IDS systems are on the way out, and IPS and firewalls are the wave of the future. IDSs are far from becoming obsolete. We may see the integration of IDS and IPS capabilities within firewalls and routers, but the technology remains the same and the need is apparent. The wave of the future is seeing how the two can complement each other, not in debating which is better. There is some traffic that you do not want a response to, and that traffic is better passed off to an IDS.


Myth 5: IDSs are the wave of the future. This is the opposite of the previous myth, but the answer is much the same. Both IDS and IPS technologies have a place in securing a network or host. There is no one “silver bullet” that will take care of everything. Intrusion detection is here to stay, but it is not the only technology in the game—IPS is also needed.

Myth 6: IDSs and IPSs will catch or stop all network intrusions. This seems like a ridiculous statement to the technically minded, but it is often asked by management. Yes, IDS and IPS will help to prevent and deter some attacks, but they will never be able to catch everything.

Myth 7: When an organization implements IDS or IPS, it should need fewer security professionals. There is some truth to this myth in that automating intrusion detection can reduce the number of individuals needed to detect security breaches in systems and networks. At the same time, however, one of the big issues with IDS and IPS is that they do a good job at finding attacks, but there needs to be a trained professional on the other end who can interpret and react to the information. While this may seem like additional overhead, the attacks would be there whether or not you detected them.

Myth 8: You need real-time detection in order to get any real value from an IDS. Real time is a bit of a misnomer, as the response and identification will always come after the attack has entered the network or host. A better approach is to ask whether the alert or response is accurate and arrives in time for the necessary response. While faster can be better, it also has disadvantages, such as cost and more difficult data handling—data received in real time need to be handled in real time.