-- PAGE 2 --

Intrusion Prevention Systems – A Review

Intrusion Detection Systems (IDSs) - functionality and shortcomings

The IPS was developed from the Intrusion Detection System (IDS). Hence, a good understanding of the IDS is necessary in order to grasp the ways in which IPSs work. In substance, the IDS is a monitoring system. It monitors the status of the network and system by implementing pre-defined security policies. An alarm is triggered when the IDS identifies attack behavior, abnormal traffic and other signatures that match pre-defined rules.

Intrusion Detection Systems (IDSs) - the advantages
Although many improvements have been made to IDSs, some clear shortcomings remain apparent:
A good analogy with the Intrusion Detection System can be found in airport CCTV. Just like the IDS, CCTV monitors provide passive monitoring of the security status of their environment, providing records of any crime, suspicious activity or potential security threats within that environment, but are, like the IDS, reliant upon the intervention of people (security staff) to react upon this information by implementing preventative or remedial measures based upon the information gathered. The IDS records and provides data which help to identify attacks at the earliest stage possible in order to minimize potential loss, damage or downtime. However, just as with the monitoring of CCTV, the high rate of false positives generated and the failure to report present significant problems. Likewise, neither an IDS nor CCTV at the airport can scrutinize each and every activity in each and every location, and successfully identify potential attacks based upon the evidence of behaviour alone. Neither CCTV nor an IDS has the capability to prevent malicious action in and of itself. The value of both resides in the fact that the records they provide offer evidence which helps to identify an attack and, consequently, to take appropriate action.

The Intrusion Prevention System (IPS) is designed and developed for more active protection to improve upon the IDS and other traditional security solutions.

Xuhua Ji, September 2007 (You are free to reproduce any of the information in this article or part thereof, so long as the byline remains intact and a link is provided back to this page)
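The rule matching and passive alerting described above for an IDS, sketched as an added example that is not part of the original article: it runs pre-defined rules over sample traffic, then counts the false positives and unreported events the CCTV analogy refers to. The rule names, the rate threshold and the traffic lines are all constructed assumptions, not taken from any real IDS ruleset or log.

```python
import re
from collections import Counter

# Hypothetical pre-defined rules; not taken from any real IDS ruleset.
SIGNATURES = {
    "sql-keyword": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}
RATE_LIMIT = 3  # assumed policy: more than 3 requests per source is "abnormal traffic"

# Constructed sample traffic: (source, request line, is it really hostile?)
TRAFFIC = [
    ("10.0.0.5", "GET /item?id=1 union select name from users", True),
    ("10.0.0.7", "GET /static/../../etc/passwd", True),
    ("10.0.0.8", "GET /search?q=trade union select committee minutes", False),
    ("10.0.0.9", "POST /login user=admin (guess 1)", True),
    ("10.0.0.9", "POST /login user=admin (guess 2)", True),
    ("10.0.0.6", "GET /index.html", False),
]


def monitor(traffic):
    """Passive IDS: inspects every event, records alerts, and blocks nothing."""
    alerts, delivered, seen = [], [], Counter()
    for idx, (src, request, _) in enumerate(traffic):
        seen[src] += 1
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((idx, src, name))
        if seen[src] > RATE_LIMIT:
            alerts.append((idx, src, "abnormal-rate"))
        delivered.append(idx)  # an IDS only watches; the request still reaches its target
    return alerts, delivered


def score(traffic, alerts):
    """Compare alerts with ground truth: (false positives, hostile events never reported)."""
    flagged = {idx for idx, _, _ in alerts}
    false_pos = sorted(i for i in flagged if not traffic[i][2])
    missed = [i for i, ev in enumerate(traffic) if ev[2] and i not in flagged]
    return false_pos, missed


if __name__ == "__main__":
    alerts, delivered = monitor(TRAFFIC)
    for idx, src, rule in alerts:
        print(f"ALERT rule={rule} src={src} request={TRAFFIC[idx][1]!r}")
    false_pos, missed = score(TRAFFIC, alerts)
    print(f"delivered={len(delivered)}/{len(TRAFFIC)} false_positives={false_pos} missed={missed}")
```

Every request is delivered whether or not it raised an alert, the benign search is flagged by the SQL rule, and the two login guesses match no rule and stay under the rate threshold, so they go unreported.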