What is IDS/IPS? Usage and functions explained | Differences from other network security products


Table of contents

What is IDS (Intrusion Detection System)?
What is IPS (Intrusion Prevention System)?
Differences in the functions and roles of IDS and IPS
Which should I introduce, IDS or IPS?
Two mechanisms for “detecting unauthorized access” of IDS/IPS (signature type/anomaly type)
What threats cannot be detected and blocked by IDS/IPS?
Network security products you should know about other than IDS/IPS
What is NDR “Darktrace” that those considering IDS/IPS should know?
Summary

IDS/IPS are security solutions that monitor a network and detect threats such as unauthorized access.

The difference between an IDS and an IPS is that an IDS only detects threats, whereas an IPS can also block them.

At first glance an IPS that blocks threats automatically looks superior, but depending on the company's network environment, a product that automatically cuts off communications may not be suitable.

In addition, some threats and cyber attacks are difficult to detect with IDS/IPS, so companies and organizations need to consider their network environment and requirements before choosing security products. It can also be effective to build multi-layered defense by combining IDS/IPS with other products.

▼To summarize this article

  • IDS is a security product that monitors the network and "detects" threats.
  • IPS is a security product that monitors the network and both detects and blocks threats.
  • IDS suits environments where an outage caused by a false positive cannot be tolerated, while IPS suits situations where an information leak would directly damage trust in the company.
  • IDS/IPS detection methods are the "signature type," a pattern-matching method that registers known-malicious patterns in advance, and the "anomaly type," which learns normal behaviour and flags everything that deviates from it.
  • IDS/IPS cannot stop every threat and is weak against attacks on web application vulnerabilities such as SQL injection and cross-site scripting.
  • IDS/IPS also has limited visibility into attacks that arrive through VPN or remote desktop, which are reported to account for around 80% of recent intrusions, because traffic inside an encrypted tunnel cannot be inspected unless the sensor is placed after the tunnel terminates.
  • Besides IDS/IPS, network security products include the "firewall," "WAF," "SASE" and "NDR"; choose the product that fits your organization's needs.

If you want to strengthen your network security, this article will help you learn the basics of IDS/IPS and which products suit your company.

We have also prepared a document that summarizes the functions of the network monitoring security NDR "Darktrace" in 3 minutes. Please feel free to make use of it.

What is IDS (Intrusion Detection System)?


An IDS (Intrusion Detection System) is a security product that monitors a network and detects threats such as unauthorized access.

With an IDS in place, security incidents such as malware intrusion, unauthorized access and data leaks can be detected. Its role is to recognise abnormal traffic and signs of attack on the network quickly and notify security personnel, so that the initial response can begin promptly.

However, because the scope of an IDS is to monitor and analyze network traffic (it typically receives a copy of the traffic from a mirror port or network tap and sits outside the traffic path), it cannot block attacks by itself. Once a threat is detected, security personnel must step in to deal with it.

It is suitable for situations where you want to monitor the network and collect information on security incidents without interfering with the systems themselves.

What is IPS (Intrusion Prevention System)?


An IPS (Intrusion Prevention System) is a security product that detects and blocks network security threats.

It detects threats such as unauthorized access in real time and prevents the intrusion.

Specifically, an IPS sits inline in the traffic path, continuously inspects the traffic passing through it and looks for abnormal patterns and signs of attack. When a threat is detected, it automatically drops the offending packets or terminates the connection so that the attacker cannot reach your systems.

The advantage is that the whole process from detection to defense is completed by a single solution.

Differences in the functions and roles of IDS and IPS


As mentioned above, the difference between the two is that an IDS is only responsible for detecting threats, whereas an IPS is responsible for defense as well as detection.

An IDS specializes in detecting and alerting on unauthorized activity by third parties attempting to infiltrate your network. An IPS covers the same detection functions but adds the ability to block detected attacks automatically. In engines such as Snort and Suricata this is the difference between a rule whose action is "alert" (log only) and one whose action is "drop" (discard the packet), and the latter only takes effect when the engine is deployed inline.

The advantages of an IPS are:

・Defensive measures are taken promptly against detected threats
・Human effort is reduced because defense is performed automatically

An IDS requires a manual response after a threat is detected, so by itself it does not stop an attack in progress. An IPS, on the other hand, handles the defense automatically after detection, so security incidents can be contained and damage minimized without waiting for an administrator's judgement or manual action.

However, an IPS also has disadvantages, notably the risk of false positives. If an IPS mistakes normal communication for malicious traffic, legitimate communication is blocked and daily operations may be disrupted.

In addition, because an IPS inspects traffic inline, it adds latency and can become a bottleneck, degrading network performance. Be careful especially in high-traffic environments, and check the device's throughput and its fail-open or fail-closed behaviour before deployment.

In this way, IDS and IPS each have advantages and disadvantages, and neither is simply superior to the other.

Which should I introduce, IDS or IPS?


You need to weigh the advantages and disadvantages of both IDS and IPS and introduce the one that better suits your company's environment.

As mentioned above, an IDS monitors and analyzes the network and raises alerts when threats are detected. Because the response after detection is left to humans and the IDS does not intervene in the traffic, it is suitable for environments where a system outage caused by a false detection cannot be tolerated.

An IPS, on the other hand, automatically blocks malicious traffic when it detects it, so the initial response time is likely to be shorter. If you hold a lot of confidential information and a leak would directly damage trust in your company, an IPS may be more suitable.

If you want to avoid false positives and value stable operation, we recommend an IDS; if you want to improve defensive performance against threats, we recommend an IPS.

It is also possible to use IDS and IPS together, for example an IPS with a small set of high-confidence blocking rules and an IDS for everything else, to get the benefits of each.

Two mechanisms for “detecting unauthorized access” of IDS/IPS (signature type/anomaly type)


There are two types of IDS/IPS detection methods: the signature type and the anomaly type.
The signature type is also called "misuse detection" and the anomaly type is also called "anomaly detection."

▼Difference between signature type and anomaly type

  • Signature type: behaviour that matches a pre-registered "known-bad" pattern is detected as an attack.
  • Anomaly type: any behaviour that deviates from a pre-learned "known-good" baseline is detected as an attack.

In the signature type, known attack patterns and malicious signatures are registered in the IDS/IPS database, and traffic that matches them is flagged as an "anomaly." The advantage of the signature type is that detections are precise: a match tells you which known attack was seen, and the false-positive rate is low.

However, the disadvantage is that it cannot detect anything that is not registered in the database, so it struggles with unknown cyber attacks, newly developed malware, and variants of known attacks that have been re-encoded so that the pattern no longer matches.

The anomaly type, on the other hand, learns how the network behaves in normal times and flags traffic that deviates from that baseline as "unauthorized access." Because it is based on traffic behaviour rather than pattern files, it can respond flexibly to unknown threats.

However, false positives are likely: legitimate but unusual activity, such as a new backup job or a one-off large transfer, can be interpreted as malicious behaviour.

▼Summary of two types of detection methods

  • Signature type
    Features: attack patterns and malicious signatures are registered in advance and matches are detected
    Merit: high certainty of detection
    Demerit: difficult to respond to unknown threats
  • Anomaly type
    Features: learns network behaviour in normal times and detects deviations from the norm
    Merit: can respond to unknown threats
    Demerit: false positives are likely

When introducing IDS/IPS, choose a product based on which detection method suits your company's needs. An anomaly-type product is suitable if you want to respond to unknown threats as well as known ones, and a signature-type product is suitable if you want to detect known threats reliably and avoid false positives.

It may also be effective to consider using it in conjunction with other security solutions to compensate for the disadvantages of each.
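The following is an added example, not code from the original article or from any product it mentions: a minimal detector that runs both methods described above over a constructed set of flow records. Signature detection matches patterns registered in advance; anomaly detection learns a per-host profile (byte volume and destinations) from a normal period and flags deviations. All addresses, byte counts, payloads, rule names and thresholds are invented for illustration.

```python
"""Added example: signature-type vs anomaly-type detection over constructed flows."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: (src, dst, dst_port, bytes_out, payload_snippet)
# Normal period used to learn the anomaly baseline.
TRAINING_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 12_000, b""),
    ("10.0.0.5", "203.0.113.10", 443, 11_500, b""),
    ("10.0.0.5", "203.0.113.10", 443, 12_400, b""),
    ("10.0.0.5", "203.0.113.10", 443, 11_900, b""),
    ("10.0.0.9", "10.0.0.20", 80, 4_000, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", "10.0.0.20", 80, 4_100, b"GET /app?id=1 HTTP/1.1"),
    ("10.0.0.9", "10.0.0.20", 80, 3_900, b"GET /app?id=2 HTTP/1.1"),
    ("10.0.0.9", "10.0.0.20", 80, 4_200, b"GET /app?id=3 HTTP/1.1"),
]
# Monitored period. Each comment states what the constructed flow represents.
LIVE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 12_100, b""),                              # 0: normal
    ("10.0.0.5", "198.51.100.7", 443, 900_000, b""),                             # 1: unknown tool exfiltrating data
    ("10.0.0.9", "10.0.0.20", 80, 4_050, b"GET /app?id=1' OR '1'='1 HTTP/1.1"),   # 2: known SQLi probe
    ("10.0.0.9", "10.0.0.20", 80, 600_000, b"POST /backup HTTP/1.1"),            # 3: legitimate backup burst
]

# Signature type: patterns registered in advance (hypothetical rule names).
SIGNATURES = {
    "sqli-tautology": b"' OR '1'='1",
    "smb-header-probe": b"\xffSMB",
}


def signature_detect(flows):
    """Return (flow_index, rule_name) for every flow whose payload contains a registered pattern."""
    hits = []
    for i, (_src, _dst, _port, _nbytes, payload) in enumerate(flows):
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((i, name))
    return hits


def build_baseline(flows):
    """Anomaly type, learning phase: mean/stddev of bytes_out and the set of
    (dst, port) pairs seen per source host during the normal period."""
    volumes = defaultdict(list)
    dests = defaultdict(set)
    for src, dst, port, nbytes, _payload in flows:
        volumes[src].append(nbytes)
        dests[src].add((dst, port))
    profile = {src: (mean(v), pstdev(v)) for src, v in volumes.items()}
    return profile, dict(dests)


def anomaly_detect(profile, known_dests, flows, z_threshold=3.0):
    """Anomaly type, detection phase: flag flows whose volume is more than
    z_threshold standard deviations above the host's mean, or that go to a
    (dst, port) the host never contacted during the baseline period."""
    alerts = []
    for i, (src, dst, port, nbytes, _payload) in enumerate(flows):
        reasons = []
        if src not in profile:
            reasons.append("source host not in baseline")
        else:
            mu, sigma = profile[src]
            z = (nbytes - mu) / (sigma or 1.0)  # avoid division by zero for constant hosts
            if z > z_threshold:
                reasons.append(f"bytes_out z-score {z:.1f}")
            if (dst, port) not in known_dests[src]:
                reasons.append(f"new destination {dst}:{port}")
        if reasons:
            alerts.append((i, reasons))
    return alerts


def run():
    """Run both detectors over LIVE_FLOWS and return the flow indices each one raised."""
    profile, known_dests = build_baseline(TRAINING_FLOWS)
    sig = signature_detect(LIVE_FLOWS)
    ano = anomaly_detect(profile, known_dests, LIVE_FLOWS)
    return {
        "signature": sorted({i for i, _ in sig}),
        "anomaly": sorted({i for i, _ in ano}),
    }


if __name__ == "__main__":
    print(run())  # {'signature': [2], 'anomaly': [1, 3]}
```

The result shows both trade-offs from the table: the signature catches only the registered SQLi probe (flow 2) and misses the exfiltration by an unknown tool (flow 1), while the anomaly detector raises flow 1 but also raises the legitimate backup burst (flow 3), a false positive that an IPS in blocking mode would turn into an outage.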

What threats cannot be detected and blocked by IDS/IPS?


IDS/IPS can detect and block malicious traffic and strengthen network security, but they cannot detect and block every threat.

Threats they handle well include "DDoS attacks" and "SYN flood attacks" that cause outages by sending huge volumes of traffic to a server, and unauthorized access aimed at the OS/middleware layer, for which signatures are readily available.

On the other hand, they tend to be weak against attacks on web application vulnerabilities such as SQL injection and XSS. A network sensor sees bytes on the wire, so an encoded or obfuscated payload may not match a signature, and if the traffic is TLS-encrypted the sensor cannot read the request at all unless it is given the keys or placed behind a TLS-terminating proxy.

Also, while IDS/IPS and WAF are strong at preventing intrusions, they are weak at detecting hosts that have already been compromised and remain dormant for a long time without producing obvious symptoms.

Furthermore, IDS/IPS has limited visibility into unauthorized access and attacks that arrive via VPN or remote desktop, which are reported to account for around 80% of recent intrusions. Traffic inside an encrypted VPN tunnel is opaque to a sensor at the perimeter, and an RDP session opened with stolen credentials matches no attack signature. Visibility requires a sensor placed after the VPN concentrator terminates the tunnel, and even then the detection must rest on behaviour rather than on a pattern.

To counter "targeted attacks," which are carried out with careful planning after the initial intrusion, and "ransomware," for which around 80% of intrusion routes are VPN or remote desktop, it is essential to have a system that monitors the entire network continuously without relying on manual inspection.
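As an added example (not from the original article or any product it mentions) of the behavioural, whole-network monitoring this section calls for, the code below finds a long-lived, low-volume command-and-control beacon in a constructed connection log. No payload or signature is involved; the only evidence is that one internal host keeps contacting one external host at a near-constant interval, which is exactly the kind of dormant compromise a payload signature never sees. All addresses, timestamps and thresholds are invented for illustration.

```python
"""Added example: beacon detection from connection timing alone."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (seconds since start, src, dst, bytes)
LOG = (
    # 10.0.0.7 -> 203.0.113.55: tiny connections roughly every 300 s (beacon with jitter)
    [(t, "10.0.0.7", "203.0.113.55", 412)
     for t in (0, 302, 598, 901, 1199, 1500, 1803, 2097, 2401, 2699, 3000, 3298)]
    # 10.0.0.3 -> 203.0.113.10: ordinary bursty browsing
    + [(t, "10.0.0.3", "203.0.113.10", 15_000)
       for t in (15, 40, 48, 120, 500, 510, 515, 900, 1400, 2600, 2605, 3100)]
    # 10.0.0.8 -> 203.0.113.10: too few connections to judge
    + [(t, "10.0.0.8", "203.0.113.10", 8_000) for t in (100, 400, 700)]
)


def find_beacons(log, min_connections=8, max_cv=0.1):
    """Group connections by (src, dst) and flag pairs whose inter-connection
    intervals are very regular: coefficient of variation (stddev / mean) at or
    below max_cv. Returns (src, dst, count, mean_interval, cv) tuples."""
    times = defaultdict(list)
    for t, src, dst, _nbytes in log:
        times[(src, dst)].append(t)
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_connections:
            continue  # not enough history; a single burst is not a pattern
        ts.sort()
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(intervals)
        if mu == 0:
            continue
        cv = pstdev(intervals) / mu
        if cv <= max_cv:
            beacons.append((src, dst, len(ts), round(mu, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, n, mu, cv in find_beacons(LOG):
        print(f"possible beacon: {src} -> {dst}, {n} connections every ~{mu}s (cv={cv})")
```

Only the 10.0.0.7 pair is reported; the browsing host has wildly varying gaps and the third host has too little history. Real implants add random jitter and some legitimate software (update checkers, monitoring agents) also polls on a schedule, so in practice the threshold is tuned per environment and hits are correlated with the destination's reputation and age before anyone acts on them.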

Network security products you should know about other than IDS/IPS


There are several network security products other than IDS/IPS. Typical examples are listed below.

  • Firewall
  • WAF
  • SASE
  • NDR

Combining network security products with different characteristics strengthens security further. Below we explain in detail how each of these four products differs from IDS/IPS.

Difference between firewall and IDS/IPS

A firewall is a security product installed at the boundary of a network that monitors traffic and blocks unauthorized access. Rules called "security policies" (typically based on source and destination addresses, ports and protocols) are set in advance, and communications that violate them are blocked.

The difference between a firewall and an IDS/IPS is that a traditional firewall mainly controls traffic at the network boundary based on who is talking to whom, whereas an IDS/IPS inspects the content of traffic inside the network.

In practice the firewall blocks unauthorized access at the entrance, and the IDS/IPS detects threats that the firewall could not stop and that have entered the network.

Difference between WAF and IDS/IPS

When IDS/IPS are discussed, a product called a WAF (Web Application Firewall) is often mentioned alongside them.

A WAF is a security tool that protects websites and web applications from attacks on their vulnerabilities, and as mentioned earlier, what it protects differs from IDS/IPS.

Attacks targeting web applications, such as "SQL injection" and "cross-site scripting (XSS)," are hard for an IDS/IPS to detect reliably, because it inspects network traffic rather than parsing and decoding the HTTP request the way a WAF does.

By combining IDS/IPS and a WAF, you can protect systems against different kinds of cyber attack that neither tool alone can prevent.
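The following added example (not code from the original article or from any product it mentions) puts the three inspection layers compared in this section side by side on constructed traffic: a traditional firewall that decides on addresses and ports only, a network IDS that pattern-matches raw bytes on the wire, and a WAF that parses the HTTP request and percent-decodes its parameters before matching. The rule sets, rule names, addresses and requests are all invented for illustration, and the regexes are deliberately small.

```python
"""Added example: firewall (5-tuple) vs IDS (raw bytes) vs WAF (decoded HTTP parameters)."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Firewall policy, evaluated top to bottom: (action, source network, dst port or None for any).
FIREWALL_RULES = [
    ("allow", "0.0.0.0/0", 443),
    ("allow", "0.0.0.0/0", 80),
    ("allow", "10.0.0.0/8", 3389),   # RDP only from the internal range
    ("deny", "0.0.0.0/0", None),
]


def firewall_decision(src_ip, dst_port):
    """Stateless address/port filter: it never looks at the payload."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, port in FIREWALL_RULES:
        if ip in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return action
    return "deny"


# IDS signatures match raw bytes on the wire (hypothetical rule names). This one
# tolerates spaces or '+' between tokens but not percent-encoding.
IDS_SIGNATURES = {
    "sqli-tautology": re.compile(rb"'[\s+]*OR[\s+]*'1'[\s+]*=[\s+]*'1", re.IGNORECASE),
}


def ids_alerts(raw_packet):
    return [name for name, pat in IDS_SIGNATURES.items() if pat.search(raw_packet)]


# WAF rules run against decoded parameter values, not raw bytes.
WAF_RULES = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s*['\"]?\w*['\"]?\s*=", re.IGNORECASE),
    "xss": re.compile(r"<\s*script|on\w+\s*=", re.IGNORECASE),
}


def waf_alerts(raw_packet):
    """Parse the request line, split and percent-decode the query string, then match."""
    try:
        request_line = raw_packet.split(b"\r\n", 1)[0].decode("latin-1")
        _method, target, _version = request_line.split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return []  # not an HTTP request line; nothing for a WAF to inspect
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second pass catches double-encoded payloads
        for name, pat in WAF_RULES.items():
            if pat.search(value):
                hits.append((name, key))
    return hits


def inspect(src_ip, dst_port, raw_packet):
    """Run the layers in order: a firewall deny means nothing reaches the IDS or WAF."""
    if firewall_decision(src_ip, dst_port) == "deny":
        return {"firewall": "deny", "ids": [], "waf": []}
    return {"firewall": "allow", "ids": ids_alerts(raw_packet), "waf": waf_alerts(raw_packet)}


# Constructed events: (src_ip, dst_port, raw request bytes).
EVENTS = [
    ("198.51.100.7", 3389, b""),                                                                   # external RDP attempt
    ("198.51.100.7", 80, b"GET /app?id=1'+OR+'1'='1 HTTP/1.1\r\nHost: shop\r\n\r\n"),               # plain SQLi
    ("198.51.100.7", 80, b"GET /app?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop\r\n\r\n"),  # URL-encoded SQLi
    ("198.51.100.7", 80, b"GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1\r\nHost: shop\r\n\r\n"),  # XSS
    ("198.51.100.7", 80, b"GET /app?id=7 HTTP/1.1\r\nHost: shop\r\n\r\n"),                          # benign
]


def run():
    return [inspect(*event) for event in EVENTS]


if __name__ == "__main__":
    for event, result in zip(EVENTS, run()):
        print(event[2][:40], result)
```

The firewall stops the RDP attempt without ever seeing a payload, the IDS signature fires on the plainly written injection but not on the percent-encoded copy of the same attack, and only the WAF, which decodes the parameter first, catches both encodings and the XSS payload. Production IDS engines do implement HTTP normalization to narrow this gap, but the WAF's advantage of working on the decoded request the application will actually execute remains.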

WAF is explained in detail in the article below, so please take a look.

Difference between SASE and IDS/IPS

SASE (Secure Access Service Edge) is a concept proposed by Gartner: a cloud-delivered security solution that integrates network infrastructure and network security functions.

SASE's strength is that it delivers multiple security functions such as firewall and IDS/IPS in an integrated manner, making it possible to build an advanced security environment. Because of this, it is more accurate to say "SASE includes IDS/IPS" than to talk about "the difference between SASE and IDS/IPS."

Having multiple security functions in a single solution simplifies security management and helps you build a strong security environment more efficiently.

However, implementing SASE requires reworking the network environment itself, which takes a great deal of cost and time. The disadvantage is that it is hard to adopt unless the organization has sufficient financial and human resources.

Difference between NDR and IDS/IPS

NDR (Network Detection and Response) is a relatively new category of network monitoring security solution; the term came into use around 2020.

Although it resembles IDS/IPS in "detecting threats on the network," the two differ in their fundamental purpose.

IDS/IPS focuses on detecting and blocking unauthorized intrusions from outside, whereas NDR is designed to detect malicious activity of any kind, external attack or internal misuse, including threats already hidden inside the network, by monitoring the whole network from a bird's-eye view.

In addition, an IDS/IPS alert on its own rarely explains the cause behind a detected threat, whereas NDR excels at identifying the intrusion route of the malicious traffic and the cause of the detected threat.

Because NDR relies on AI-based machine learning, it also has a lower operational load than IDS/IPS, which requires rule configuration and pattern-file updates.

What is NDR “Darktrace” that those considering IDS/IPS should know?

If you are considering network monitoring security solutions such as IDS/IPS, we would like you to know about the NDR product Darktrace.

"Darktrace" is an NDR solution that collects packets from corporate and organizational networks and clouds, visualizes the communication status of the whole network and detects abnormal behaviour.

Its AI uses machine learning and mathematical analysis of communications to learn on its own what is normal for the environment, detect unusual communication patterns and respond to unknown threats. It also determines the threat level automatically and can block dangerous communications automatically, which makes threat triage easy and keeps the administrative burden low.

In addition to networks, Darktrace can comprehensively monitor and centrally manage a wide range of digital environments, including cloud, telework, email and SaaS environments, making it possible to detect and counter all types of threats quickly.

Darktrace is positioned as able to address every threat listed in the "Top 10 Information Security Threats 2023" published by IPA (Japan's Information-technology Promotion Agency).

▼How NDR "Darktrace" deals with the 10 major threats (IPA Top 10 Information Security Threats 2023)

  • 1st: Damage caused by ransomware. Darktrace: can detect and respond to ransomware from its precursor stage through to execution (Darktrace reports having prevented over 5,000 documents from being encrypted).
  • 2nd: Attacks that exploit weaknesses in the supply chain. Darktrace: detects and responds to abnormal activity, including impersonation of business partners and related parties.
  • 3rd: Theft of confidential information through targeted attacks. Darktrace: detects and responds to unusual behaviour such as remote access from rare destinations and rare data uploads/downloads.
  • 4th: Information leakage due to internal misconduct. Darktrace: detects and responds to unusual activities such as port scans, use of administrator privileges and suspicious access to file servers.
  • 5th: Attacks targeting new ways of working such as telework. Darktrace: can detect and respond in remote and telecommuting environments (optional).
  • 6th: Attacks that strike before patches are released (zero-day attacks). Darktrace: even zero-day attacks, which rule-based signatures cannot counter, can be detected and dealt with as rare and threatening behaviour.
  • 7th: Financial damage due to business email compromise. Darktrace: detects and blocks emails suspected of being attacks (optional).
  • 8th: Increase in exploitation following disclosure of vulnerability information. Darktrace: can also detect vulnerable communications such as residual SMBv1, which is easily targeted by ransomware.
  • 9th: Information leakage due to carelessness. Darktrace: detects and deals with communications to suspicious destinations originating from URLs or attachments in targeted-attack emails, and downloads of suspicious Excel files.
  • 10th: Crime as a business (underground services). Darktrace: RaaS (Ransomware as a Service) can be detected and dealt with in the same way as #1.

Although Darktrace is more expensive than IDS/IPS, it can monitor a wider range of targets and counter a variety of cyber attacks and internal misconduct.

It is suited to those looking for a security solution with a low administrative burden that can monitor their IT environment comprehensively and respond. For more information, please see the details below.

Summary


In this article, we have explained the basics of IDS/IPS, the differences in their roles, and their advantages and disadvantages.

▼Summary of this article

  • IDS is a security product that monitors the network and "detects" threats.
  • IPS is a security product that monitors the network and both detects and blocks threats.
  • IDS suits environments where an outage caused by a false positive cannot be tolerated, while IPS suits situations where an information leak would directly damage trust in the company.
  • IDS/IPS detection methods are the "signature type," a pattern-matching method that registers known-malicious patterns in advance, and the "anomaly type," which learns normal behaviour and flags everything that deviates from it.
  • IDS/IPS cannot stop every threat and is weak against attacks on web application vulnerabilities such as SQL injection and cross-site scripting.
  • Besides IDS/IPS, network security products include the "firewall," "WAF," "SASE" and "NDR"; choose the product that fits your organization's needs.

IDS/IPS is an effective product for raising your company's security, but it cannot deal with every threat. Build a layered defense by combining it with other security products that are effective at each layer.

We have also prepared a document that summarizes the functions of the NDR "Darktrace" introduced in this article in 3 minutes. Please feel free to make use of it.

 
