In the past, IPS and IDS have usually been defined in terms of one versus the other. While each offers its own unique attributes, the key to success may lie in a blend of the two. So how can you decipher what each of the two intrusion defense tools offers? In this article, we break down the main differences between IPS and IDS and how you can leverage their capabilities to protect your workloads.
IPS vs IDS
An Intrusion Prevention System (IPS) is a security control tool; it inspects traffic for vulnerabilities and exploits within the network stream and can remove packets before they reach your applications. It can also act as a protocol enforcement tool by ensuring each packet you accept is correct for that application. For example, you can allow any HTTPS packet that comes in on port 443, but block any non-HTTPS packets, such as SSH, on the same port. This allows you to do additional enforcement of the traffic for multiple protocols on the same network port.
An Intrusion Detection System (IDS) is a visibility tool; it can alert an administrator on patterns within traffic while allowing the traffic to pass through to the application. This allows you to create IDS rules that give additional information about the traffic being accepted into your environment. For example, you might have an IDS rule to inspect the SSL ciphers of servers communicating with you, to ensure they follow compliance mandates and security policies. It is a powerful tool for gathering in-depth information without impacting your applications.
Layering Your Security
Ideally, you want to use both technologies within your environment. This allows you to use the IPS functions to protect your workloads from vulnerabilities and exploits, which gives an additional layer of security within your environment. An IDS is helpful for monitoring and investigation within your environment without downtime for users or applications. This allows administrators to build additional IPS policies based on the information displayed within the IDS, keeping your environment protected.
Having a tool like Deep Security, which can be configured as an IPS, an IDS or both, is extremely useful for implementing security controls and removing vulnerabilities, as well as giving you real-time information about traffic patterns and policies. Each rule within Deep Security can be configured either in Prevent (IPS) or Detect (IDS) mode, giving you granular control of your security posture while still allowing your applications to run without impact. Combine this with our recommendation scan technology, and your network security becomes context-aware, matching the correct IPS and IDS rules to the operating system and applications running on your workload. Deep Security only applies the rules you need within your environment, keeping your performance costs low.
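To make the two ideas above concrete (protocol enforcement on port 443 from the IPS section, cipher inspection from the IDS section, and per-rule Prevent/Detect modes from the paragraph just above), here is a small added example written for this article. It is not Deep Security code and does not reflect how that product implements its rules; it is a toy rule engine that looks at the first bytes of a stream, classifies the protocol, parses the chosen cipher suite out of a TLS ServerHello, and applies each rule in either "prevent" (drop the stream) or "detect" (alert only) mode. The rule names, the heuristics in classify_stream, and the sample payloads are all constructed for illustration; the two cipher suite IDs in the deny list are the IANA values for RC4-SHA and 3DES-SHA.

```python
import struct

# Constructed deny list of cipher suite IDs (IANA values) that this policy
# treats as weak. A real policy would be driven by your compliance mandate.
WEAK_CIPHERS = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def classify_stream(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a stream.

    Heuristics (hypothetical, kept deliberately simple): a TLS handshake
    record starts with content type 0x16 and version 0x03 0x0X; an SSH
    connection opens with the 'SSH-' identification string; a plaintext
    HTTP request starts with a method token followed by a space.
    """
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return "http"
    return "unknown"


def server_hello_cipher(payload: bytes):
    """Return the cipher suite chosen in a TLS ServerHello, or None.

    Offsets follow the TLS record/handshake layout: 5-byte record header,
    4-byte handshake header, 2-byte version, 32-byte random, 1-byte session
    ID length, the session ID itself, then the 2-byte cipher suite.
    """
    if classify_stream(payload) != "tls" or len(payload) < 9:
        return None
    if payload[5] != 0x02:          # handshake type 2 = ServerHello
        return None
    pos = 9 + 2 + 32                # skip handshake header, version, random
    if len(payload) < pos + 1:
        return None
    pos += 1 + payload[pos]         # skip session ID length byte and session ID
    if len(payload) < pos + 2:
        return None
    return struct.unpack("!H", payload[pos:pos + 2])[0]


# Rule match functions: each receives the destination port and the stream's
# first bytes and returns True when the rule fires.
def rule_non_tls_on_443(port: int, payload: bytes) -> bool:
    return port == 443 and classify_stream(payload) != "tls"


def rule_weak_server_cipher(port: int, payload: bytes) -> bool:
    suite = server_hello_cipher(payload)
    return suite is not None and suite in WEAK_CIPHERS


# Per-rule mode, mirroring the Prevent (IPS) / Detect (IDS) split described
# in the article. These rule names are constructed for the example.
RULES = [
    {"name": "Non-TLS traffic on 443", "mode": "prevent", "match": rule_non_tls_on_443},
    {"name": "Weak TLS cipher negotiated by server", "mode": "detect", "match": rule_weak_server_cipher},
]


def evaluate(port: int, payload: bytes, rules=RULES):
    """Return (verdict, alerts). A firing 'prevent' rule drops the stream;
    a firing 'detect' rule only records an alert and lets traffic pass."""
    verdict = "pass"
    alerts = []
    for rule in rules:
        if rule["match"](port, payload):
            alerts.append(f'{rule["mode"]}: {rule["name"]}')
            if rule["mode"] == "prevent":
                verdict = "drop"
    return verdict, alerts


def make_server_hello(cipher_suite: int) -> bytes:
    """Build a minimal, constructed TLS 1.2 ServerHello record for testing."""
    body = (b"\x03\x03" + bytes(32)                 # version, all-zero random
            + b"\x00"                               # empty session ID
            + struct.pack("!H", cipher_suite)       # chosen cipher suite
            + b"\x00")                              # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample streams: (destination port, first bytes on the wire).
SAMPLES = {
    "ssh_on_443": (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "tls_strong": (443, make_server_hello(0xC02F)),   # ECDHE-RSA-AES128-GCM-SHA256
    "tls_rc4":    (443, make_server_hello(0x0005)),   # RC4-SHA, on the deny list
    "ssh_on_22":  (22,  b"SSH-2.0-OpenSSH_8.9\r\n"),
}

if __name__ == "__main__":
    for label, (port, payload) in SAMPLES.items():
        verdict, alerts = evaluate(port, payload)
        print(f"{label:>11}: port {port:<4} -> {verdict:<4} {alerts}")
```

Running the block shows the split the article describes: the SSH banner arriving on 443 is dropped by the prevent rule, the RC4 ServerHello passes but raises a detect alert an administrator can act on (for example by later promoting that rule to prevent), and the strong-cipher and port-22 streams pass silently.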
Intrusion detection and prevention are valuable security tools, especially for cloud workloads when you can easily spin up a workload that’s visible to the world. By using Deep Security, you can add another layer of network security controls and visibility to your security arsenal.