
Sunday, October 28, 2018

Intrusion Detection and Prevention Systems

Intrusion Detection Systems (IDS) vs Intrusion Prevention Systems (IPS): What’s What?

An Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) have very similar acronyms by which they are commonly known, yet they perform very different tasks within the network security process. So what exactly do they do, how do they do it, and does your organization need either, neither, or both as part of your overall security posture?
Intrusion Detection System
Definitions are important in the security world—you have to understand what you are dealing with before you can accurately determine if it's a good fit for the needs of your organization. So what exactly is an Intrusion Detection System (IDS)? Simply put, an IDS can be either a hardware device or software application that monitors network traffic, incoming and outbound, for any malicious activity or security policy violation. Think of it as an intruder alarm, sounding an alert if it spots any activity that could lead to network and data compromise. It does this by inspecting the packets that flow across the network in order to detect known indicators of compromise and traffic patterns that suggest suspicious activity. In other words, an IDS is a passive system used to bring real-time visibility into potential network compromises.

How the IDS achieves this will depend on the type of system being deployed. They can be either network based or host based. Network-based Intrusion Detection Systems (NIDS) have sensors strategically placed within the network itself, sometimes at multiple locations, to monitor the most traffic without creating performance bottlenecks. Host-based Intrusion Detection Systems (HIDS) work differently: they run on specific hosts or devices and monitor only the traffic associated with them. Either type can take different approaches to detecting suspicious traffic. Some use signature detection, comparing packets against a database of known threats. Some use an anomaly-based approach, comparing traffic patterns against an established network “normality” baseline. Some combine both methods. All are known for generating false positives, at least initially, so the IDS will need configuration to fine-tune it for the particular “norms” of your network and the devices attached to it.
Intrusion Prevention System
An Intrusion Prevention System (IPS) is like an IDS on steroids. Not only can it detect the same kind of malicious activity and policy violation that an IDS does, but as the name suggests it can execute a real-time response to stop an immediate threat to your network. Like an IDS, the IPS can be NIPS-based with sensors at various points of the network or HIPS-based with sensors on the host to monitor individual devices. Unlike the IDS, an IPS has the ability to configure policy-based rules and actions to be executed when any anomaly is detected. Think of it as being an active defense system, tailored to best suit your business needs in terms of security posture. 
An IPS is often mistaken for a firewall, but that is an erroneous assumption. If anything, an IPS is a firewall in reverse: the firewall applies a rule-set to allow traffic to flow; an IPS applies a rule-set to deny and drop traffic. That said, there are Unified Threat Management (UTM) devices, which do both and therefore act as firewall and IPS simultaneously. These might appear to offer the best of both worlds, in that they can actively allow “good” traffic while also blocking known “bad” traffic. However, UTMs can be hard to manage optimally, and tend not to enable the same granularity of control over IPS protections as a stand-alone IPS can offer.
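To make the signature/anomaly distinction and the IDS/IPS split concrete, here is a small added example (not code from the original post): a toy inspector with one constructed signature, a constructed connection-rate baseline, and an `inspect()` function that only alerts in IDS mode but also drops flows in IPS mode. All signatures, thresholds and sample flows are assumptions for illustration.

```python
"""Toy signature + anomaly inspector illustrating the IDS/IPS split.
Constructed sample data and rules; not a real IDS or vendor signatures."""
import statistics
from collections import Counter

# Constructed signature database: name -> byte pattern whose presence is
# a policy violation (here, a credential sent in cleartext).
SIGNATURES = {"cleartext-credential": b"passwd="}

# Constructed baseline: connections per source seen during a quiet training
# window. Z_THRESHOLD is the knob you tune to cut the initial false positives.
BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]
Z_THRESHOLD = 3.0

def signature_hits(payload):
    """Names of signatures found in the payload (empty list if none)."""
    return [name for name, pat in SIGNATURES.items() if pat in payload]

def anomalous_sources(flows, baseline=BASELINE, z=Z_THRESHOLD):
    """Sources whose connection count exceeds mean + z * stdev of baseline."""
    mean, stdev = statistics.mean(baseline), statistics.pstdev(baseline)
    counts = Counter(f["src"] for f in flows)
    return {src: n for src, n in counts.items() if n > mean + z * stdev}

def inspect(flows, mode="ids"):
    """IDS mode only raises alerts; IPS mode additionally drops the flow.
    Returns (alerts, dropped): alerts is [(flow_id, [reasons])]."""
    alerts, dropped = [], []
    anomalies = anomalous_sources(flows)
    for f in flows:
        reasons = signature_hits(f["payload"])
        if f["src"] in anomalies:
            reasons.append("rate-anomaly")
        if reasons:
            alerts.append((f["id"], reasons))
            if mode == "ips":  # the active response an IDS never takes
                dropped.append(f["id"])
    return alerts, dropped

# Constructed flows: one carrying a signature, one noisy source (10.0.0.9)
SAMPLE_FLOWS = [
    {"id": 1, "src": "10.0.0.5", "payload": b"GET /index.html"},
    {"id": 2, "src": "10.0.0.7", "payload": b"POST /login user=a&passwd=x"},
] + [{"id": 3 + i, "src": "10.0.0.9", "payload": b"SYN"} for i in range(12)]
```

Lowering `Z_THRESHOLD` or using a noisier `BASELINE` shows why an untuned anomaly rule floods the operator with false positives.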

Which do you need?

Now you know the differences between an IDS and IPS, which does your organization need as part of its network security implementation? Truth be told, the stand-alone IDS has pretty much been replaced by the IPS as far as the IT security industry is concerned. That's not to say intrusion detection is a busted flush, but rather that detection has to be accompanied by prevention technologies in today’s increasingly frantic threat climate. For most organizations, the notion of administering an IDS as a separate solution alongside other reactive solutions makes little sense. What makes more sense is to adopt a layered approach to detection and prevention while working with a managed service provider (MSP) able to make better sense of the complexities of the security function and respond to alerts more effectively.

Friday, September 4, 2015

About PSIM

What is PSIM?

PSIM stands for Physical Security Information Management, but the acronym alone does not explain why it is important. Firstly, the future of all security systems is IP based: CCTV, access control, intruder alarms and fire alarms will all be computer based. Analogue and standalone systems are becoming increasingly redundant, and technology is moving rapidly towards converging all these IP based systems onto a single software management platform.
Assuming your security systems are IP based, PSIM software packages will make an incredible difference to the way you secure your school, business or public sector space. Facility or building management staff can centralise all systems onto a single platform and remotely manage the building.
The key attributes of a PSIM system are:
1. Collection: Device management independent software collects data from any number of disparate security devices or systems
2. Analysis: The system analyses and correlates the data, events, and alarms, to identify the real situations and their priority
3. Verification: PSIM software presents the relevant situation information in a quick and easily-digestible format for an operator to verify the situation
4. Resolution: The system provides Standard Operating Procedures (SOPs), step-by-step instructions based on best practices and an organisation’s policies, and tools to resolve the situation
5. Reporting: The PSIM software tracks all the information and steps for compliance reporting, training and potentially, in-depth investigative analysis
6. Audit trail: The PSIM also monitors how each operator interacts with the system, tracks any manual changes to security systems and calculates reaction times for each event
PSIM is considered essential for Control Rooms or Command and Control Operations because, provided all the systems are IP based, the software converges the disparate systems onto a single platform to provide full management. Common security systems integrated onto a PSIM platform are:

- IP Access control systems
- IP CCTV systems
- Fire detection
- Video wall
- Intrusion detection systems
- Perimeter Intrusion detection systems
- Radar based detections
- GIS mapping systems
- Intercom or IP Phone systems
- Automated barriers & bollards
- Building management systems
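The collection, analysis, resolution and audit-trail attributes listed above can be shown in miniature. The following is an added example, not any vendor's PSIM code: events from an access control system, a perimeter intrusion detection system (PIDS) and CCTV, already normalised to one schema, are correlated into situations by zone and time window, ranked by the most urgent contributing system, matched to an SOP, and the operator's acknowledgement is recorded with its reaction time. The priority table, SOP texts, 60-second window and sample events are all constructed assumptions.

```python
"""Toy PSIM core: normalised events from disparate systems are correlated into
situations, ranked, given an SOP, and acknowledged. Constructed data and rules."""
from dataclasses import dataclass, field

# Assumed priority per source system (1 = most urgent) and the SOP shown per priority.
PRIORITY = {"fire": 1, "pids": 2, "access": 3, "cctv": 4}
SOPS = {
    1: "Evacuate zone, call fire brigade, release egress doors",
    2: "Pan camera to zone, dispatch guard, lock adjacent doors",
    3: "Verify cardholder on CCTV, contact area supervisor",
    4: "Review clip, log as observation",
}
WINDOW = 60  # seconds: events in one zone this close together correlate

@dataclass
class Situation:
    zone: str
    start: int
    events: list = field(default_factory=list)

def priority(s):
    # The most urgent contributing system sets the situation's priority
    return min(PRIORITY[e["system"]] for e in s.events)

def sop(s):
    # Resolution step: the procedure the operator is shown
    return SOPS[priority(s)]

def correlate(events):
    """Analysis step: bucket events by zone within WINDOW, most urgent first."""
    situations = []
    for e in sorted(events, key=lambda e: e["t"]):
        for s in situations:
            if s.zone == e["zone"] and e["t"] - s.start <= WINDOW:
                s.events.append(e)
                break
        else:
            situations.append(Situation(e["zone"], e["t"], [e]))
    return sorted(situations, key=priority)

def acknowledge(s, operator, t):
    """Audit trail entry: who handled the situation and the reaction time."""
    return {"operator": operator, "zone": s.zone,
            "priority": priority(s), "reaction_s": t - s.start}

# Constructed events from three systems, already mapped to one schema
SAMPLE_EVENTS = [
    {"t": 100, "system": "access", "zone": "loading-bay", "msg": "door forced"},
    {"t": 130, "system": "pids", "zone": "loading-bay", "msg": "fence zone 3"},
    {"t": 150, "system": "cctv", "zone": "loading-bay", "msg": "motion"},
    {"t": 400, "system": "cctv", "zone": "lobby", "msg": "motion"},
]
```

With these inputs the three loading-bay events collapse into one priority-2 situation that outranks the lone lobby motion event, which is the correlation step the text describes.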


The aggregated data, information and footage from the various systems provide the operator with the intelligence to manage incidents effectively (e.g. fires, intruders) as well as the day-to-day management of the building (e.g. remote door locking). Ultimately, this means the need for large teams of facility staff can be reduced and the building managed centrally by key operators. A key reason for the development of PSIM has been the technology improvements in the systems listed above, which have allowed software developers to integrate and converge these systems onto single platforms. Technology in security systems is improving dramatically, prices are falling, and the software required to manage them is now available. It really makes sense to move forward and use PSIM to its full potential; let Sunstone help you embrace the future.