As business technology moves towards service-oriented environments and hosted applications, the demands made on security systems are changing with it. Industry solutions are moving away from traditional intrusion detection systems (IDS) towards intrusion prevention systems (IPS).

Your average business IT environment is rapidly changing. A move away from the distributed computing approach to that of hosted applications and service-oriented architecture (SOA) means new challenges to .

Intrusion detection systems (IDS) were the network watchdogs of choice in the past, but their reactive approach of monitoring and reporting is being replaced by a new breed of intrusion prevention system (IPS) that not only sniffs the perimeter and barks at intruders, but blocks them too.

A THING OF THE PAST?

An IDS focuses on gathering and analysing information within the computing environment and identifying possible security threats and breaches. These include attacks from outside and misuse from within the organisation.

Closely tied to this approach is vulnerability assessment, also referred to as 'scanning': monitoring user and system activities, assessing system integrity, analysing system configurations and identifying possible areas of concern. Detection tells you an attack is under way; assessment tells you where it is likely to succeed.

Boniface, professional services manager for 3Com, says: "IDS relies on signatures in identifying threats on the network. These solutions sit on the sideline and analyse the traffic sent their way. When a specific pattern matches one of the signatures they're looking for, it triggers an alert which is sent through to the system administrator."

This is not a foolproof approach, though, and threat analysis often becomes a hit-and-miss affair. "IDS solutions often report on false positives," explains Boniface. "And this leads to complacency."

It is also a high-maintenance approach, as once a threat has been identified, it is up to the administrator to react. Boniface says attempts were made in the past to add some sort of automation to the reaction process once a threat had been identified by the IDS.

This idea never enjoyed much success. "It took a lot of work to get an IDS solution from one vendor successfully integrating with a firewall from another," he explains.

This kind of thinking did, however, give birth to the concept of IPS.

That 'prevention is better than cure' is not rocket science, and IDS clearly wasn't cutting the mustard. It was inevitable that a more proactive solution would take the place of the network watchdog.

An IPS identifies potential threats and responds to them immediately. Like an IDS, it monitors network traffic, but in addition it has the ability to take immediate action, based on a set of rules established by the network administrator.

"Another big difference between IDS and IPS," adds Boniface, "is that while IDS solutions are sideline and traffic is sent their way for analysis, IPS solutions are inline. Prevention systems sit invisibly on the network, and do not have network addresses. They seamlessly and quietly analyse all the traffic flowing through them on the network. We refer to them as a 'bump in the wire'."

This adds an extra layer of security, as attackers cannot target the IPS directly in attempts to compromise or bypass it. It does not make the device immune to evasion, though: the traffic it inspects is still under the attacker's control, so the quality of its rules and its handling of fragmented or malformed traffic still matter.

One example of the action an IPS can take: a flow of data judged malicious is dropped and all further traffic from the originating IP address or port is blocked, while legitimate traffic continues to be forwarded without interruption.

THE COST OF PROGRESS

Another difference between IDS and IPS is the cost involved. "IPS solutions must be able to monitor traffic and take action without disrupting or slowing down the speed of the network," explains Boniface.

"This requires more processing power, both in terms of functioning without being a hindrance and in terms of how IPS solutions identify threats," he adds.

The signature-based approach of IDS has also made way for a more logic-driven approach in IPS. "IDS solutions would make use of a very rigid yes/no way of analysing threats," explains Boniface. "They would match traffic to a signature and label threats purely on matches at this level. IPS, on the other hand, use a logic flow and a set of rules determined by the administrator to identify threats. Traffic is analysed on several points, such as origin, destination, kind of traffic etc. and then classified.

"The actions taken when a threat is identified depend on the kind of threat and could range from a simple notification of the possible threat right through to a port shutdown."
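To make the contrast concrete, here is a small Python simulation. It is added here as an example and is not code from 3Com or from the original article. It models both a sideline IDS, which sees a copy of the traffic and can only raise alerts, and an inline IPS that runs the logic flow described above: a signature check followed by rules on origin, destination port and kind of traffic, with a graded action (pass, notify, drop, or drop and block the source, as in the drop-and-block behaviour described earlier). The signatures, the 10.0.0.0/24 internal network, the exposed ports and the six packets are all constructed for the example.

```python
"""Sideline IDS versus inline IPS as a toy rule engine.

Added example, not 3Com's product logic. Everything below (signatures,
internal network, exposed ports, the packets) is constructed for the demo.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str             # origin
    dst: str             # destination
    dport: int           # destination port: stands in for "kind of traffic"
    payload: bytes = b""


# The rigid yes/no layer: byte patterns matched against the payload (constructed).
SIGNATURES = {
    b"/etc/passwd": "path-traversal-attempt",
    b"' OR 1=1": "sqli-probe",
}


@dataclass
class Sensor:
    inline: bool                         # True: bump in the wire; False: span-port copy
    internal_net: ipaddress.IPv4Network = ipaddress.ip_network("10.0.0.0/24")
    exposed_ports: frozenset = frozenset({80, 443})
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def signature_hit(self, pkt):
        for pattern, name in SIGNATURES.items():
            if pattern in pkt.payload:
                return name
        return None

    def classify(self, pkt):
        """Logic flow over origin, destination port and payload -> (action, reason)."""
        if pkt.src in self.blocked_sources:
            return "drop", "source already blocked"
        external = ipaddress.ip_address(pkt.src) not in self.internal_net
        sig = self.signature_hit(pkt)
        if sig and external:
            return "block-source", sig                     # attack from outside
        if sig:
            return "alert", "internal misuse: " + sig      # same pattern from inside: notify only
        if external and pkt.dport not in self.exposed_ports:
            return "drop", "port %d not exposed" % pkt.dport
        return "pass", ""

    def process(self, pkt):
        """Return True if the packet reaches its destination, False if it is stopped."""
        action, reason = self.classify(pkt)
        if action != "pass":
            self.alerts.append((pkt.src, action, reason))
        if not self.inline:
            # An IDS sees a copy after the fact: it reports, but cannot stop anything.
            return True
        if action == "block-source":
            self.blocked_sources.add(pkt.src)
        return action in ("pass", "alert")


# Constructed traffic: two external clients, one internal host, one port probe.
CONSTRUCTED_TRAFFIC = [
    Packet("203.0.113.5", "10.0.0.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.10", 443, b"benign follow-up from the blocked host"),
    Packet("203.0.113.5", "10.0.0.10", 80, b"GET /about.html HTTP/1.1"),
    Packet("10.0.0.22", "10.0.0.10", 80, b"GET /login?u=admin' OR 1=1-- HTTP/1.1"),
    Packet("203.0.113.9", "10.0.0.10", 22, b"SSH-2.0-probe"),
]


def run(inline):
    """Feed the constructed traffic through one sensor; return (forwarded flags, alerts)."""
    sensor = Sensor(inline=inline)
    forwarded = [sensor.process(p) for p in CONSTRUCTED_TRAFFIC]
    return forwarded, sensor.alerts


if __name__ == "__main__":
    for mode, label in ((False, "IDS (sideline)"), (True, "IPS (inline)")):
        forwarded, alerts = run(mode)
        print(label, "forwarded:", forwarded)
        for alert in alerts:
            print("   alert:", alert)
```

Run in IPS mode, the second packet from 203.0.113.7 is dropped and its source added to the block set, so its later, otherwise harmless packet is dropped too, while the unrelated client at 203.0.113.5 keeps flowing; the same sensor in IDS mode records the same findings but every packet is delivered. The example also shows where the false-positive problem bites harder for an IPS: a single mistaken "block-source" verdict cuts off a legitimate host, which is why the graded actions (notify for internal hits, block only for external ones) matter.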

This all makes IPS a more expensive solution than IDS, and it also means IDS still has a place in the market for smaller enterprises which cannot afford top-of-the-line IPS solutions, or which can only afford IPS at the network perimeter and require something else internally.
