Wednesday, March 26, 2014

IPS/IDS Brief Explanation

Another summary I did for management:

IPS (Intrusion Prevention System) and IDS (Intrustion Detection System) both use technology that watches internet traffic and looks for attacks or intrusions using signatures and does some action based on any signatures the traffic matches. An IPS has the ability to block traffic that it considers suspicious, while an IDS only has traffic mirrored to it and cannot prevent any traffic from reaching it's destination.

A good analogy for IDS/IPS is a spam email detector. The spam detector looks at your email before you receive it and looks for patterns or words that usually mean the email is a spam message (I'll let you infer common spam email subjects here). If it sees one it is confident is spam, it puts it in your spam folder and doesn't tell you. If it sees a message that could be spam, but could also be legitimate email (your friend offering to sell you a car) it might mark it as potential spam, but still deliver it to your inbox).

For the IDS/IPS technology the signatures are looking at packets and protocols instead of words (Not sure what your familiarity is with internet and network protocols, let me know if you have questions there). Some good examples of things IPS looks for can be found in the IPS Weekly Reporting (one is here for reference).

Threats on the internet are changing constantly, so whenever the IPS vendor releases a new version of their signatures we download and apply it. This allows our IPS, which is older, to look for threats that have only been released very recently, similar to how a virus scanner can find new viruses.