An intrusion detection system (IDS) can be a standalone device or, as is often the case, can exist in the form of additional functionality within a firewall. The main purpose of an IDS is to monitor network traffic and/or compare file hashes. If something is deemed suspicious, the IDS will alert on that traffic. This brings up the primary “weakness” of an IDS: it will alert about suspicious traffic, but an IDS traditionally will not actively act to prevent the threat. Acting to prevent traffic falls under the definition of an intrusion prevention system (IPS).
Another weakness of IDSs is their difficulty to “tune” or customize according to the unique traffic patterns of your network. Invariably, a newly placed IDS will alert unnecessarily on suspect traffic that turns out to be benign. In short, there is a strong tendency to alert on false positives. Similarly, some malicious traffic, positively identified by well-tuned countermeasures, will be missed by the IDS. In that case, the IDS must be adjusted or updated to avoid further false negatives.
IDSs help reduce the blocking of traffic and port access as false positive by efficiently detecting abnormal or undesirable events on the network. As mentioned earlier, Intrusion Detection System (IDS) functionality is often built into NGFWs, likely labeled as a module. In the scope of secure network components, the relevant concern is how the IDS and fire- wall might interoperate. The integrated device might additionally provide extensive logging, auditing, and monitoring capabilities. When the abnormal or undesirable traffic is detected, the IDS might then perform a few actions. First, it would alert security personnel. Also, the IDS might put a temporary firewall rule in place.
NOTE Some view false positives as an indicator that should be reduced. That is not always true. Ignoring false positives can result in missing indicators of compromise. Tuning devices to reduce false positives also creates a false sense of security, as rules are relaxed to reduce alerts. In contrast, overly strict rules increase administrative burden as security professionals investigate too many false alarms. Security professionals have to work toward a cost-effective and secure balance based on risk.
Related to IDSs are IPSs. Most consider the distinctions between these systems relatively minor. IPSs are basically extensions of the IDS. Based on the rules in the IDS filter, the IDS monitors the traffic and alerts when the rules are broken. An IPS provides a similar monitoring function but is designed to actually deny access when unwanted or abnormal traffic is detected. A distinction between a firewall and an IPS, which both deny traffic, is that firewalls do not have an ability to interrogate the data packets to identify an attack, but IPS (and IDS) does. Realistically, today’s IDS/IPS functionality is almost always part of an integrated device, with fewer commercial products operating exclusively as an IDS or IPS.
