Firewall: IPS/IDS

Next Generation Firewalls (NGFW) or Unified Threat Management (UTM) devices often include an Intrusion Prevention System (IPS) and/or an Intrusion Detection System (IDS). Two popular open source IPS/IDS systems are Snort and Suricata.

Intrusion Prevention Systems

Intrusion Prevention Systems detect patterns in data and compare them to known criteria in order to determine whether the data pattern represents a threat. Once a threat is detected, the system takes action: depending on how the IPS is configured, it will usually log the event and block the source of the threat. Intrusion Prevention Systems are designed to block traffic as well as log it. This distinction between an IPS and an IDS is important.

Typically an IPS is deployed in-line. This means the system either runs on the NGFW or UTM itself, or is placed between the NGFW/UTM and the protected network. Because the decisions the IPS makes must actually allow or block traffic, it has to sit in the path of that traffic.

Intrusion Detection Systems

Intrusion Detection Systems are similar to Intrusion Prevention Systems, except that logging and notifications are usually configured while the blocking action is not. An administrator who sets up an Intrusion Detection System is not aiming at prevention, but rather at auditing and reporting. During the IPS configuration and setup process, the IPS will often be put in detection-only mode. The administrator can use this mode to test the system configuration before switching it to prevention mode and blocking traffic.

Intrusion Detection Systems are often set up on a system connected to a mirrored port on a switch. This allows the administrator to use the Intrusion Detection System to log and capture traffic without actually making decisions about that traffic.
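The following is an added example, not part of the original article and not Snort or Suricata code. It illustrates the two points above: signature matching against known criteria, and the difference between a detection-only deployment (alert and log, traffic still flows, as on a mirror port) and an in-line prevention deployment (log and block). The rule format, the `Rule`/`Packet`/`Engine` names, the rule ids and the sample traffic are all constructed for illustration; the engine only does a simplified byte-pattern match on port and payload, which is far simpler than a real IPS.

```python
"""Toy signature engine showing IDS (alert-only) vs IPS (in-line drop) modes.

Constructed example for illustration: the rule format, names and sample
packets are simplified stand-ins, not Snort/Suricata rules or code.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int            # rule id (hypothetical, modelled on the idea of a signature id)
    msg: str            # description written to the log when the rule fires
    proto: str          # "tcp" or "udp"
    dst_port: int       # destination port the rule applies to
    content: bytes      # byte pattern searched for in the payload


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes


@dataclass
class Engine:
    rules: list
    mode: str = "ids"                               # "ids" = log only, "ips" = log and block
    log: list = field(default_factory=list)         # alert lines produced so far
    blocked_sources: set = field(default_factory=set)  # sources an IPS has decided to block

    def match(self, pkt):
        """Return the first rule whose header fields and content match the packet, or None."""
        for rule in self.rules:
            if (rule.proto == pkt.proto and rule.dst_port == pkt.dst_port
                    and rule.content in pkt.payload):
                return rule
        return None

    def inspect(self, pkt):
        """Return the verdict for one packet: 'pass', 'alert' (IDS) or 'drop' (IPS)."""
        # An in-line IPS keeps dropping traffic from a source it has already blocked.
        if self.mode == "ips" and pkt.src_ip in self.blocked_sources:
            return "drop"
        rule = self.match(pkt)
        if rule is None:
            return "pass"
        self.log.append(f"[{rule.sid}] {rule.msg} {pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}")
        if self.mode == "ips":
            self.blocked_sources.add(pkt.src_ip)
            return "drop"
        return "alert"      # IDS on a mirror port: record the event, the packet still flows


# Constructed rules: simplified stand-ins for signatures.
RULES = [
    Rule(1000001, "Directory traversal in HTTP request", "tcp", 80, b"../../"),
    Rule(1000002, "SQL keyword in query string", "tcp", 80, b"UNION SELECT"),
]

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /about HTTP/1.1\r\n"),
    Packet("203.0.113.4", "192.0.2.10", "tcp", 80, b"GET /?id=1 UNION SELECT 1 HTTP/1.1\r\n"),
]


def run(mode, packets=SAMPLE):
    """Run the sample traffic through a fresh engine; return (verdicts, log lines)."""
    engine = Engine(RULES, mode)
    verdicts = [engine.inspect(p) for p in packets]
    return verdicts, engine.log


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, log = run(mode)
        print(mode, verdicts)
        for line in log:
            print("  ", line)
```

Running the same rules in both modes shows the operational difference the article describes: in `ids` mode every packet passes and the two matches only produce log lines, while in `ips` mode the matching packet is dropped and, because the engine is in the traffic path, later packets from the same source are dropped too. Testing a rule set in `ids` mode first, then switching to `ips`, is the staged rollout the text recommends.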
