Intrusion detection and prevention systems (IDPS)
Detecting and preventing network intrusions used to be the bread and butter of IT security. But over the past few years, analysts and defenders have seen a slow but steady shift away from standalone products. IDS and IPS have become one component of a broader spectrum of network defensive tools, such as security information and event management (SIEM) systems, security orchestration, automation and response (SOAR) platforms, and endpoint and network detection and response systems.
We examine the top six tools, explain the different approaches and form factors used, and compare how intrusion prevention fits into the overall security marketplace.
What is an intrusion detection system (IDS)
An intrusion detection system (IDS) is a longtime staple of IT security: a software application or physical appliance that monitors network connections, hosts, or both for signs that an intruder has broken into your IT infrastructure. It produces alerts, which may or may not give SOC analysts enough context to understand the attack path. In the past these were relatively simple products, but the detection market has grown more sophisticated and more comprehensive to match the increasing complexity of threat actors.
What is an intrusion prevention system (IPS)
An intrusion prevention system (IPS) takes the IDS a step further and tries to stop malware from spreading or an attack from activating. An IPS looks for signatures such as malformed packets, particular source IP addresses, or account credential misuse, and modern products supplement signature matching with a variety of automated methods and machine learning models. They remain less accurate against novel attacks that have no previous signature or behavioral pattern, and against traffic that is encrypted to hide its activity, which a network sensor cannot inspect without TLS decryption. Many such tools not only detect attacks but automatically respond to them.
Like IDS, the IPS market includes hardware appliances as well as various kinds of software tools, uses both agent-based and agentless approaches, and spans open-source and commercial products.
IDS/IPS has long been seen as a distinct market, although the category has evolved into more of a feature of other, more comprehensive security tools. For example, both Cisco and Check Point Software include IPS protection as part of their firewall appliances. Palo Alto Networks includes IPS features in the Advanced Threat Protection package across a variety of its protective products, and Vectra.ai's AI platform combines a collection of managed network and endpoint protection tools with IPS as one feature.
IPS vs IDS: How IPS differs from IDS
The prime focus of an IDS is identifying threats and raising alerts when they are detected. It is mainly a passive system: it watches a copy of the traffic from a SPAN port or network tap and never sits in the forwarding path, so a false positive cannot take a service down. That is why an IDS rather than an IPS is the usual choice for monitoring real-time control systems that must run continuously and with high availability. An IPS takes this a step further and sits inline, taking measures, some proactive and some in near real time, to prevent and stop threats before they harm the network and computing infrastructure. This quick action can also limit the spread of malware across a network and prevent data leaks. The trade-off is that an inline device becomes a single point of failure and a false positive blocks legitimate traffic, so IPS deployments are tuned conservatively and the choice between failing open and failing closed has to be made deliberately.
Why do you need IDS and IPS
Both IDS and IPS function as an early warning system for a potential attack or compromise in some part of an IT infrastructure. Their alerts and logs help pinpoint what has been breached and how it happened, giving an enterprise a faster start on repelling and remediating the attack.
Types of IPS
IPS products are commonly grouped into four types, according to what the sensor watches, plus a deployment distinction that cuts across all of them.
- Network-based intrusion prevention systems (NIPS) focus on the network itself. A purpose-built hardware appliance or a software sensor is placed inline, typically right behind the network firewall, to monitor traffic for potential threats and stop them by blocking the offending connection or dropping the identified packets. Detection is primarily by comparing traffic against known threat signatures. Historically, NIPS were used to defend critical network infrastructure, such as firewalls and servers, from malicious internal users.
- Network behavior analysis (NBA) takes NIPS a step further and analyzes behavior and traffic patterns, such as unusual connection rates, port sweeps or data volumes, to spot malware and other threats. This helps find and stop exploitation of zero-day vulnerabilities for which no network signature exists yet.
- Host intrusion prevention systems (HIPS), often bundled with host-based firewalls, are installed on each endpoint to inspect traffic coming to and going from that system and to monitor the processes running on it. Modern Linux, Windows, and macOS releases ship with a host firewall and some of these controls built into the OS.
- Wireless intrusion prevention systems (WIPS) extend NIPS to Wi-Fi networks and add the ability to detect rogue access points and unauthorized clients and disconnect them from the network.
- Cloud versus on-premises scope. Cloud-based IDS are typically part of larger security suites that use the cloud provider's virtual network access, such as traffic mirroring, to see traffic. On-premises IDS are typically hardware appliances fed by a SPAN port or network tap that mirrors traffic. Some vendors combine both approaches in their products.
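The two distinctions above, passive IDS versus inline IPS and signature-based NIPS versus behavior-based NBA, are easy to see in a small engine. The following is an added example written for this page; it is not code from the page or from Snort, Suricata or any vendor named here. The rules are written in Snort-style syntax, but the parser understands only the subset used below (alert/drop actions, protocol, addresses, ports, msg, content with |hex| escapes, sid); `$HOME_NET` is assumed to be 10.0.0.0/8, the packets and rules are constructed sample data, and `inspect`, `detect_scans` and `run` are names chosen for the example. The same traffic is run twice: once as a passive IDS that can only alert, and once as an inline IPS that actually withholds a packet a `drop` rule matched, while a port sweep with empty payloads is caught only by the behavioral pass.

```python
"""Toy NIPS: Snort-style signature matching plus an NBA-style behavioral check.

Added example, not code from the page or from Snort, Suricata or any vendor.
The parser understands only the rule subset used here (alert/drop, protocol,
addresses, ports, msg, content with |hex| escapes, sid). Rules, $HOME_NET and
the packets are constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple

Rule = namedtuple("Rule", "action proto src sport dst dport msg content sid")
Packet = namedtuple("Packet", "proto src sport dst dport payload")
Event = namedtuple("Event", "verdict sid msg src")  # sid 0 = no signature involved

NET_VARS = {"$HOME_NET": ipaddress.ip_network("10.0.0.0/8")}  # constructed assumption
HEADER_RE = re.compile(r"^(alert|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+):\s*"?([^";]*)"?;')


def decode_content(text):
    """Snort content strings mix literal text with |hex bytes| sections."""
    return b"".join(part.encode() if i % 2 == 0 else bytes.fromhex(part)
                    for i, part in enumerate(text.split("|")))


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = dict(OPTION_RE.findall(body))
    return Rule(action, proto, src, sport, dst, dport, opts.get("msg", ""),
                decode_content(opts.get("content", "")), int(opts["sid"]))


def addr_matches(spec, ip):
    if spec == "any":
        return True
    net = NET_VARS[spec] if spec in NET_VARS else ipaddress.ip_network(spec, strict=False)
    return ipaddress.ip_address(ip) in net


def rule_matches(r, p):
    return (r.proto == p.proto and r.content in p.payload
            and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
            and r.sport in ("any", str(p.sport)) and r.dport in ("any", str(p.dport)))


def inspect(packets, rules, inline):
    """Signature pass. A passive IDS (inline=False) is fed from a tap or SPAN
    port and can only alert, so a 'drop' rule degrades to an alert. An inline
    IPS (inline=True) really withholds the matching packet from the forwarded stream."""
    events, forwarded = [], []
    for p in packets:
        verdict = "pass"
        for r in rules:
            if rule_matches(r, p):
                verdict = "drop" if inline and r.action == "drop" else "alert"
                events.append(Event(verdict, r.sid, r.msg, p.src))
                break  # first matching rule wins in this toy engine
        if verdict != "drop":
            forwarded.append(p)
    return events, forwarded


def detect_scans(packets, threshold=5):
    """Behavioral pass: one source touching many distinct destination ports.
    The probes carry no payload, so no content rule could have caught them."""
    targets = defaultdict(set)
    for p in packets:
        targets[p.src].add((p.dst, p.dport))
    return [Event("alert", 0, f"port scan: {len(t)} destination ports", src)
            for src, t in targets.items() if len(t) >= threshold]


# Constructed rules and traffic (RFC 5737 documentation addresses as attackers).
RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"Path traversal attempt"; content:"/etc/passwd"; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET 445 (msg:"SMB probe"; content:"|FF|SMB"; sid:1000002; rev:1;)',
]
PACKETS = [
    Packet("tcp", "203.0.113.5", 51000, "10.0.0.7", 22, b"SSH-2.0-OpenSSH_9.6"),
    Packet("tcp", "203.0.113.5", 51001, "10.0.0.7", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.9", 40000, "10.0.0.8", 445, b"\x00\x00\x00\x2f\xffSMBr"),
] + [Packet("tcp", "192.0.2.4", 60000 + i, "10.0.0.9", port, b"")
     for i, port in enumerate((21, 22, 23, 25, 80, 443))]


def run(inline):
    """Run both passes; returns (events, packets that were let through)."""
    events, forwarded = inspect(PACKETS, [parse_rule(r) for r in RULES], inline)
    return events + detect_scans(PACKETS), forwarded


if __name__ == "__main__":
    for inline in (False, True):
        events, forwarded = run(inline)
        print("IPS (inline)" if inline else "IDS (passive)", f"forwarded {len(forwarded)}/{len(PACKETS)}")
        for e in events:
            print(f"  [{e.verdict}] sid={e.sid} {e.msg} from {e.src}")
```

In passive mode all nine packets are forwarded and the SMB probe only produces an alert; in inline mode the same probe is dropped, which is exactly the operational difference (and the outage risk) discussed above. The scanner's six empty probes never touch a content rule and are flagged only by the behavioral pass, the gap NBA fills next to a pure signature NIPS.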
How IPS/IDS differ from NDR/EDR/XDR/MDR/ADR
IPS and IDS were created in an era when threats were easier to detect, when cloud computing and internet applications were in their infancy, and when most applications ran on premises. Today's threats are more complex: payloads are customized for each target, so no shared signature exists, and they use multiple layers of encryption and polymorphic, ever-changing code to avoid detection.
To keep pace with this increase in complexity, security vendors have created new detection and protection products under a variety of acronyms: network detection and response (NDR), endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR, a SaaS-based subscription service), and application detection and response (ADR), the latest in the series.
Gartner has taken a slightly different tack and labels vendors' network protection products (Check Point, Palo Alto Networks, Fortinet and Juniper) "hybrid mesh firewalls." The hybrid in this label refers to products with a single management plane for handling both on-premises and cloud environments. "The role and scope of network firewalls have moved beyond traditional use cases to more innovative use cases involving hybrid environments, hybrid workforces and hybrid teams," their analysts Rajpreet Kaur and Adam Hils wrote in a report from January 2024. IPS is just one of numerous network protection strategies employed by these tools.
These labels are not mutually exclusive and are mostly self-explanatory, each focusing on a different part of an organization's computing infrastructure. Each of these tools uses some form of automation to scan and process network traffic and then triage alerts and mitigate threats. Typically, they combine SIEM and SOAR approaches to provide more network visibility, analytical depth and event correlation, to determine what caused a breach and what is required to prevent it in the future.
The detection and response tools were all built to reduce the false-positive alerts of IDS products: they add forensic evidence to the IDS's signature matching and simple traffic scans. Some have begun to use generative AI models to piece together how an intrusion entered a network and spread to various systems, reconstructing the incident and giving security analysts more context for their response.
The NDR/MDR family of tools is also useful for anticipating future attacks and for spotting attacks that deliberately stage themselves over long time periods. These tools have become more favored because they can catch malicious traffic that has never been seen before, ahead of any rule or signature. Traditional signature-based IDS/IPS, by contrast, had trouble with complex campaigns such as the Log4j (Log4Shell) and SolarWinds Sunburst attacks in their early stages, when no signature existed yet.
Leading open-source IDS/IPS tools
Many commercial IDS/IPS vendors start with one or more of the following open-source tools and add functionality and their own algorithms. The four most popular open-source projects are:
- Snort (SNORT.org), one of the earliest intrusion detection and prevention projects, was written by Martin Roesch in 1998; Sourcefire, the company he founded around it, was acquired by Cisco, which now maintains the project. It is so well established that many threat intel vendors publish Snort rules to detect exploitation of new vulnerabilities, and Cisco offers education classes. Rule subscriptions come in two levels, starting at $30 or $400 per year, with another version for software developers to integrate Snort into their applications.
- Suricata (Suricata.io) is used for threat detection and network analysis and reads Snort-compatible rule syntax. The project is run by the Open Information Security Foundation (OISF), which offers a variety of training, including its own user conference.
- OSSEC (OSSEC.net) is a host-based IDS and log monitoring tool, maintained by AtomiCorp.org, which also sells paid enterprise versions.
- Zeek (Zeek.org, formerly Bro) is an open-source network monitoring tool that some vendors incorporate into their commercial IDS/IPS offerings. It was originally developed at Lawrence Berkeley National Laboratory in the 1990s as an IDS; Corelight maintains it today and builds it into its commercial product.
Leading commercial IDS/IPS vendors
Check Point IPS has long been a staple of the company's firewall line, which now includes Quantum Force hardware and CloudGuard software. The goal is a single management product that works across on-premises and cloud infrastructure. Each protection is rated on three metrics: severity of the vulnerability, confidence level of the protection, and its impact on the firewall's performance.
Cisco Secure IPS uses machine learning to counter attacks. It extends Snort signatures and handles unknown and encrypted threats. It comes in on-premises hardware appliance, virtual appliance and cloud versions.
Corelight IDS is built on Zeek, for which Corelight is the corporate maintainer, and on Suricata, adding enterprise support and a wide collection of network protection features including automated detection, investigation routines, and log analysis tools. It comes as a virtual machine or a hardware appliance.
Trellix has combined the IPS products from its FireEye and McAfee predecessors, and IPS is now a feature of both its NDR and XDR product lines. Trellix views IPS as a stepping stone to these more comprehensive tools, which come in a variety of hardware and subscription software options.
Trend Micro acquired the TippingPoint IPS and sells it both as a standalone product and integrated into its central platform, Vision One. It is available as a virtual machine, as a variety of hardware appliances, or as a cloud subscription for protecting AWS workloads.
Zscaler Cloud IPS. Zscaler has its own research team that continually adds new threat signatures and protection rules. It supports Snort rule syntax, extended to cover both web and non-web threats. It is delivered as a managed SaaS service, and its features are included in the company's Advanced Zero Trust Firewall and Zero Trust Exchange products.
Other vendors, including Fortinet, Juniper, Hillstone Networks, and Fidelis Security, either declined to provide information or did not respond to CSO's queries.
Pricing IPS/IDS
Getting precise pricing information is difficult because the price depends on many factors: whether a hardware appliance is required and how it is sized for the network throughput it must inspect; whether a separate rule or software subscription is needed; and how the IPS/IDS is packaged with other security tools. For larger networks, expect to pay at least five figures annually for the more comprehensive products.