oamal2001
asked on
Features of IPS
Dear ALL,
I need to know what the full features and benefits of a network IPS device are, when I need it on my network, what the best IPS brands are, what the difference between IPS and IDS is, and what the differences between software IPS and hardware IPS are.
Thanks,
Well, there are multiple types of IDSs, but based on your comment, I'm assuming you mean network-based IDS and IPS.
IDSs and IPSs are nearly identical. In fact, most IDSs will act as IPSs in a lot of cases (Snort can be compiled in inline mode to accomplish this task when you have a Linux/iptables-based firewall).
The main idea is that an IPS is an IDS with a ruleset (and the ability) to block what it considers malicious traffic. So if the IDS segment of the IPS detects an alert, the IPS either drops the connection directly (when the IPS is inline with your network connection to the outside world) or signals your firewall to drop it.
But either way, an IDS is very similar to an anti-virus in how it functions, in that it's rule-based. There are basically long, complex regular expressions (or similar) that sniff incoming and outgoing traffic for patterns defined by rule-writers (like anti-virus signatures).
There are also heuristic IDSs, which work to a greater or lesser degree.
Personally, my favorite IDS/IPS is Snort. It's open source, very well understood, and (with the VRT-certified ruleset) is backed up by the best malware research group in the world (Sourcefire VRT). You can also buy Sourcefire's 3D sensors, which are basically Snort sensors on steroids.
ActiveScout also makes a good heuristic sensor from what I hear, but they're very complicated and expensive too.
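To make the IDS-versus-IPS distinction in the answer above concrete, here is a small added example (not from the original thread or from Snort): a rule-based inspection engine whose rules are regular expressions over the packet payload, run once in detect-only (IDS) mode, where every packet is still forwarded and matches only raise alerts, and once in inline (IPS) mode, where matching packets are dropped. The rule names, regexes and sample packets are constructed for this illustration.

```python
import re
from typing import List, Tuple

# Constructed signature rules: (rule name, regex applied to the payload).
# Real rulesets are far larger, but the matching principle is the same.
RULES = [
    ("directory-traversal", re.compile(rb"(\.\./){2,}")),
    ("sql-union-select", re.compile(rb"(?i)union\s+select")),
]

def inspect(payload: bytes) -> List[str]:
    """IDS core: return the names of every rule the payload matches."""
    return [name for name, rx in RULES if rx.search(payload)]

def process(packets: List[Tuple[str, bytes]], mode: str = "ids"):
    """Run a stream of (source, payload) pairs through the engine.

    mode="ids": passive sensor, every packet is forwarded, hits only alert.
    mode="ips": inline sensor, packets that hit any rule are dropped.
    Returns (forwarded payloads, list of (source, rule, action) events).
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    forwarded, events = [], []
    for src, payload in packets:
        hits = inspect(payload)
        action = "drop" if mode == "ips" else "alert"
        events.extend((src, rule, action) for rule in hits)
        if hits and mode == "ips":
            continue  # inline block: the data never reaches the protected host
        forwarded.append(payload)
    return forwarded, events

# Constructed sample traffic: one benign request and two rule hits.
SAMPLE = [
    ("10.0.0.5", b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.9", b"GET /../../../../etc/passwd HTTP/1.1\r\n"),
    ("10.0.0.7", b"id=1 UNION SELECT user,pass FROM accounts"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, events = process(SAMPLE, mode)
        print(f"{mode}: forwarded={len(fwd)} events={events}")
```

The same rules produce the same two detections in both modes; only the action differs, which is exactly the "IDS with the ability to block" definition given above.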
ASKER
Thanks for all very much.
Some of the vendors are Juniper, Cisco, Enterasys.
The difference between IPS and IDS is the IDS will detect threats while the IPS will take it step further and block the attacks as well.
The hardware versions are specific platforms made for this one function while software versions would be made to run on a generic PC or server platform.