Uncle Sam likes his networks buttoned down, which means a firewall alone just won't cut it. True, newer firewalls include limited IDS (intrusion detection system) or IDP (intrusion detection and prevention) functionality up to layer 4, and significant protection can be gained by moving up the stack to layer 7. But for a more iron-clad approach, a dedicated IDS or IDP solution generally fares better.
But which direction should you take? The debate over IDS vs. IDP continues to rage, and the truth is they are dissimilar tools. The basic difference is obvious: IDS watches data streams; IDP interferes with data streams. Most IDP solutions can run in passive mode and do everything an IDS does. IDS solutions cannot perform IDP functions, although some can be configured to signal a firewall to block detected attacks. That is not really comparable to IDP. The blocking is reactive, so the packets that triggered the alert have already passed, and it is limited to what the firewall can do, which is likely to filter only at layer 4 by address and port -- something like using a sledgehammer to crack an egg. Worse, an attacker who spoofs source addresses can turn such a setup against you by getting legitimate hosts blocked.
Yet despite the greater functionality offered by IDP systems, the question of which solution is appropriate has no simple answer. Either solution can produce limited returns if the technology isn't implemented correctly or maintained well. In the case of IDS, that can mean attacks aren't visible to admins and data leakage goes unnoticed, essentially providing no benefit whatsoever. Worse still, a poorly implemented or maintained IDP solution can adversely affect network operations, because it sits inline at the network edge: a bad signature drops legitimate traffic, and a failed appliance becomes an outage unless you have deliberately chosen (and tested) whether it fails open or fails closed.
Indeed, for many networks, a combination of IDS and IDP may be the best solution. An IDP solution at the point of egress can provide layer 7 protection for data streams flowing to and from the Internet, while IDS sensors, fed from taps or switch SPAN ports, monitor various internal points on the network and the network core to detect anomalies and potential threats in internal traffic. This combined approach can provide substantial insight and adequate protection without breaking the budget.
If you need to stay constantly aware of the ingress and egress traffic at the edges of a network, either IDS or IDP can provide the detail you want. But if you want to implement fine-grained filters on that traffic, in addition to receiving notifications and alarms, then IDP is the way to go. The filtration capabilities of many IDP solutions eclipse basic virus and worm blocking and can provide substantial data leakage protection by filtering keywords in data streams across multiple protocols. Keep in mind that keyword filtering only works on traffic the sensor can actually read; encrypted streams are opaque unless you terminate or decrypt them in front of the sensor.
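To make the difference between watching, shunning, and inline dropping concrete, here is a small added illustration (not code from the original article or any product) that runs one keyword rule set, applied across two protocols as the data-leakage case above describes, over a handful of constructed flows in three enforcement modes: a passive IDS, an IDS that asks the firewall to block the offending source address, and an inline IDP. The rule and flow structures are simplified assumptions of my own, not any vendor's format.

```python
"""Added illustration, not from the original article: one rule set evaluated
in three enforcement modes over constructed flows. The Flow/Rule records and
the sample payloads are assumptions made for the example, not a real format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str         # source IP address
    proto: str       # application protocol the sensor decoded: "http" or "smtp"
    payload: bytes   # reassembled application payload (constructed sample data)


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    protos: frozenset   # protocols the content match applies to
    content: bytes      # keyword to look for, matched case-insensitively


# A keyword leakage rule that spans two protocols, plus a single-protocol
# signature for an executable (PE header) being uploaded over HTTP.
RULES = [
    Rule(1000001, "DLP keyword in outbound data", frozenset({"http", "smtp"}), b"confidential"),
    Rule(1000002, "Executable upload over HTTP", frozenset({"http"}), b"MZ\x90\x00"),
]

# Constructed traffic: a leaking POST, a benign GET from the same host a moment
# later, a leaking e-mail from a second host, and a benign GET from a third.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "http", b"POST /upload HTTP/1.1\r\n\r\nproject=Confidential roadmap"),
    Flow("10.0.0.5", "http", b"GET /news HTTP/1.1\r\n\r\n"),
    Flow("10.0.0.7", "smtp", b"Subject: draft\r\n\r\nPlease review the CONFIDENTIAL figures"),
    Flow("10.0.0.9", "http", b"GET /index.html HTTP/1.1\r\n\r\n"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """Content match restricted to the protocols the rule is written for."""
    return flow.proto in rule.protos and rule.content.lower() in flow.payload.lower()


def evaluate(flows, mode):
    """Return (alerts, forwarded_flows) for one enforcement mode.

    "ids"           passive tap: alert only, every flow is forwarded untouched.
    "ids_firewall"  IDS alerts, then asks the firewall to block the source IP.
                    The triggering flow has already passed; later flows from
                    that IP, good or bad, are dropped at layer 4.
    "idp"           inline: the matching flow itself is dropped, nothing else.
    """
    alerts, forwarded, blocked_ips = [], [], set()
    for flow in flows:
        if mode == "ids_firewall" and flow.src in blocked_ips:
            continue  # collateral drop: the firewall never looks at content
        hits = [r for r in RULES if matches(r, flow)]
        alerts.extend((r.sid, flow.src, flow.proto) for r in hits)
        if hits and mode == "ids_firewall":
            blocked_ips.add(flow.src)  # reactive: takes effect for later flows only
        if hits and mode == "idp":
            continue  # inline drop of the offending stream
        forwarded.append(flow)
    return alerts, forwarded


def summarize(flows, mode):
    """Count alerts, forwarded flows, leaked matches, and collateral drops."""
    alerts, forwarded = evaluate(flows, mode)
    hit = lambda f: any(matches(r, f) for r in RULES)
    dropped = [f for f in flows if f not in forwarded]
    return {
        "alerts": len(alerts),
        "forwarded": len(forwarded),
        "leaked": sum(1 for f in forwarded if hit(f)),
        "collateral": sum(1 for f in dropped if not hit(f)),
    }


if __name__ == "__main__":
    for mode in ("ids", "ids_firewall", "idp"):
        print(f"{mode:13s} {summarize(SAMPLE_FLOWS, mode)}")
```

Run it and the three rows tell the story from the text: the passive IDS alerts on both leaks but forwards everything; the IDS-plus-firewall arrangement still lets both leaking flows out and then drops the benign request from the first host as collateral damage; only the inline IDP stops exactly the two offending flows and nothing else.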
To make the right call, you'll need an intimate knowledge of the network and its core functionality. Conduct a network audit before implementing or purchasing any security solution to ensure its viability. And remember, network security is a journey, not a destination, and the IDS/IDP decision is but one stop along the way.