

This is the third post in a series that focuses on a view from the trenches. In this post I will examine inline and passive intrusion prevention/detection installations. Although the industry trend is that the automation aspects of inline IPS make it more useful, does that mean that passive intrusion detection as a technology is obsolete? While the benefits of inline IPS are easy to see, I want to point out a few situations where it may still be useful to use passive intrusion detection.

There is a debate today on the value of IDS/IPS and whether IDS has to be inline to be valuable. (See my previous posts for more background on the merits of IPS.) At first, all intrusion detection was passive, looking for attack signatures on the wire. Of course predictively analyzing and detecting all attacks has an inherent conflict: if we can predict it enough to analyze it with a high degree of fidelity, we could just prevent it. This set the stage for an inline preventative IDS (IPS). The intrusion detection market has been progressively moving in this direction. One of the business influences leading to that trend could be described as follows:

A company has a small security team. They purchase and deploy IDS for $1000 and get many alerts; their security posture remains static. The company purchases SIM for $1000 to help manage alerts, and their security posture remains static. The company then hires more people to tune, manage, and respond to their IDS deployment and, a year or two down the road and $100,000 later, they start to identify and reduce issues.

In today’s fast-changing world, the return on investment (ROI) is hard to justify and is a long time coming. Switch to IPS, and that same small security team buys and deploys something inline for $1000 and their security posture starts to improve immediately. Is IDS dead? Is IPS the only way to go? Read on to find out.

I meet with security teams all over the world, and most have some form of intrusion detection deployed. Generally, there are a few major buckets of intrusion detection deployment/implementation types:

I wish all teams were closer to Type 3, but I often find that they are closer to Type 1. Many teams deploy intrusion detection as a checkbox for compliance rather than deploying it with a real interest in using on-the-wire detection to protect the network. This can be related to ROI issues and the setup time mentioned earlier in this post. IPS is often considered the quick fix, but what are you missing if you go that route? Why doesn’t everyone go inline and leave their old passive IDS forever? Here are a few reasons that could make the difference:

So does this mean IPS is useless? No, not at all. There are some very good deployment scenarios. For example, IPS can be very effective if you are joining two areas with very different security postures, especially if one area has problems with malware that you may not be able to completely fix, possibly between a lab and a production network. At Cisco, we are trying IPS between our remote access network and our internal network. Below is a network diagram of a functional setup for IPS.

This allows remote users to have more freedom while not hurting our corporate network. The details in this post highlight the argument that IPS and IDS don’t have to be mutually exclusive. What matters is which solution fixes your security problems, and the answer could be both. At Cisco, we will continue to have a huge investment in passive IDS for network intelligence gathering, while using IPS to block at some junctions between very unequal security postures. Using IDS, we have enabled the business to move quickly into new opportunities with the ability to tell if things get out of hand. The main decision-making factor with IDS/IPS should be choosing the direction that solves the types of security problems facing the network.



  1. Hi Gavin, Thanks for a well written, nicely explained article. I have been a security specialist for a little over 12 years now and the changes that have happened over that time frame are unreal. I often have clients very confused about the differences and benefits of IDS vs. IPS, and often spend hours explaining the pros and cons of each. You have certainly highlighted the key areas in a very easy to follow method, and I think I’ll be sending more of my clients to this post. Thanks again Jay


  2. Less complexity appears complex!


  3. Thanks Gavin for the information. I understood some of these concepts but you helped bridge the gaps for me with this article. Sincerely, Melissa

