Good security practices help protect your network against attacks by intruders, malicious applications, and a host of other threats. Part of a successful security plan is having the right products in your arsenal—a simple firewall and antivirus product won’t suffice. To fully protect your network, you need intrusion detection and prevention coverage. Intrusion detection systems (IDSs) monitor for open ports on your network to detect security vulnerabilities that leave your systems open to attack. Intrusion prevention systems (IPSs) go even further, actually preventing attacks from occurring.
A multitude of IDS and IPS products exist, ranging from software and services to appliances. For this Buyer’s Guide, we focus on IDS and IPS software and services. In addition, many solutions are free—which we highlight in the accompanying table.
To determine which product is right for your environment, consider the following aspects of intrusion detection and prevention. Then, consult the Buyer’s Guide table for an overview of products.
Methods of intrusion detection vary widely. The most common type of intrusion detection is the rule-based (or signature-based) method. This type of detection compares an attack signature to network traffic to identify potential threats. Other intrusion detection methods include network behavior analysis, event log monitoring and reporting, database auditing, baseline snapshot comparison, pattern recognition, and heuristic analysis.
User Input and Configuration
In choosing an IDS/IPS, you might want to consider how much user input is required (or even possible). For example, does the program run unattended, or does it require user input? Are scans customizable—that is, do they adhere to a predefined policy, or can you apply user-created rules? You should also take into account how often the program is updated, and whether updates are automatic or user-scheduled. Update frequency can range from yearly to hourly, or even as needed in real time. Finally, do scans occur continuously, or only during scheduled times? Although for ease of use you might prefer an IDS/IPS product that runs out-of-the-box, for the best security protection you might want to be able to fine-tune the program to suit your environment and specific needs.
Management and Reporting
Even if you have the best IDS/IPS product imaginable, it’s useless if you can’t easily retrieve the information it gathers. Consider whether the program you’re looking at offers centralized management, preferably through an easy-to-use console that provides configuration, monitoring, and reporting. Another criterion to evaluate is the product’s reporting capabilities. For example, are reports canned or customizable? Also, how are reports provided (e.g., HTML, PDF, email)?
If your organization uses virtualization, as so many companies do these days, you need to determine whether the product you’re considering supports and can run in a virtualized environment. Can the program run on a virtual machine (VM)? Can it scan VMs? And does it work with all virtualization platforms, or only one?
Go Forth and Detect
Evaluating all the aspects of intrusion detection and prevention will help you find the best product for your environment. Once you have an IDS/IPS up and running, you can sleep easier knowing your systems are safe from attack—or at least safer than they were without it.