Intrusion Detection/Prevention Systems
The Importance of Intrusion Detection and Prevention Systems
Signature-based Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can detect known attacks against servers, and are especially useful for protecting against known attacks before the servers can be patched. Behavior-based Intrusion Prevention Systems can sometimes prevent 0-day attacks by recognizing the attack's behavior rather than a known signature.
Limitations of IDS/IPS Systems
Signature-based Intrusion Detection Systems cannot detect 0-day attacks. Both IDS and IPS produce a number of false positives, and a false positive on an IPS means users cannot get to their data or application. Both IDS and IPS devices require a good deal of tuning.
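To make the trade-off described above concrete, the following is an added illustration (not Vidder's code and not part of the original page): a toy signature engine run over the same constructed request lines once in IDS mode (alert only) and once in IPS mode (drop on match). The signatures, the `oldapp.cgi` path and every request line are invented for the example.

```python
import re

# Constructed signatures: one precise rule for a (hypothetical) known exploit
# request, and one over-broad rule of the kind that survives poor tuning.
SIGNATURES = {
    "known-exploit-oldapp": re.compile(r"/cgi-bin/oldapp\.cgi\?debug=1"),
    "overbroad-select": re.compile(r"select", re.IGNORECASE),
}

# Constructed sample traffic with ground truth. The last line is the same
# exploit written in a form the signature was not written for, standing in
# for the unknown / 0-day case a signature engine cannot see.
SAMPLE_TRAFFIC = [
    ("benign", "GET /search?q=laptops HTTP/1.1"),
    ("benign", "GET /help/select-a-plan.html HTTP/1.1"),      # legitimate page, matches "select"
    ("attack", "GET /cgi-bin/oldapp.cgi?debug=1 HTTP/1.1"),    # exactly the known shape
    ("attack", "GET /cgi-bin/./oldapp.cgi?debug=1 HTTP/1.1"),  # variant the signature misses
]


def inspect(request, mode):
    """Return (verdict, signature_name) for one request line.

    mode="ids": traffic is always forwarded; a match only raises an alert.
    mode="ips": a match drops the request; otherwise it is forwarded.
    """
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return ("alert" if mode == "ids" else "drop", name)
    return ("forward", None)


def evaluate(mode):
    """Tally the outcomes the text cares about: blocked users and missed attacks."""
    stats = {"users_blocked": 0, "attacks_caught": 0, "attacks_missed": 0}
    for truth, request in SAMPLE_TRAFFIC:
        verdict, _ = inspect(request, mode)
        if truth == "benign" and verdict == "drop":
            stats["users_blocked"] += 1          # IPS false positive: user denied access
        elif truth == "attack":
            key = "attacks_missed" if verdict == "forward" else "attacks_caught"
            stats[key] += 1
    return stats


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, evaluate(mode))
```

In IDS mode the over-broad rule only costs an analyst an alert; in IPS mode the same rule denies a legitimate user the page, while the variant request passes through either way.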
Vidder's IDS/IPS Recommendations
Because an IDS is potentially capable of catching internal port scans and other activities that warrant investigation, Vidder recommends that an IDS be placed just inside the Internet firewall to monitor all traffic entering and leaving the network. Vidder also recommends placing an IPS just outside the datacenter firewall to block known attacks while waiting for patches that permanently mitigate them. However, as more and more connections become encrypted end-to-end, the value of IDS/IPS systems will diminish.