INTRUSION PREVENTION SYSTEM
Intrusion Prevention System (IPS) technologies fulfill a valuable role at certain strategic locations at the network's edge. For the remainder of the network (the high speed, port-dense distribution and core areas), administrators should consider a "defense in depth" model that adds flow-based Network Behavior Analysis (NBA) and response systems.
IPS technologies are well suited to filtering well-known, well-defined attacks at the perimeter, but they are very costly and challenging to deploy in high speed switched core or distributed WAN environments. Inline intrusion prevention systems use attack signatures and rudimentary protocol anomaly detection techniques to recognize and block "low hanging fruit" attacks such as well-known worms and older attack methodologies. Intrusion prevention technologies are often deployed at Internet-facing locations where they act as a first line of active defense. However, they often lack advanced anomaly detection, policy, and forensics capabilities. Additionally, their inline nature limits the scope of their deployment to a relatively small subset of network systems and raises the cost of network-wide deployment to astronomical heights.
Designed for internal and distributed security and network monitoring, Lancope's StealthWatch leverages NetFlow and sFlow from routers and switches as well as SPAN ports. It is "behavior-based": no signature updates are required to detect attacks and anomalies.

| Classic IDS/IPS technology | NBA technology |
|---|---|
| Database signatures detect known attacks | Real-time monitoring of host behaviors and traffic analysis to identify threats |
| Per-packet, inline blocking of attacks | Mitigation via network infrastructure or integration with inline devices |
| Cost prohibitive at speeds above 1G | Unlimited monitoring of high speed networks at no extra cost |
| Minimal forensics value | Archived audit trail of network IP communications |
| Little to no network performance tools for identifying DoS, worm outbreaks | Extensive network performance reports including top talkers, interface utilization, exporter tracking, etc. |
| No identity integration | User-identity aware |
| Limited visibility per direct network connection | End-to-end network visibility |
| Commonly deployed technology | Innovative technology deployed by early adopters |
NBA and Intrusion Prevention System technologies overlap very little with one another; each offers unique capabilities well suited to its stated goals. Combined with inline IPS at the network perimeter, StealthWatch proves a formidable opponent to zero-day worms, policy-related incidents, and other network anomalies that jeopardize network availability and data integrity.
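To make the table's contrast concrete, the following added example (not Lancope or StealthWatch code) shows the kind of analysis an NBA system runs over exported flow records rather than packet payloads: a top-talkers report, a behavioral rule that flags a host sweeping many destinations on one port with tiny flows (the trace a scanning worm leaves in NetFlow, caught without any signature), and an audit-trail query over the archived flows. The record layout, the thresholds and the sample flows are all constructed assumptions; a real collector would decode NetFlow or sFlow from the routers and switches.

```python
"""Flow-based network behavior analysis over constructed NetFlow-style records.

Added example, not Lancope/StealthWatch code. The Flow layout, the
thresholds and the sample flows are assumptions constructed for
illustration; a real collector would parse NetFlow v5/v9 or sFlow exports.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


# Constructed sample flows: normal web/mail traffic from two hosts, plus
# one host (10.0.0.7) sweeping TCP/445 across 40 destinations with
# single-packet flows, the pattern a scanning worm leaves in flow data.
FLOWS = [
    Flow(1000, "10.0.0.5", "203.0.113.10", 443, "tcp", 40, 52000),
    Flow(1001, "10.0.0.5", "203.0.113.10", 443, "tcp", 35, 48000),
    Flow(1002, "10.0.0.6", "198.51.100.25", 25, "tcp", 12, 9000),
    Flow(1003, "10.0.0.6", "203.0.113.10", 443, "tcp", 20, 30000),
] + [
    Flow(1010 + i, "10.0.0.7", f"10.0.1.{i}", 445, "tcp", 1, 60)
    for i in range(1, 41)
]


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first (a 'top talkers' report)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.octets
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def scan_suspects(flows, min_targets=20, max_octets_per_flow=100):
    """Sources contacting many distinct hosts on one port with tiny flows.

    A behavioral rule, not a signature: it needs no knowledge of the worm's
    payload, only of what a normal host does not do. Thresholds are assumed.
    Returns {src: (dport, number_of_distinct_destinations)}.
    """
    targets = defaultdict(set)   # (src, dport) -> set of destination hosts
    for f in flows:
        if f.octets <= max_octets_per_flow:
            targets[(f.src, f.dport)].add(f.dst)
    return {
        src: (dport, len(dsts))
        for (src, dport), dsts in targets.items()
        if len(dsts) >= min_targets
    }


def audit_trail(flows, host, start, end):
    """Who talked to or from `host` between start and end (inclusive).

    This is the forensic question an inline IPS cannot answer after the
    fact, because it archives no record of IP communications.
    """
    return sorted(
        {(f.src, f.dst, f.dport) for f in flows
         if start <= f.ts <= end and host in (f.src, f.dst)}
    )


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOWS))
    print("scan suspects:", scan_suspects(FLOWS))
    print("audit 10.0.1.3:", audit_trail(FLOWS, "10.0.1.3", 1000, 1100))
```

Note what the scan rule does not look at: the packet contents. The 40 single-packet flows to port 445 are suspicious because of their shape and fan-out, so the same rule would flag an unknown worm as readily as a known one, which is the point of the "no signature updates required" claim above. In practice the thresholds would be tuned per segment so that legitimate fan-out (a monitoring server polling every host, for example) is whitelisted rather than alerted on.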
To learn more about where inline IPS and IDS leave off, and where network behavior analysis and response technologies pick up, visit Lancope's Download Center to read the white paper "Enterprise Network Security Does Not End with IPS" and learn why IPS technologies are insufficient for securing the internal network.

