Internal IDS/IPS

Flow-based IDS/IPS for the Internal Network

While many organizations rely on IDS/IPS technologies to detect and block attacks, it is important to note that these systems can only go so far in protecting enterprise networks. First off, they are designed to be deployed at the perimeter of the network, and are cost-prohibitive and complex when it comes to internal deployments. Unfortunately, amidst today’s threat landscape, perimeter security is no longer enough, as many attacks are either bypassing the perimeter or surfacing from within. Flow collection and analysis technologies like Lancope's StealthWatch provide visibility across the entirety of the network, both internal and external, eliminating dangerous network blind spots left by IDS/IPS and other perimeter-based technologies.

Secondly, IDS/IPS systems rely on canned signatures to detect attacks, often allowing APTs and other zero-day attacks for which no signatures exist to invade the network. Monitoring for anomalous behaviors rather than specific types of attacks, StealthWatch provides better protection even in areas of the network already covered by IDS/IPS. StealthWatch also goes above and beyond the capabilities of IDS/IPS to support network performance, compliance initiatives and forensic investigations.

Security administrators should consider augmenting IDS/IPS deployments with a “defense in depth” model that involves the use of flow-based anomaly detection and network performance monitoring to harness the power of flow data.

Classic IDS/IPS technology Flow-based Monitoring withStealthWatch
Database signatures detect known attacks Real-time monitoring of host behaviors and traffic analysis to identify threats
Per-packet, inline blocking of attacks Mitigation via network infrastructure or integration with inline devices
Cost prohibitive at speeds above 1G Unlimited monitoring of high speed networks at no extra cost
Minimal forensics value Archived audit trail of network IP communications
Little to no network performance tools for identifying DoS, worm outbreaks Extensive network performance reports including top talkers, interface utilization, exporter tracking, etc.
No identity integration User-identity aware
Limited visibility per direct network connection End-to-end network visibility, combining internal and external monitoring



Customer Evidence verified by TechValidate.