Flow-based IDS/IPS for the Internal Network
While many organizations rely on IDS/IPS technologies to detect and block attacks, it is important to note that these systems can only go so far in protecting enterprise networks. First, they are designed to be deployed at the perimeter of the network, and become cost-prohibitive and complex when deployed internally. Unfortunately, amid today's threat landscape, perimeter security is no longer enough, as many attacks either bypass the perimeter or originate from within. Flow collection and analysis technologies like Lancope's StealthWatch provide visibility across the entire network, both internal and external, eliminating the dangerous blind spots left by IDS/IPS and other perimeter-based technologies.
Second, IDS/IPS systems rely on canned signatures to detect attacks, so APTs and other zero-day attacks for which no signatures exist can often enter the network undetected. By monitoring for anomalous behaviors rather than specific, known attack patterns, StealthWatch provides better protection even in areas of the network already covered by IDS/IPS. StealthWatch also goes beyond the capabilities of IDS/IPS to support network performance, compliance initiatives and forensic investigations.
Security administrators should consider augmenting IDS/IPS deployments with a “defense in depth” model that involves the use of flow-based anomaly detection and network performance monitoring to harness the power of flow data.
| Classic IDS/IPS technology | Flow-based Monitoring with StealthWatch |
| --- | --- |
| Database signatures detect known attacks | Real-time monitoring of host behaviors and traffic analysis to identify threats |
| Per-packet, inline blocking of attacks | Mitigation via network infrastructure or integration with inline devices |
| Cost prohibitive at speeds above 1G | Unlimited monitoring of high speed networks at no extra cost |
| Minimal forensics value | Archived audit trail of network IP communications |
| Little to no network performance tools for identifying DoS, worm outbreaks | Extensive network performance reports including top talkers, interface utilization, exporter tracking, etc. |
| No identity integration | User-identity aware |
| Limited visibility per direct network connection | End-to-end network visibility, combining internal and external monitoring |
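To make the "behavior rather than signature" distinction concrete, the following added example (not code from Lancope or StealthWatch, and not a description of how that product works internally) runs two of the table's ideas over constructed NetFlow-style records: a top-talkers report by bytes sent, and a simple fan-out baseline check that flags a host whose number of distinct destination host/port pairs in the current window jumps well above what it did in a baseline window, the kind of behavior shift a worm outbreak or internal scan produces and that no per-attack signature is needed to notice. The CSV layout, the `factor`/`floor` thresholds and all IP addresses are assumptions chosen for illustration.

```python
"""Flow-based anomaly detection over NetFlow-style records (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,dport,proto,bytes' lines; '#' lines and blanks are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, dport, proto, nbytes = (f.strip() for f in line.split(","))
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows


def top_talkers(flows: list[Flow], n: int = 3) -> list[tuple[str, int]]:
    """Sources ranked by total bytes sent (a basic network-performance report)."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def fanout(flows: list[Flow]) -> dict[str, int]:
    """Distinct (destination host, destination port) pairs contacted per source."""
    peers: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
    return {src: len(p) for src, p in peers.items()}


def detect_fanout_anomalies(baseline: list[Flow], current: list[Flow],
                            factor: float = 3.0, floor: int = 5):
    """Flag hosts whose fan-out in the current window exceeds
    max(floor, factor * baseline fan-out). Hosts absent from the baseline
    are judged against the floor alone. Returns (host, observed, threshold)."""
    base = fanout(baseline)
    alerts = []
    for host, count in fanout(current).items():
        threshold = max(floor, factor * base.get(host, 0))
        if count > threshold:
            alerts.append((host, count, threshold))
    return sorted(alerts)


# Constructed sample records (assumed format: src,dst,dport,proto,bytes); not real traffic.
BASELINE = """
# quiet period used to learn normal fan-out per host
10.1.1.5,10.1.2.10,443,tcp,52000
10.1.1.5,10.1.2.11,445,tcp,8100
10.1.1.5,10.1.2.10,80,tcp,1400
10.1.1.6,10.1.2.20,443,tcp,30000
"""

CURRENT_WINDOW = """
10.1.1.5,10.1.2.10,443,tcp,61000
10.1.1.5,10.1.2.11,445,tcp,7900
10.1.1.6,10.1.2.20,445,tcp,600
10.1.1.6,10.1.2.21,445,tcp,600
10.1.1.6,10.1.2.22,445,tcp,600
10.1.1.6,10.1.2.23,445,tcp,600
10.1.1.6,10.1.2.24,445,tcp,600
10.1.1.6,10.1.2.25,445,tcp,600
10.1.1.6,10.1.2.26,445,tcp,600
10.1.1.6,10.1.2.27,445,tcp,600
10.1.1.9,10.1.2.30,443,tcp,120000
10.1.1.9,10.1.2.31,443,tcp,5000
"""

if __name__ == "__main__":
    base, cur = parse_flows(BASELINE), parse_flows(CURRENT_WINDOW)
    for host, seen, limit in detect_fanout_anomalies(base, cur):
        print(f"ALERT {host}: {seen} distinct peers (threshold {limit})")
    for host, total in top_talkers(cur, 2):
        print(f"top talker {host}: {total} bytes")
```

Note that 10.1.1.9 is the largest talker by volume yet raises no alert, while 10.1.1.6 sends very little but fans out to eight SMB peers after a baseline of one: volume and behavior are different signals, and the audit trail of flows is what lets an analyst answer which hosts 10.1.1.6 reached afterwards.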