IDS/IPS Considerations

Network security is an important consideration when working with enterprise security. Using an intrusion detection system (IDS) or an intrusion prevention system (IPS) can aid in detecting and blocking network attacks. A typical installation of an IDS/IPS system should include sensors to collect information, a management server, and a management console that can be used to view information (Longe Olumide, Lawal, & Ibitola, 2014). The placement of the sensors is a critical design step that needs upfront thought and consideration. The first thing to consider with sensor placement is to determine what the overall goal is for the IDS/IPS system (Longe Olumide et al., 2014).

In a traditional network environment, an IDS or IPS would be placed in-line with all egress points to the Internet (Longe Olumide et al., 2014). Besides connections to the Internet, direct links to partner organizations should also have an IDS/IPS sensor to monitor inbound and outbound traffic (Longe Olumide et al., 2014). Another consideration is remote employees who may connect into the enterprise from an unknown network. The point at which remote employees enter the network should be treated as an unknown source, and the traffic should be monitored with an IDS/IPS sensor.

Moving beyond brick-and-mortar networks, many organizations now host systems within cloud environments (Sakr, Tawfeeq, & El-Sisi, 2019). Although there are multiple ways to deploy an IDS/IPS system within a cloud environment, one common technique is to use a host-based IDS/IPS sensor (Sakr et al., 2019). Along with placing an IDS/IPS sensor at the connection to the Internet, a host-based sensor can help monitor traffic between each host. Much like a traditional network, it is important to monitor traffic in and out of sensitive systems. A cloud environment is commonly used for sensitive systems only, so having a sensor on each host would not be considered excessive.

Regardless of whether the environment is a traditional layout or cloud-based, it is essential to determine what technique will be used to detect attacks. Most IDS/IPS systems use signature-based or anomaly-based technologies to determine when an attack is taking place (Sakr et al., 2019). It is difficult to say whether signature-based or anomaly-based systems are more effective at detecting attacks, which is why it is common to utilize both techniques in a hybrid approach (Sakr et al., 2019).
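To make the signature-versus-anomaly distinction concrete, the following is an added example (not code from the essay or from the cited papers) of a toy hybrid detector run over a constructed set of flow records. The flow tuples, the two signature patterns, and the per-source baseline counts are all assumptions made up for the illustration; the point is that each method misses what the other catches, which is the argument for combining them.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample flow records (not taken from the original essay). Each tuple is
# (src_ip, dst_ip, dst_port, payload_snippet) as a sensor might summarise a connection.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 443, "GET /index.html"),
    ("10.0.0.5", "10.0.1.10", 443, "GET /about.html"),
    ("10.0.0.7", "10.0.1.10", 443, "GET /login?user=alice"),
    # A single request carrying a classic SQL injection string: one flow, so it is
    # invisible to a rate-based anomaly check but matches a signature.
    ("10.0.0.7", "10.0.1.10", 443, "GET /search?q=' UNION SELECT password FROM users--"),
    ("10.0.0.9", "10.0.1.20", 22, ""),
] + [
    # A burst of 60 benign-looking requests from one host: no signature fires,
    # but the connection count is far above the learned baseline.
    ("10.0.0.42", "10.0.1.10", 443, f"GET /page{i}") for i in range(60)
]

# Constructed "normal" per-source connection counts from earlier windows (assumed training data).
BASELINE_COUNTS = [3, 4, 5, 2, 6, 4, 3, 5]

# Hypothetical signature set: name -> pattern to look for in the payload summary.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(flows):
    """Signature-based detection: flag every flow whose payload matches a known pattern."""
    alerts = []
    for src, dst, port, payload in flows:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(payload):
                alerts.append({"method": "signature", "rule": rule, "src": src, "dst": dst, "port": port})
    return alerts


def anomaly_alerts(flows, baseline_counts, z_threshold=3.0):
    """Anomaly-based detection: flag sources whose connection count in this window
    sits more than z_threshold standard deviations above the learned baseline."""
    mu = mean(baseline_counts)
    sigma = pstdev(baseline_counts) or 1.0  # flat baseline: avoid dividing by zero
    counts = Counter(src for src, _, _, _ in flows)
    alerts = []
    for src, n in counts.items():
        z = (n - mu) / sigma
        if z > z_threshold:
            alerts.append({"method": "anomaly", "src": src, "count": n, "z": round(z, 2)})
    return alerts


def hybrid_alerts(flows, baseline_counts):
    """Hybrid approach: union of both detectors, so each covers the other's blind spot."""
    return signature_alerts(flows) + anomaly_alerts(flows, baseline_counts)


if __name__ == "__main__":
    for alert in hybrid_alerts(SAMPLE_FLOWS, BASELINE_COUNTS):
        print(alert)
```

Run stand-alone, the signature detector reports only the injection attempt from 10.0.0.7 and the anomaly detector reports only the burst from 10.0.0.42; the hybrid output contains both. In a real deployment the baseline would be learned per sensor placement (Internet edge, partner link, remote-access concentrator, or host), since what counts as a normal rate differs at each of those points.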

It is difficult to give a generic answer to how an IDS/IPS system should be set up in an organization without first understanding where the sensitive information is stored (Longe Olumide et al., 2014). It is safe to state that an IDS/IPS sensor should be placed on the Internet connection, on connections to partners, and on the access point used by remote workers. It is also important to consider an IDS/IPS system for cloud-based environments as well as for the traditional networks within your organization.

References

Longe Olumide, B., Lawal, B., & Ibitola, A. (2014). Strategic Sensor Placement for Intrusion Detection in Network-Based IDS. International Journal of Intelligent Systems and Applications, 6(2), 61-68. doi:10.5815/ijisa.2014.02.08

Sakr, M. M., Tawfeeq, M. A., & El-Sisi, A. B. (2019). Network Intrusion Detection System based PSO-SVM for Cloud Computing. International Journal of Computer Network and Information Security, 10(3), 22. doi:10.5815/ijcnis.2019.03.04