Network intrusion detection and prevention systems guide

As network attacks evolve, so must network intrusion detection and prevention systems. Today a network IPS must add anomaly detection and application awareness to the signature matching it has always done.

Over the years, network intrusion detection and prevention systems have evolved to handle varying types of threats. These days, network managers expect network intrusion detection systems (IDS) and network intrusion prevention systems (IPS) to detect Web application attacks and to include anomaly detection, in addition to handling older threats that haven't disappeared. In this guide, read a series of articles that will help you understand how different network intrusion detection and prevention systems work, and how they should be integrated to achieve complete protection.


One of the most difficult factors in choosing a network intrusion detection and prevention system is simply understanding when you need one and what functions it can address. With all the options on the market for firewalls, application firewalls, unified threat management devices and intrusion prevention or detection, it's hard to pick apart the features and get a handle on which devices are the most appropriate for specific functions.

You may also be wondering whether you can replace an IDS with an IPS. Some organizations implement an intrusion prevention system and discover that they are able to retire their legacy intrusion detection systems. But will that work for you?

Read this tip on IDS vs. IPS to learn the types of basic features and protections IDS or IPS systems offer, the difference between IDS and IPS in practical application and a few popular use cases for the technologies. 

To learn more about basic intrusion prevention, read this case study about how relocation service provider Sirva achieved zero-day protection at the network perimeter with a NAC-based intrusion prevention system.

Preventing application threats with network intrusion prevention systems

Applications are increasingly becoming the entry path for serious threats. E-commerce applications, for example, access internal databases with valuable information, so they are highly targeted. Unfortunately, traditional network intrusion detection and prevention systems inspect packets and sessions, not application semantics, so they were not designed to protect organizations from application-layer threats.

Vendors have responded by building application-specific intrusion detection and prevention systems. Web application firewalls, for example, combine signature-based detection, which matches known attack patterns such as SQL injection or cross-site scripting strings, with anomaly-based detection, which flags requests that deviate from a learned profile of normal parameters and values. This new breed of intrusion prevention system should complement your traditional systems. In this tip, learn how application-specific network intrusion detection systems prevent attacks via Web applications, email and VoIP. Also learn how these systems can be integrated with existing technology.
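The two-engine approach described above, as an added example that is not part of the original guide or any vendor's product: a small Python inspector that runs a constructed signature list and a constructed per-parameter anomaly profile over sample request URLs. The signatures, the training URLs and the scoring weights are all assumptions made for illustration; the point is that a known pattern trips a signature while a request with no matching signature is still caught because its length and character classes do not fit what the parameter normally carries.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed, deliberately small signature set (an assumption, not a vendor rule set).
SIGNATURES = [
    ("sqli-union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]

def split_request(url):
    """Return the path and the decoded (name, value) parameters of a request URL."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def signature_hits(path, params):
    """Known-bad patterns checked against the path and every decoded parameter value."""
    haystacks = [path] + [v for _, v in params]
    return sorted({name for name, rx in SIGNATURES for h in haystacks if rx.search(h)})

def char_class(ch):
    # Letters, digits and whitespace are pooled; each punctuation char is its own class.
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return ch

def learn_profile(training_urls):
    """Per (path, parameter): longest benign value and the character classes seen in it."""
    prof = {}
    for url in training_urls:
        path, params = split_request(url)
        for name, value in params:
            p = prof.setdefault((path, name), {"max_len": 0, "classes": set()})
            p["max_len"] = max(p["max_len"], len(value))
            p["classes"].update(char_class(c) for c in value)
    return prof

def anomaly_score(path, params, prof):
    """Higher is stranger: unseen parameters, over-long values and never-seen character classes."""
    score = 0.0
    for name, value in params:
        p = prof.get((path, name))
        if p is None:
            score += 1.0  # parameter never seen on this path
            continue
        if len(value) > p["max_len"]:
            score += (len(value) - p["max_len"]) / max(p["max_len"], 1)
        novel = sum(1 for c in value if char_class(c) not in p["classes"])
        score += 2.0 * novel / max(len(value), 1)
    return score

def inspect(url, prof, threshold=1.5):
    """Block on any signature hit OR on an anomaly score at or above the (assumed) threshold."""
    path, params = split_request(url)
    sigs = signature_hits(path, params)
    score = anomaly_score(path, params, prof)
    verdict = "block" if sigs or score >= threshold else "allow"
    return {"verdict": verdict, "signatures": sigs, "anomaly": round(score, 2)}

# Constructed benign traffic used to learn the profile.
TRAINING = [
    "/search?q=shoes",
    "/search?q=running+shoes",
    "/item?id=1042",
    "/item?id=77",
]

if __name__ == "__main__":
    profile = learn_profile(TRAINING)
    for u in [
        "/search?q=boots",                               # benign, fits the profile
        "/item?id=1042%27%20or%20%271%27%3D%271",        # known SQLi pattern: signature fires
        "/item?id=1042%3Bcat%20%2Fetc%2Fpasswd",         # no signature, but wrong shape for id
    ]:
        print(u, inspect(u, profile))
```

With only four benign requests the profile is crude; in practice the learning window must cover every legitimate form a parameter takes, which is why the anomaly threshold, not the signature list, is what generates most of the tuning work once such a system is in production.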

Installing, configuring and tuning network intrusion prevention

Installing and configuring anomaly-based intrusion prevention devices requires more effort than signature-based devices. Anomaly-based devices aim to detect and prevent zero-day threats by flagging network activity that is out of the ordinary, so configuring a system to recognize unexpected activity requires a baseline of the activity that is expected. Monitoring the network for a few hours is not sufficient to build that baseline: traffic that is normal at 2 a.m. (a nightly backup, for instance) would look like an outlier against a daytime profile, and end-of-month batch jobs would look like an outlier against a mid-month one. To avoid such false positives, the baseline must capture how activity changes over the course of the day, the week and the month. Read this article on anomaly-based intrusion prevention installation and configuration to learn how to install and configure an IPS.
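Why the learning period matters, as an added example that is not part of the original guide or of any IPS product: a Python sketch that builds a volume baseline two ways from a constructed week of hourly byte counts, once as a single global mean and standard deviation, and once keyed on hour of day. A routine 2 a.m. backup is a false positive against the naive baseline and normal against the hourly one, while a genuine daytime outlier is caught by both. The traffic figures, the z-score threshold and the bucketing are assumptions chosen for illustration; a real deployment would also key on weekday and day of month.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed training data: one week of hourly outbound volume (MB) from a
# hypothetical sensor. Office hours run ~50-65 MB/h, overnight ~5 MB/h, and a
# nightly backup at 02:00 pushes 400-440 MB/h. Values are made up for illustration.
def make_training_data(start=datetime(2024, 1, 1)):
    rows = []
    for day in range(7):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            if hour == 2:
                mb = 400 + 20 * (day % 3)          # nightly backup window
            elif 8 <= hour < 18:
                mb = 50 + 5 * ((day + hour) % 4)   # business hours
            else:
                mb = 5 + (day % 2)                 # overnight idle
            rows.append((ts, mb))
    return rows

# Two bucketing strategies: one global bucket (naive baseline) and one bucket
# per hour of day. Production systems also key on weekday and day of month.
def global_bucket(ts):
    return "all"

def hour_bucket(ts):
    return ts.hour

def build_baseline(rows, bucket):
    """Per-bucket mean and standard deviation of the observed counts."""
    groups = defaultdict(list)
    for ts, mb in rows:
        groups[bucket(ts)].append(mb)
    baseline = {}
    for key, vals in groups.items():
        mean = statistics.fmean(vals)
        sd = max(statistics.pstdev(vals), 1.0)   # floor keeps the z-score defined
        baseline[key] = (mean, sd)
    return baseline

def zscore(ts, mb, baseline, bucket):
    mean, sd = baseline[bucket(ts)]
    return (mb - mean) / sd

def is_anomalous(ts, mb, baseline, bucket, z_threshold=3.0):
    """z_threshold is the main tuning knob: lower it to catch more, raise it to quiet false positives."""
    return zscore(ts, mb, baseline, bucket) > z_threshold

def run_demo():
    """Score three probes on the day after the training week against both baselines."""
    rows = make_training_data()
    naive = build_baseline(rows, global_bucket)
    hourly = build_baseline(rows, hour_bucket)
    probe_day = datetime(2024, 1, 8)
    probes = {
        "backup_0200": (probe_day.replace(hour=2), 410),    # routine backup
        "office_1400": (probe_day.replace(hour=14), 58),    # routine daytime
        "exfil_1400": (probe_day.replace(hour=14), 2000),   # genuine outlier
    }
    return {
        name: {
            "naive": is_anomalous(ts, mb, naive, global_bucket),
            "hourly": is_anomalous(ts, mb, hourly, hour_bucket),
        }
        for name, (ts, mb) in probes.items()
    }

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:12s} naive={verdict['naive']!s:5s} hourly={verdict['hourly']}")
```

The backup window is exactly the kind of legitimate-but-unusual activity that a short learning period misses: with only daytime traffic in the baseline, the first night in production produces an alert, and an inline IPS would drop the backup traffic.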

Unlike a firewall, whose rules behave the same way from the day they are written, an IDS/IPS keeps making judgment calls about traffic after it is installed and configured, so it requires ongoing maintenance and tuning. Intrusion detection and prevention systems match patterns and score deviations rather than enforce fixed rules, and tuning is necessary to reduce both false positives (alerts on benign traffic, which in an inline IPS means blocked legitimate traffic) and false negatives (attacks that are missed). Listen to this podcast to learn the top five ways to tune an IDS/IPS to meet business needs.

Consolidating your infrastructure

Even as organizations consider when and how to integrate multiple protection systems, they are pressured to reduce data center management overhead and power consumption. If this sounds familiar, you may want to consider a strategy for consolidating your network security infrastructure. Vendors are adjusting their offerings accordingly with choices that range from multivendor software on an open chassis to integrated security on network infrastructure components. These options can reduce management and power consumption by lowering the number of physical security boxes you need to deploy in your data centers. Read this article to learn how network security hardware and software vendors are consolidating their technologies and how to create a consolidation strategy that works for your infrastructure.
