Neither is a single solution.

Many mentioned that the IDS market is being taken over by the IPS market. It’s interesting that even the government doesn’t consider them two different solutions! For those who don’t already know this, NIST publishes some great white papers (or, in NIST vocabulary, Special Publications). In researching IDSs, I came across NIST’s Special Publication SP800-94. This document is pretty concise. It touches on almost every topic you need to know about when setting up an IDPS solution.

There are many products out there that do not advertise themselves as IDPS solutions. Many firewalls, such as the SonicWall line, perform IDPS. They will alert you to all sorts of attacks. You are protected from the following: simple port scans, SYN floods (in “watch mode” vs. “intercept mode”), ping of death, IP spoofing, Land attack, Smurf amplification, sequence number prediction, Back Orifice attacks, and FTP bounce attacks. While that list is not exhaustive by any means… the product isn’t necessarily billed as an IDPS. Next, NAC devices… One must realize the whole point of IDS is to prevent attacks before they happen, thus protecting your data. To that end… one may want to consolidate host intrusion prevention, antivirus protection, endpoint accessibility, vulnerability assessment, and standards compliance (HIPAA, SOX, PCI, etc.) into one box. The nice thing about these solutions is that they offer reporting on all of the above… what good is the data when no one looks at it?

So let’s take a look at something I’ve been using for a while…

Sophos (a major player in the antivirus field) has expanded its security and data protection products over the past few years. The Enterprise solution is modular in that you can purchase the “protection” you need now and expand when funds permit. Sophos offers Endpoint Security and Data Protection. This is their basic offering; it gets your foot in the door, so to speak. It comes with solutions for anti-virus protection, encryption, and NAC technologies. This basic package can be enhanced with SafeGuard and NAC Advanced. SafeGuard Enterprise monitors your network and, through the use of policies, can protect/secure USB ports, PCMCIA slots, Wi-Fi and Bluetooth interfaces, PDAs, and laptops, as well as a plethora of external storage devices. NAC Advanced provides protection against foreign devices that do not meet current security policies trying to attach to your network. It offers end-user ACLs ensuring that only those users who need access to protected data have it. Lastly, as part of Sophos’ offering, they provide a host-based IPS that is fully integrated into their solution. One nice thing about the product is that it offers support for multiple platforms!