An Intrusion Detection System (IDS for short) is a device or software solution that monitors a network or hosts for malicious activity or policy violations. An IDS is a passive device: it watches a copy of the packets traversing the network, compares them against signature patterns, and raises an alarm when it detects suspicious activity. An IDS is usually deployed behind the firewall in non-inline mode, connected to a switch mirror (SPAN) port or to a network TAP, so that the switch (or the TAP) sends the IDS a copy of the traffic without the IDS sitting in the forwarding path.
An IDS is commonly compared with another security solution called an IPS. IPS stands for Intrusion Prevention System; in contrast to an IDS, it sits inline and blocks or otherwise remediates flows carrying malicious traffic.
Related – What is IPS Security?
Many IDS products can also work as an IPS. Customers can use this dual functionality by deploying the system in two phases. In the first phase, when the network, security and application stack is newly set up, the IDS feature is used to see how the system behaves: it only generates alerts and blocks nothing, so false positives can be identified and the rule set tuned while traffic is never disrupted. Once the initial phase has settled, the fine-tuned IPS policy is turned on in the second phase and the system is deployed inline to provide full protection from attacks. Going inline also makes the sensor a point of failure on the path, so its bypass behaviour (fail-open or fail-closed) should be decided before the second phase.
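The signature matching described at the top of the article and the two-phase IDS-then-IPS rollout described just above, as an added worked example that is not code from the article or from any IDS product. It is a toy engine in which each packet is a plain record instead of a frame read from a SPAN/TAP interface; the rule set, the SIDs and the sample packets are all constructed for this example. In phase 1 the engine runs passively over baseline traffic that is expected to be clean, so every alert is treated as a false positive and the offending signature is disabled (a simplification: in practice an analyst reviews and rewrites such rules). In phase 2 the tuned rule set goes inline and drops matches.

```python
"""Toy signature engine with an IDS (passive) mode and an IPS (inline) mode.
Added illustration for this article, not code from any IDS product."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:                  # stand-in for a frame copied from a SPAN port or TAP
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str                 # "tcp", "udp" or "any"
    dport: Optional[int]       # None matches any destination port
    pattern: bytes             # regular expression applied to the payload
    enabled: bool = True


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    src: str
    dst: str
    action: str                # "alert" in IDS mode, "drop" in IPS mode


class Engine:
    """mode="ids": watches mirrored traffic, alerts only, never drops.
    mode="ips": sits inline and drops the first packet that matches."""

    def __init__(self, signatures: List[Signature], mode: str = "ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.signatures = list(signatures)
        self.mode = mode
        self.alerts: List[Alert] = []

    @staticmethod
    def _matches(sig: Signature, pkt: Packet) -> bool:
        if not sig.enabled:
            return False
        if sig.proto != "any" and sig.proto != pkt.proto:
            return False
        if sig.dport is not None and sig.dport != pkt.dport:
            return False
        return re.search(sig.pattern, pkt.payload) is not None

    def process(self, pkt: Packet) -> str:
        """Return the verdict for one packet: "forward" or "drop"."""
        for sig in self.signatures:
            if self._matches(sig, pkt):
                action = "drop" if self.mode == "ips" else "alert"
                self.alerts.append(Alert(sig.sid, sig.msg, pkt.src, pkt.dst, action))
                if action == "drop":
                    return "drop"
        return "forward"        # IDS mode always ends up here


# Hypothetical rule set: SIDs, messages and patterns are made up for this example.
SIGNATURES = [
    Signature(1000001, "HTTP path traversal (../) in request line", "tcp", 80, rb"GET [^\r\n]*\.\./"),
    Signature(1000002, "SQL tautology in HTTP request", "tcp", 80, rb"(?i)'\s*or\s*'?1'?\s*=\s*'?1"),
    Signature(1000003, "Any DNS query (deliberately over-broad)", "udp", 53, rb"."),
]

# Constructed sample packets, not captured traffic.
BASELINE = [  # traffic seen during phase 1, expected to be clean
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.53", "udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    Packet("10.0.0.6", "192.0.2.53", "udp", 53, b"\x56\x78\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]
ATTACKS = [
    Packet("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.9", "192.0.2.10", "tcp", 80, b"GET /login?user=admin' OR '1'='1 HTTP/1.1\r\n\r\n"),
]


def phase1_baseline(signatures: List[Signature],
                    traffic: List[Packet]) -> Tuple[List[Signature], Dict[int, int]]:
    """Phase 1: passive run on clean baseline traffic. Any signature that fires
    is a false positive here and is disabled before the rule set goes inline."""
    ids = Engine(signatures, mode="ids")
    for pkt in traffic:
        ids.process(pkt)               # always "forward" in IDS mode
    counts: Dict[int, int] = {}
    for a in ids.alerts:
        counts[a.sid] = counts.get(a.sid, 0) + 1
    tuned = [Signature(s.sid, s.msg, s.proto, s.dport, s.pattern, enabled=s.sid not in counts)
             for s in signatures]
    return tuned, counts


def phase2_inline(tuned: List[Signature], traffic: List[Packet]) -> Tuple[List[str], List[Alert]]:
    """Phase 2: the tuned rule set runs inline (IPS mode) and drops matches."""
    ips = Engine(tuned, mode="ips")
    verdicts = [ips.process(pkt) for pkt in traffic]
    return verdicts, ips.alerts


if __name__ == "__main__":
    tuned_rules, noise = phase1_baseline(SIGNATURES, BASELINE)
    print("phase 1 false positives per SID:", noise)
    verdicts, alerts = phase2_inline(tuned_rules, BASELINE + ATTACKS)
    for pkt, verdict in zip(BASELINE + ATTACKS, verdicts):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} {verdict}")
```

Running the script shows the over-broad DNS rule firing twice on the baseline and being disabled, after which the inline pass forwards all baseline packets and drops only the two attack requests. The same engine in "ids" mode over the same attack traffic forwards every packet and merely records alerts, which is exactly the difference between the two deployment modes the article describes.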
The illustration below depicts one of the most common scenarios, in which the IDS is deployed in non-inline mode and the switch shares traffic with it using port mirroring (a SPAN port). In some cases a passive device called a network TAP is deployed instead, when a switch is not used to send traffic to the IDS –
The three key objectives of an IDS are shared below –
Security Automation – With an IDS (or IPS) in place, attacks against the network are detected automatically rather than by manual inspection. Network and security admins gain assurance because the IDS captures the traffic and raises the required alert in the event of an attack (an IDS only alerts; blocking is the job of an IPS). Note that an IDS only detects what its signatures describe, so the rule set has to be kept current.
Security Compliance – The IDS helps maintain the security posture of the IT infrastructure and provides valuable audit information (alert logs and captured events) used in compliance investigations.
Policy enforcement – Organizational security policies can be implemented as IDS rules, and corrective action can be taken when a non-compliant traffic flow is observed. With the IDS informing the responsible team about a breach of the laid-down policies, a corrective step can be taken and organizational policies strictly adhered to.
Related – IDS vs IPS vs Firewall