Skip Links

Network World

Brad Reese

Intrusion detection systems vs. network behavior analysis: Which do you need?

By Brad Reese on Wed, 09/10/08 - 12:14am.
Newsletter Signup

Welcome to the first in a three-part series on network behavior analysis through the eyes of Plixer International. The second part in the series focused on NetFlow analytics vs. network behavior analysis, while the third focused on network behavior analysis and DoS attacks.

Marc BilodeauMore and more vendors are touting the "security features" of their products with such acronyms as IDS, NBA, IPS, firewalls and a slew of others.

Thoroughly confused, yours truly asked Plixer Cofounder and CTO Marc Bilodeau the following six questions in order to better understand the differences between IDS and NBA systems, as well as a few others:

1. What is an Intrusion Detection System (aka IDS)?

"An intrusion detection system generally sits on the internet connection and snoops on packets. It is used to detect malicious behaviors that try to sneak onto the network and compromise the security and trust of a computer system. This includes network attacks on vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses and worms). Once in, the virus or infection can hang out for weeks before it strikes out on its evil mission."

-----------------------------------

2. Won’t regular signature updates to the IDS help keep the threat database up to date?

"Yes signature updates are helpful, but because crackers are constantly evolving their nasties to get past the latest security shields, the company is never completely immune. I like to compare 'signature updates' to a routine flu shot injected into the human body every year to protect it against the most threatening viruses. However, it never blocks all flu viruses."

-----------------------------------

3. What is Network Behavior Analysis?

"Network behavior analysis is the ability to identify traffic patterns that are not considered normal in the day to day traffic of the network. Simply put, this is the industry's attempt to identify irregularities in the network beyond simple threshold settings for excessive traffic. One of the most watched for network security breaches is an abnormal traffic pattern known as a Distributed Denial of Service attack (DDoS). It is a significant security threat to internet service providers and large network infrastructures."

-----------------------------------

4. What about Intrusion Prevention Systems (aka IPS), how is it different from the IDS or NBA?

"Intrusion prevention systems generally work in conjunction with IDS and NBA systems. When an attack is detected by the IDS or NBA, the IPS can drop the offending packets while still allowing all other traffic to pass. I like to compare IPS technology to taking Tylenol to help my body operate while it fights the symptoms of the flu. This is ideally done at the switch which can also perform NBA."

Bilodeau notes that Cisco and HP support NetFlow and sFlow respectively, but they perform NBA at the switch without sFlow or NetFlow.

-----------------------------------

5. How can a system with Network Behavior Analysis (aka NBA) abilities help a company with both IDS an IPS already in place?

"In my opinion, an NBA system can be considered a bit less proactive than an IDS and generally focuses on internal traffic. It can sit on a connection and snoop packets like an IDS or it can leverage NetFlow. I say less proactive because an NBA tries to recognize problems that are already underway (e.g. Network scans or DDOS attacks that are being carried out). It tries to catch threats missed by the IDS or antivirus software. An NBA appliance addresses anomalies in network traffic that deviate from standard behavior patterns. Because the NBA system focuses on behavior or symptoms, updates to the analysis engine are made less frequently than that of an IDS. In keeping with my flu example, the flu shot (i.e. IDS) didn’t work. You are sick and the body (i.e. NBA) recognizes a stuffy nose, sinus pressure and a host of other ailments."

-----------------------------------

6. So which do you need: IDS or NBA?

"Well, if you have an IDS, and want to know if an NBA should be added, I would answer with: Can the business benefit from the additional security monitoring an NBA provides? Are you worried about internal threats, most companies are?

"I want to add that at Plixer we developed an industry first technology called Flow Analytics which has many NBA capabilities, but it also provides useful enterprise wide information across hundreds of flow sending routers and switches."

It certainly appears that you need both IDS and NBA, do you agree?

Contact Brad Reese
http://www.BradReese.Com

Search 31,427 Cisco Job Openings

Post Cisco Network Engineer Jobs

View 1,595 items of Refurbished Cisco

Examine CCIE Resumes

Consider 697 Cisco Certified
Network Engineer Resumes

  
Brad's Favorite Top 5 Picks
# 1. Cisco Tools
# 2. Cisco vs. Competitor Lab Tests
# 3. Cisco Engineering Support Directory
# 4. Cisco Repair and Hardware Troubleshooting
# 5. Cisco Product Quick Reference Guides, CPQRGs
Brad Reese on Cisco Story Archives Brad Reese on Cisco Story Archives

Cisco Jobs

Cisco Resumes

2008 Cisco Salary Rates

Nine Year Worldwide CCIE Count
  

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You can use BBCode tags in the text.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Welcome, visitor. Register Log in
Advertisement:
About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished which offers one year warranties on Cisco Refurbished and Cisco Repair.

Contact Brad Reese

Archives
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
Categories
A government official in possession of a large corporate stockholding while that corporation is subject to administrative rulings by that same government official
After contacting Cisco
Agito adds that its enterprise fixed mobile convergence (eFMC) platform enables low-cost in-building voice coverage
Agito introduced Agito for BlackBerry
Agito's BlackBerry smart phone functionality for Cisco VoIP
Agito's RIM BlackBerry support announcement
Americas Vice President and General Manager of HP ProCurve - Karl Soderlund
An assortment of communications companies
Andreessen plans to watch what companies Cisco acquires
Andreessen sees as the next market transition
As a matter of Cisco policy
Back in April the CCIE Security track changed
Black Hat attack on Cisco's network admission control (NAC)
Boas also led an educational session at the Gartner Security Summit
Boas shares his insight on the most prevalent threats to the enterprise network
Bragging about Cisco's ability to catch market transitions
Brings enterprise VoIP over WiFi for dual-mode BlackBerry smartphones
But neither felt it as bad as Cisco did
Can Cisco VARs profitably match HP ProCurve pricing on a deal-by-deal basis?
Careers
Chairman and CEO of Cisco China - Jim Sherriff
Cisco
Cisco CEO John Chambers has never been shy
Cisco Chief Technology Officer Padmasree Warrior
Cisco NAC design flaws that the folks at Black Hat so alarmingly described
Cisco VARs no longer have enough margin left to profitably match HP ProCurve pricing
Cisco customer a discount
Cisco has held this share position since CY02
Cisco has produced a new CCIE count
Cisco is celebrating its 25th anniversary this year
Cisco is the revenue-leading vendor overall with 38% of total network security appliances and software in 1Q09 (down 2.8 points from 4Q08)
Cisco might do very well with the Flip
Cisco offer price-matching discounts to existing customers in order to equal ProCurve prices
Cisco only counts your CCIE number once
Cisco released its new worldwide CCIE count
Cisco's executive biographies web page
Cisco's loss of market share has in itself become the networking industry's newest market transition
Compromised the Cisco agent installed on the end system
Confirmation testimony before the U.S. Senate noteworthy
Customer-proven best practices of network access control (NAC)
Data Center
Didn’t RIM already support voice over WiFi?
Doesn’t RIM’s Ascendent acquisition give them this?
Douglas Gourlay - Vice President of Cisco Data Center Solutions
Douglas Gourlay is as sharp as a tack and one of the most impressive people I've ever had the honor of collaborating with on Cisco stories
Dual CCIE #18532 Routing and Switching/Security - George Morton
Dual-mode BlackBerry smartphones
Enables BlackBerry to be integrated into corporate PBXs and Unified Communications systems
Enterasys NAC is agent-less assessment based on a network scan
Enterasys security expert Dennis Boas
Enterasys uses multiple criteria beyond end system health assessment to assign and limit access granted to an end system
Enterprise concerns about the financial and management aspects of NAC
Enterprises that have standardized on the BlackBerry platform
Exactly what's causing everybody to quack?
Famous networking industry journalist
Flexible options with Enterasys NAC
Flip video below of Chambers' doing his quacks
Flip video of Cisco CEO John Chambers performing his duck quacks
Further details on why Cisco has lost market share in network security
Gourlay was featured just 7 days earlier in the Cisco Data Center Networks blog story
Gourlay's office is located at Cisco's nearby headquarters in San Jose
HP ProCurve continues to win business and gain market share
HP ProCurve is calling the shots now
HP ProCurve is whacking Cisco in its most vulnerable spot
HP ProCurve pricing on a deal-by-deal
HP ProCurve will take 20% off its list price
Half the smartphones in use in the US today are BlackBerry devices
Hogtied by Cisco's new committee culture
How Cisco was working overtime AGAINST the Buy America provisions of the $7.2B broadband stimulus fund
I can still see those wishing to cash out selling to Cisco
I have worked for a handful of telecommunications companies of varying sizes
I voted for President Obama seeking change
If you trade-in your Cisco equipment
Independent companies operating in Silicon Valley able to out innovate Cisco
Interesting CCIE news from around the world
Is Cisco likely to innovate? No
Its been proven that a government official can be bribed with free dinners
Jeff Wilson - network security analyst at Infonetics Research
Joel Bion - Senior Vice President of Cisco's Product Resiliency Research
Juniper and Check Point are second and third with 10.4% and 9.5% respectively
LANs / WANs
Larry Strickling is confirmed as the new Administrator of the National Telecommunications and Information Administration (NTIA)
Last month Cisco missed the multiple CCIE numbers
Made by Strickling during his March 19
Manny Rivelo - Senior Vice President of Cisco's Development Organization
May 2009 vs. June 2009 Worldwide CCIE Count Comparison
Mobile features integrated into the BlackBerry
My previous government service at the FCC provide me a unique background for the position of Assistant Secretary
My source suggested Gourlay had left Cisco
Network security vendor Enterasys
Not only among the Cisco workforce
Not too many senior executives are around from Cisco's early days
Now it appears the Internet is quacking too
Omitted the years of Cisco service for both John Morgridge and Richard Justice because they are no longer full-time Cisco executives
Only 66% of all applicants who passed were for the CCIE Router and Switch track
Only one CCIE is a member of Cisco's 59 strong senior executive team
Out innovate Cisco simply because they have no desire to be acquired
Pacific Rim CCIE numbers didn't change over the last 39 days
Pejman Roshan - Chief Marketing Officer of enterprise fixed mobile convergence (eFMC) vendor Agito Networks
Ponemon Institute reported
Post a comment to Cisco's blog that contains a link to your duck quacking video
ProCurve wants to make all Cisco customers aware of this offer
ProCurve’s momentum and market share gains
R & S + Security this year as the most popular dual CCIE track
R & S + Service Provider was 49% of the successful attempts for dual CCIE
RIM offers only data services over WiFi on their dual-mode smartphones
Responsible for Cisco's IOS Software
SMB
Security
Security mechanisms are used to validate the integrity and authenticity of the Enterasys agent for all server/agent communications
Security sales will come back for Cisco
Showed that Stickling owned a large Cisco stock position
So we had 251 new CCIEs
Subject of Cisco's senior executive team came up
The CEO of Cisco quacked
The Cisco workforce quacked
The IOS 12.4 track with ISR routers is slowing down the Security CCIE track
The National Telecommunications and Information Administration (NTIA) granted Cisco its coveted Buy American Exception
The average tenure would be of the 61 executives listed on Cisco's Mount Rushmore
The best duck call will win a new Flip Mino HD from John Chambers
The change in the CCIE Security track has had a major impact on new security CCIEs
Tremendous benefits HP ProCurve provides by offering the best value
VoIP / Convergence
We build our culture at Cisco around catching market transitions
We can confirm that Doug Gourlay is no longer with Cisco and we wish him well in his future endeavors
We're also now starting to see the CCIE Wireless track
We've experienced a new low for CCIE Security track
What exactly has Agito Networks announced this week?
What's your take on the implications of the new worldwide Cisco CCIE count?
What's your take on why Douglas Gourlay left Cisco and where do you think he will land?
Which had Gourlay inviting guests to Cisco Live in the following video
Which video quacks you up the most?
While Cisco salivates over 30 to 50 new market adjacencies
Why does Cisco lack pricing flexibility?
Why is cellular-only PBX and UC integration incomplete?
Why the Enterasys NAC solution is doing so well
Why the Enterasys NAC solution is in such high demand
Wireless / Mobile
Without ducking my question
Would you back the technology vision of Marc Andreessen
You too will understand why duck quacking has become such an overnight sensation
On The Web
Twitter