Intrusion detection systems vs. network behavior analysis: Which do you need?

Welcome to the first in a three-part series on network behavior analysis through the eyes of Plixer International. The second part in the series focused on NetFlow analytics vs. network behavior analysis, while the third focused on network behavior analysis and DoS attacks.

More and more vendors are touting the "security features" of their products with such acronyms as IDS, NBA, IPS, firewalls and a slew of others. Thoroughly confused, yours truly asked Plixer Cofounder and CTO Marc Bilodeau the following six questions in order to better understand the differences between IDS and NBA systems, as well as a few others:

1. What is an Intrusion Detection System (aka IDS)?

"An intrusion detection system generally sits on the internet connection and snoops on packets. It is used to detect malicious behaviors that try to sneak onto the network and compromise the security and trust of a computer system. This includes network attacks on vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses and worms). Once in, the virus or infection can hang out for weeks before it strikes out on its evil mission."

2. Won't regular signature updates to the IDS help keep the threat database up to date?

"Yes, signature updates are helpful, but because crackers are constantly evolving their nasties to get past the latest security shields, the company is never completely immune. I like to compare 'signature updates' to a routine flu shot injected into the human body every year to protect it against the most threatening viruses. However, it never blocks all flu viruses."

3. What is Network Behavior Analysis?

"Network behavior analysis is the ability to identify traffic patterns that are not considered normal in the day-to-day traffic of the network. Simply put, this is the industry's attempt to identify irregularities in the network beyond simple threshold settings for excessive traffic. One of the most watched-for network security breaches is an abnormal traffic pattern known as a Distributed Denial of Service attack (DDoS). It is a significant security threat to internet service providers and large network infrastructures."

4. What about Intrusion Prevention Systems (aka IPS)? How are they different from an IDS or NBA?

"Intrusion prevention systems generally work in conjunction with IDS and NBA systems. When an attack is detected by the IDS or NBA, the IPS can drop the offending packets while still allowing all other traffic to pass. I like to compare IPS technology to taking Tylenol to help my body operate while it fights the symptoms of the flu. This is ideally done at the switch, which can also perform NBA."

Bilodeau notes that Cisco and HP support NetFlow and sFlow respectively, but both perform NBA at the switch without relying on sFlow or NetFlow.

5. How can a system with Network Behavior Analysis (aka NBA) abilities help a company with both IDS and IPS already in place?

"In my opinion, an NBA system can be considered a bit less proactive than an IDS and generally focuses on internal traffic. It can sit on a connection and snoop packets like an IDS, or it can leverage NetFlow. I say less proactive because an NBA tries to recognize problems that are already underway (e.g. network scans or DDoS attacks that are being carried out). It tries to catch threats missed by the IDS or antivirus software. An NBA appliance addresses anomalies in network traffic that deviate from standard behavior patterns. Because the NBA system focuses on behavior or symptoms, updates to the analysis engine are made less frequently than those of an IDS. In keeping with my flu example, the flu shot (i.e. IDS) didn't work. You are sick, and the body (i.e. NBA) recognizes a stuffy nose, sinus pressure and a host of other ailments."

6. So which do you need: IDS or NBA?

"Well, if you have an IDS and want to know if an NBA should be added, I would answer with: Can the business benefit from the additional security monitoring an NBA provides? Are you worried about internal threats? Most companies are.

"I want to add that at Plixer we developed an industry-first technology called Flow Analytics which has many NBA capabilities, but it also provides useful enterprise-wide information across hundreds of flow-sending routers and switches."

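To make the NBA idea in answers 3 and 5 concrete, here is an added example (my own illustration, not Plixer or Network World code) that learns a per-host baseline from constructed NetFlow-style records and flags a port scan and a DDoS-like convergence that a plain packet-volume threshold would only half catch. Addresses, ports and the packet counts are invented for the illustration.

```python
"""Toy network behavior analysis (NBA) over NetFlow-style records.
Added example, not Plixer code. Records are constructed: each is
(src, dst, dport, packets), a subset of NetFlow key fields."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: four quiet windows of ordinary internal traffic.
BASELINE = [
    [("10.0.0.5", "10.0.1.10", 443, 30), ("10.0.0.5", "10.0.1.11", 80, 12),
     ("10.0.0.7", "10.0.1.10", 443, 20), ("10.0.0.8", "10.0.1.12", 25, 5)],
    [("10.0.0.5", "10.0.1.10", 443, 28), ("10.0.0.7", "10.0.1.10", 443, 22),
     ("10.0.0.7", "10.0.1.11", 80, 9), ("10.0.0.9", "10.0.1.10", 443, 15)],
    [("10.0.0.5", "10.0.1.10", 443, 31), ("10.0.0.8", "10.0.1.12", 25, 6),
     ("10.0.0.9", "10.0.1.11", 80, 11), ("10.0.0.7", "10.0.1.10", 443, 19)],
    [("10.0.0.5", "10.0.1.11", 80, 14), ("10.0.0.7", "10.0.1.10", 443, 21),
     ("10.0.0.8", "10.0.1.12", 25, 4), ("10.0.0.9", "10.0.1.10", 443, 16)],
]
# Constructed current window: 10.0.0.9 probes seven ports on one host with a
# single packet each (scan), and eight outside sources converge on 10.0.1.10:443.
CURRENT = ([("10.0.0.5", "10.0.1.10", 443, 29), ("10.0.0.7", "10.0.1.11", 80, 10)]
           + [("10.0.0.9", "10.0.1.12", p, 1) for p in (21, 22, 23, 80, 443, 3389, 8080)]
           + [(f"198.51.100.{i}", "10.0.1.10", 443, 40) for i in range(1, 9)])

def volume_threshold(window, max_packets=100):
    """The 'simple threshold' NBA goes beyond: destinations over a packet count."""
    totals = defaultdict(int)
    for _, dst, _, packets in window:
        totals[dst] += packets
    return [dst for dst, total in totals.items() if total > max_packets]

def features(window):
    """Per-window behavior features: distinct (dst, dport) pairs each source
    touches (fan-out) and distinct sources each destination sees (fan-in)."""
    fanout, fanin = defaultdict(set), defaultdict(set)
    for src, dst, dport, _ in window:
        fanout[src].add((dst, dport))
        fanin[dst].add(src)
    return ({k: len(v) for k, v in fanout.items()},
            {k: len(v) for k, v in fanin.items()})

def detect(baseline, current, sigmas=3.0, floor=3):
    """Flag hosts whose feature exceeds the learned mean + sigmas * stdev; `floor`
    stops a host going from one contact to two (or unseen in baseline) alerting."""
    history = [features(w) for w in baseline]
    now, alerts = features(current), []
    for idx, label in ((0, "scan-like fan-out"), (1, "ddos-like fan-in")):
        for host, value in now[idx].items():
            past = [h[idx].get(host, 0) for h in history]
            limit = max(floor, mean(past) + sigmas * pstdev(past))
            if value > limit:
                alerts.append((host, label, value, round(limit, 1)))
    return alerts
```

The volume threshold sees only the DDoS-like burst (349 packets to 10.0.1.10), while the behavior features also expose the seven-packet scan from 10.0.0.9, which is the "beyond simple threshold settings" point Bilodeau makes.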
It certainly appears that you need both IDS and NBA, do you agree?
