The Top 10 Intrusion Detection and Prevention Systems

By Ron Samson Jr

What Are Intrusion Detection and Prevention Systems?

Intrusion detection and prevention systems (IDPSes) are designed to alert an organization to ongoing cyber threats and potentially respond to them automatically.  However, not all of these systems work in the same way or have the same objectives.  Important distinctions between types of systems include:

  • Intrusion detection system (IDS) vs. intrusion prevention system (IPS)
  • Host-based vs. network-based systems
  • Signature-based vs. anomaly-based detection

Understanding the distinctions between these categories of IDPSes is important when evaluating different options and selecting the right fit for an organization.

Intrusion Detection Systems (IDS) vs. Intrusion Prevention Systems (IPS)

The terms IDS and IPS describe how the system responds to a detected threat.  Any IPS is also an IDS (it must detect before it can block), but the reverse is not true.

An IDS, as the name suggests, is designed to detect an intrusion on the network.  This means that, if a potential cyberattack is detected, the system will raise an alert.  The system itself does nothing to try to prevent the attack, leaving that responsibility to a human analyst.

An IPS, on the other hand, actively works to prevent an attack from succeeding.  If an intrusion is detected, the IPS responds according to predefined rules.  Responses may include blocking incoming network traffic, killing a malicious process, quarantining a file, etc.

An IPS is better at protecting the network against threats, so why do IDSes exist?  The problem with an IPS is that it may make an incorrect threat detection and take action against a legitimate user, process, connection, etc.  An IDS is best used when the organization wishes to maintain control over the decision to engage in incident response, while an IPS has the advantage of a faster response to detected threats.

Host-Based vs. Network-Based Intrusion Detection/Prevention Systems

An IDPS can also be classified by what it is designed to protect: a single host, the network as a whole, or both.

A host-based IDPS protects a particular endpoint.  It may monitor the network traffic entering and leaving the device, processes running on the system, modifications to files, etc.

A network-based IDPS monitors traffic on the network as a whole.  It typically captures packets from a network tap or switch mirror port (or by sniffing wireless traffic), then analyzes them for malicious content and for the traffic profiles of common attacks (such as port scanning or a Distributed Denial of Service attack).

Signature-Based vs. Anomaly-Based Detection

An IDPS identifies potential threats based upon built-in rules and profiles.  These rules can work in a couple of different ways, including looking for signatures or anomalies.

A signature-based IDPS looks for instances of known attacks.  After a piece of malware or other malicious content has been identified and analyzed, distinctive features are extracted from it to create a fingerprint of that particular attack.  Signature-based detection compares traffic, files, activity, etc. against a database of such signatures, and a match is reported as an instance of that known attack.

Anomaly-based detection takes a different approach.  Instead of fingerprinting known attacks, it builds a model of “normal” behavior for a particular system or network.  Once the model is built, the IDPS flags anything that does not fit it (an anomaly) as a potential attack.  How useful those alerts are depends on how well the model captures normal behavior and how stable that behavior is: attacks are anomalies, but not every anomaly is an attack.

Many IDPSes combine signature and anomaly detection because the two approaches have complementary strengths and weaknesses.  Signature-based detection has a very low false positive rate but can only detect attacks that already have a signature, so it misses zero-day and modified attacks.  Anomaly-based detection can potentially catch zero-day threats but suffers from higher false positive rates, since it alerts on anything anomalous, including benign changes such as standing up a new webserver or installing new software on a machine.  Used together, they achieve better detection than either approach in isolation.
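
As an added illustration (not code from the original article or from any of the products reviewed below), the following Python script runs both strategies over a constructed batch of connection records: a tiny signature database of two regular-expression fingerprints, and a port-usage baseline that flags any source/destination-port pair it did not see during training and any host that touches five distinct ports in one batch.  All hosts, payloads, patterns and thresholds are made up for the example.

```python
import re
from collections import defaultdict

# Constructed signature database for this example (name -> pattern over the
# payload bytes).  These are illustrative patterns, not rules from Snort or
# any product.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "shellshock-env": re.compile(rb"\(\)\s*\{\s*:;\s*\}\s*;"),
}


def signature_alerts(events):
    """Signature-based detection: an event is an alert only if its payload
    matches a fingerprint already in the database."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["payload"]):
                hits.append((ev["id"], name))
    return hits


class PortBaseline:
    """Anomaly-based detection: learn which destination ports each source host
    normally talks to, then flag anything outside that model.  A source that
    touches max_ports distinct ports within one batch is also flagged as scanning."""

    def __init__(self, max_ports=5):
        self.known = defaultdict(set)   # src -> destination ports seen in training
        self.max_ports = max_ports

    def train(self, events):
        for ev in events:
            self.known[ev["src"]].add(ev["dport"])

    def alerts(self, events):
        hits = []
        touched = defaultdict(set)      # src -> ports touched in this batch
        for ev in events:
            src, dport = ev["src"], ev["dport"]
            if dport not in self.known.get(src, set()):
                hits.append((ev["id"], f"unusual-port:{dport}"))
            touched[src].add(dport)
            if len(touched[src]) == self.max_ports:   # fires once per source
                hits.append((ev["id"], "port-scan"))
        return hits


def event(eid, src, dport, payload=b""):
    return {"id": eid, "src": src, "dport": dport, "payload": payload}


# Constructed training traffic: what "normal" looked like for two hosts.
TRAINING = [
    event(0, "10.0.0.5", 443), event(0, "10.0.0.5", 53),
    event(0, "10.0.0.6", 80), event(0, "10.0.0.6", 443), event(0, "10.0.0.6", 22),
]

# Constructed test traffic mixing benign, known-bad and novel activity.
TEST = [
    event(1, "10.0.0.5", 443, b"GET /index.html HTTP/1.1"),
    event(2, "10.0.0.6", 80, b"GET /s?q=1' UNION SELECT pw FROM users-- HTTP/1.1"),
    event(3, "10.0.0.5", 8080, b"GET /admin HTTP/1.1"),        # new webserver, benign
    event(4, "10.0.0.7", 21), event(5, "10.0.0.7", 22), event(6, "10.0.0.7", 23),
    event(7, "10.0.0.7", 25), event(8, "10.0.0.7", 80),        # unknown host sweeping ports
    event(9, "10.0.0.6", 80, b"User-Agent: () { :; }; /bin/bash -c id"),
]


def run_example():
    """Return (signature alerts, anomaly alerts) for the constructed test batch."""
    baseline = PortBaseline(max_ports=5)
    baseline.train(TRAINING)
    return signature_alerts(TEST), baseline.alerts(TEST)


if __name__ == "__main__":
    sig, anom = run_example()
    print("signature alerts:", sig)
    print("anomaly alerts:  ", anom)
```

Running it shows the complementary behaviour described above: the UNION SELECT and Shellshock payloads are caught only by the signatures (both arrive on a port the baseline considers normal, so the anomaly model is silent), the port sweep from the unknown host and the newly provisioned webserver on 8080 are caught only by the anomaly model, and the 8080 hit is exactly the benign-change false positive the paragraph warns about.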

The Best Available Intrusion Detection and Prevention Systems

An IDPS is one of the few cybersecurity solutions where an organization has a number of different reasonably-priced but powerful options to choose from.  From startups on a tight budget to global enterprises wanting both a trustworthy product and support, a number of different options exist.

1.  SolarWinds Security Event Manager (SEM)

SolarWinds Security Event Manager is a paid IDPS designed for enterprise environments.  It is available as a subscription service for $2,525 and up, and lifetime licenses are available starting at $4,485.

Pros:

  • Runs on Windows
  • Supports Windows, MacOS, and *nix log files
  • Collects and analyzes network and host data
  • Integrates with Snort for network analysis
  • Over 700 built-in rules for event correlation
  • User-friendly interface

Cons:

  • Software is infrequently updated

 

2.  OSSEC

OSSEC is a free, open-source host-based IDPS: it runs as an agent on the protected system and watches logs, file integrity, and system state rather than network traffic.

Pros:

  • Open source
  • Windows registry monitoring
  • MacOS privilege escalation detection
  • Monitors log file checksums to detect tampering

Cons:

  • Limited Windows support
  • Steep learning curve

 

3. Snort

Snort is probably the most well-known and widely deployed IDPS in existence.  Its very large user base has made its rule format a de facto standard, and many other IDPSes are built to be compatible with it.  Since Snort is open-source, it can be downloaded and deployed for free.

Pros:

  • Runs on Linux, other *nix systems, and Windows
  • Large library of pre-built detection rules
  • Deep visibility into network traffic

Cons:

  • Unstable updates

 

4. Suricata

Suricata was designed as a competitor to Snort.  It is compatible with Snort rule syntax and is also free.  It adds features such as native multi-threading and application-layer protocol parsing (HTTP, TLS, DNS, and others), which lets rules match on reassembled protocol fields rather than on the contents of individual packets.

Pros:

  • Open source
  • Data collection at application layer
  • Deep network traffic visibility
  • Integration with a number of third-party tools
  • Lua scripting support
  • Structured JSON (EVE) event output that feeds SIEMs and log pipelines easily
  • Multi-threaded packet processing that scales across CPU cores

Cons:

  • Processor-heavy

 

5. Zeek

Zeek, formerly known as Bro, is a powerful network analysis framework and NIDS.  Its built-in scripting language allows a great deal of customization, including customized automated responses to identified threats.

Pros:

  • Open source
  • Runs on MacOS and *nix systems
  • Deep visibility into network traffic
  • Integrated traffic logging
  • Scripting enables customized automation

Cons:

  • Steep learning curve

 

6. Sagan

Sagan is one of the few open-source IPSes designed to provide both host-based and network-based intrusion detection and prevention.  It is primarily a log-analysis engine (host-based), but it can correlate with Snort data and drive firewalls to block addresses at the network level as well.

Pros:

  • Open source
  • Snort-compatible rule syntax and output formats
  • Multiple third-party integrations
  • Runs on MacOS and *nix systems
  • Integration with firewalls for IP blocking
  • Lightweight

Cons:

  • Steep learning curve (many features)

 

7. Security Onion

Security Onion is a Linux distribution that bundles a number of IDPS and other security tools, including Suricata, Zeek, and other popular open-source tools (older releases also shipped Snort).

Pros:

  • Open-source Linux distribution
  • Integrates a number of tools

Cons:

  • Many overlapping standalone tools
  • No action automation
  • Some interfaces are not user-friendly

 

8. McAfee Network Security Platform (NSP)

McAfee Network Security Platform (NSP) is a closed-source NIDS/NIPS appliance.  While it has a high price tag compared to the other options in this list (starting at $10,995), with that comes focused development, vendor support, and other benefits not available with the open-source alternatives.

Pros:

  • Protection against bots, Distributed Denial of Service (DDoS), ransomware, and many other attacks
  • Blocks harmful sites

Cons:

  • False positives for harmful site detection
  • Negatively impacts network performance

 

9.  Palo Alto Networks

Palo Alto Networks also offers an IPS for large businesses that want the support that comes with a commercial solution.  Its network IPS, with prices starting at $9,509.50, is actively developed by a large cybersecurity company.

Pros:

  • Constantly updated threat protection profiles
  • Blocks harmful sites

Cons:

  • Little customization
  • No visibility into signatures used

 

10. Fail2Ban

Fail2Ban is an open-source host-based IPS that watches log files for suspicious or malicious actions and responds automatically.  A “filter” (a set of regular expressions that recognize failure events in a log) is combined with an “action” (typically a firewall rule that blocks the offending address) to form a “jail”.

Pros:

  • Runs on *nix and MacOS systems
  • Log file analysis to identify suspicious events (such as repeated failed login attempts)
  • Automatic blocking of suspicious/malicious IP addresses

Cons:

  • Counts repeated failures per source IP address, so it misses distributed attacks (a DDoS, or a brute force spread across many addresses that each stay under the threshold)
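
To make the IDS/IPS distinction from earlier in the article and the jail concept concrete, here is an added Python example (not Fail2Ban's own code) that reimplements the core of a jail: a constructed sshd failregex, the real Fail2Ban settings maxretry, findtime, bantime and ignoreip, and a prevent switch that selects between banning (IPS behaviour) and alerting only (IDS behaviour).  The Jail class, the regular expression and the auth-log lines are all constructed for this example; a real jail would invoke iptables or nftables where this one records a ban.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "failregex" for OpenSSH password failures.  Fail2Ban's real
# filter.d/sshd.conf covers many more message variants; this one is illustrative.
FAILREGEX = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


class Jail:
    """A jail in the Fail2Ban sense: one filter plus one action, governed by
    maxretry failures inside findtime seconds, with a bantime and an ignoreip
    allowlist.  prevent=True bans (IPS behaviour); prevent=False only alerts (IDS)."""

    def __init__(self, maxretry=3, findtime=600, bantime=3600, ignoreip=(), prevent=True):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignoreip = [ipaddress.ip_network(n) for n in ignoreip]
        self.prevent = prevent
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                      # ip -> ban expiry
        self.actions = []                     # (action, ip, time) in the order taken

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignoreip)

    def feed(self, line, year=2024):
        """Process one log line; return the action taken ('ban', 'alert') or None."""
        m = FAILREGEX.search(line)
        if not m:
            return None                       # not a failure this filter recognises
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if self._ignored(ip) or ip in self.banned:
            return None                       # trusted source, or already handled
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # slide the window: drop old failures
            window.popleft()
        if len(window) < self.maxretry:
            return None
        action = "ban" if self.prevent else "alert"
        self.actions.append((action, ip, ts.strftime("%H:%M:%S")))
        if self.prevent:
            self.banned[ip] = ts + self.bantime   # real jail: add a firewall rule here
        else:
            window.clear()                        # IDS mode: re-arm instead of re-alerting
        return action


# Constructed auth log: one host hammering passwords, a trusted jump host whose
# user mistypes her password, and an attacker pacing attempts 15 minutes apart.
AUTH_LOG = """\
Mar 15 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51812 ssh2
Mar 15 10:00:03 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51812 ssh2
Mar 15 10:00:04 bastion sshd[2107]: Accepted publickey for deploy from 192.0.2.20 port 40022 ssh2
Mar 15 10:00:06 bastion sshd[2110]: Failed password for root from 203.0.113.9 port 51830 ssh2
Mar 15 10:00:07 bastion sshd[2112]: Failed password for alice from 192.0.2.20 port 40030 ssh2
Mar 15 10:00:08 bastion sshd[2112]: Failed password for alice from 192.0.2.20 port 40030 ssh2
Mar 15 10:00:09 bastion sshd[2112]: Failed password for alice from 192.0.2.20 port 40030 ssh2
Mar 15 10:30:00 bastion sshd[2200]: Failed password for invalid user test from 198.51.100.7 port 50001 ssh2
Mar 15 10:45:00 bastion sshd[2201]: Failed password for invalid user test from 198.51.100.7 port 50002 ssh2
Mar 15 11:00:00 bastion sshd[2202]: Failed password for invalid user test from 198.51.100.7 port 50003 ssh2
""".splitlines()


def run_jail(prevent=True):
    """Feed the constructed log through a jail; return (actions taken, banned IPs)."""
    jail = Jail(maxretry=3, findtime=600, bantime=3600,
                ignoreip=("192.0.2.0/24",), prevent=prevent)
    for line in AUTH_LOG:
        jail.feed(line)
    return jail.actions, sorted(jail.banned)


if __name__ == "__main__":
    print("IPS mode:", run_jail(prevent=True))
    print("IDS mode:", run_jail(prevent=False))
```

In both modes only 203.0.113.9 trips the jail: it reaches three failures within the findtime window at 10:00:06.  The ignoreip allowlist keeps the trusted jump host's three failures from locking out 192.0.2.20, which is the guard against the self-inflicted false positive that makes some organizations prefer an alert-only IDS.  The third host never triggers because it spaces attempts wider than findtime, which is the per-source, threshold-based blind spot noted in the cons above.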

 

Comparing IDPS Options

Not every IDPS is created equal.  With many different types of systems (IDS vs. IPS, host-based vs. network-based, signature vs. anomaly detection), it is important to understand the purpose that a particular system is designed to fulfill and how it does its job.

 

Product              IDS/IPS   HIDS/NIDS   Supported Platforms      Price
SolarWinds SEM       IPS       Both        Windows                  $2,525+
OSSEC                IPS       HIDS        *nix, MacOS, Windows     Free
Snort                IPS       NIDS        *nix, Windows            Free
Suricata             IPS       NIDS        *nix, MacOS, Windows     Free
Zeek                 IPS       NIDS        *nix, MacOS              Free
Sagan                IPS       Both        *nix, MacOS              Free
Security Onion       IPS       Both        Linux                    Free
McAfee NSP           IPS       NIDS        Standalone               $10,995+
Palo Alto Networks   IPS       NIDS        Standalone               $9,509.50+
Fail2Ban             IPS       HIDS        *nix, MacOS              Free

 

Choosing an IDPS

The choice of which IDPS to use should be based upon an organization’s unique environment and business needs.  It is also important to keep in mind that IDPS options are not always an “either/or” choice.  Achieving comprehensive threat detection and prevention may require deploying both a host-based and a network-based IDPS or running multiple network-level IDS systems side-by-side to take advantage of their different strengths.
