Our personal and professional lives are becoming more and more digital. While this trend has a number of upsides ranging from optimized workflows, to better connectivity with loved ones, to Netflix binges, it also means the importance of network security is at an all-time high.
One of the cornerstones of a secure network infrastructure is the ability to identify and mitigate threats before they compromise data or bring down a network. A strong Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) can play a major role in doing just that.
In this article, we’ll dive into the topic of IPS and IDS, review some of the basic concepts including SIEM, and then provide an overview of some of the popular SIEM, IPS, and IDS software available for Windows, Linux, and Mac OS. If you’re already comfortable with the basics surrounding intrusion prevention and detection, feel free to
- IPS Defined
- Differences between IPS & IDS
- HIPS & NIPS
- HIPS vs Antivirus
- A NIPS is NOT a firewall
- How are threats detected?
- What is SIEM?
- 1. SolarWinds Log & Event Manager (FREE TRIAL)
- 2. SNORT
- 3. Security Onion
- 4. Bro Network Security Monitor
- 5. Trend Micro Vulnerability Protection Agent
- 6. WinPatrol
- 7. OSSEC
- Summary
IPS Defined
An IPS is a security system that monitors network traffic for malicious activity and actively blocks or otherwise mitigates the threats it detects, typically by dropping the offending packets, resetting the connection, or blocking the source.
In some cases, IPS solutions are dedicated hardware appliances that run powerful IPS software and are deployed as discrete nodes within a network. Cisco’s Firepower NGIPS (Next Generation Intrusion Prevention System) product line includes a number of hardware devices that fit this description.
Differences between IPS & IDS
You may hear the terms IPS and IDS used interchangeably. Given that many security solutions support both and IPS is sometimes referred to as “proactive IDS” or similar, the confusion is understandable. The main difference between IPS & IDS is exactly what the names imply: an IPS attempts to take action against intrusions while an IDS only detects them.
There are pros and cons to both approaches. In short, the tradeoff is between automated response and the cost of false positives: an IPS can stop an attack without waiting for a human, but when its verdict is wrong it blocks legitimate traffic, while an IDS only raises an alert, so a false positive costs analyst time rather than availability. For this reason the rules that run inline in an IPS are usually tuned more conservatively than those of a passive IDS.
HIPS & NIPS
At a high level, there are two ways to deploy intrusion prevention (and detection) systems: at the host level or at the network level. The host-based systems are referred to as HIPS (Host Intrusion Prevention System) and network-based systems are referred to as NIPS (Network Intrusion Prevention System). For their IDS counterparts, HIDS and NIDS are the acronyms used.
A HIPS is installed on a given host (e.g. a server or workstation) and protects only that host, which gives it visibility into files, processes, and logs that never appear on the wire. A NIPS sits at a network chokepoint (inline, or on a tap or mirror port for a NIDS) and protects every system whose traffic passes through that point, but it sees only the traffic, and only in the clear if it is not encrypted.
HIPS vs Antivirus
There is a lot of confusion and ambiguity as to what exactly differentiates a HIPS from antivirus software. One common way to separate the two: a HIPS looks at behaviour, files, and changes to a system, while antivirus software looks only for malicious or unwanted files. This distinction falls apart as you look at what most modern antivirus products actually do; many of their features (behavioural monitoring, exploit blocking, alerts on system changes) fall into the aforementioned "HIPS" category. Within the context of this article, we'll look at some software that calls out host intrusion prevention specifically, to give you an idea of what's available on the market and how it stacks up against antivirus software.
A NIPS is NOT a firewall
It is important to understand that an IPS is NOT a firewall. Firewalls provide a different, rule-based kind of control that is important and should not be overlooked, but many threats do not violate any firewall rule. That is where IPS and IDS come in. For example, a firewall can block HTTP traffic to port 80 altogether, but a traditional packet-filtering firewall is not designed to inspect the content of the packets it allows through and act when something malicious appears in them. That is what a NIPS does.
However, there are products that combine the functionality of a firewall and an NIPS into one device. Cisco’s Next Generation Firewalls (NGFWs) are a popular example.
How are threats detected?
There are two main methods used by IPS and IDS to detect threats: signature-based detection and anomaly-based detection. Signature-based detection compares traffic against a database of known threat definitions (byte patterns, known-bad indicators, protocol quirks of specific malware); it is precise for what it knows but blind to anything without a signature. Anomaly-based detection instead builds a baseline of normal behaviour and flags deviations from it, using statistical or heuristic methods. Anomaly-based methods can catch zero-day or otherwise undefined threats, but they are generally harder to develop and tune, and any legitimate activity that was not present when the baseline was learned (a nightly backup, a quarterly report run) shows up as a false positive.
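The baseline-and-deviation idea behind anomaly detection, as an added example for this article (it is not code from any IDS product mentioned here). The per-host connection counts used as the training window and the observations scored against it are constructed; the threshold of three standard deviations is an assumed tuning choice, not a standard.

```python
"""Anomaly-based detection over per-host connection counts.

Added example for this article; it is not code from any IDS product.
The baseline and the observations below are constructed.
"""
from statistics import mean, pstdev

# Constructed training window: outbound connections per minute for each
# host during a period believed to be clean. Real sensors learn this from
# days or weeks of traffic, not ten samples.
BASELINE = {
    "10.0.0.5": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "10.0.0.7": [3, 4, 2, 3, 5, 3, 4, 3, 2, 4],
    "10.0.0.9": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
}

# Constructed observations to score against the baseline.
OBSERVATIONS = [
    ("10.0.0.5", 14),   # ordinary minute
    ("10.0.0.7", 90),   # sudden fan-out from a quiet host: worm-like behaviour
    ("10.0.0.9", 47),   # a little above normal, still inside 3 sigma
    ("10.0.0.5", 60),   # legitimate nightly backup that was never in the baseline
    ("10.0.0.99", 5),   # host that did not exist during training
]


def build_profile(samples, floor=1.0):
    """Per-host (mean, standard deviation). The floor keeps a very flat
    baseline from turning every one-connection change into an alert."""
    return {host: (mean(v), max(pstdev(v), floor)) for host, v in samples.items()}


def score(profile, host, value):
    """z-score of one observation against that host's own profile.
    None means the host has no baseline at all, which is itself notable."""
    if host not in profile:
        return None
    mu, sigma = profile[host]
    return (value - mu) / sigma


def detect(profile, observations, threshold=3.0):
    """Return (host, value, z) for every observation at or beyond the
    threshold, plus any host with no profile. No signature is consulted,
    so both the worm-like host and the backup job are flagged: the second
    is the false positive an inline IPS would turn into a blocked backup."""
    hits = []
    for host, value in observations:
        z = score(profile, host, value)
        if z is None or abs(z) >= threshold:
            hits.append((host, value, z))
    return hits


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for host, value, z in detect(profile, OBSERVATIONS):
        shown = "no baseline" if z is None else f"z={z:.1f}"
        print(f"ANOMALY host={host} conns/min={value} ({shown})")
```

Run it and three of the five observations are flagged. The quiet host that suddenly opens ninety connections a minute is exactly the zero-day behaviour a signature would miss; the backup job is flagged with the same confidence, which is the tuning problem the paragraph above describes.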
What is SIEM?
Security Information and Event Management (SIEM) products centralize and analyze security data from across the network and help security operations scale. Events from nodes running IDS or IPS software are among the most valuable inputs a SIEM can receive. A SIEM normalizes events from many different sources into a common schema, correlates them (an IDS alert followed by a burst of failed logins from the same source, for instance), and supports the retention and reporting that compliance regimes demand. In short, a SIEM turns isolated IDS and IPS alerts into part of a more complete security picture.
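The normalize-then-correlate step, as an added example for this article (it is not code from SolarWinds LEM or any other SIEM). The Snort "fast" alert lines and the sshd auth.log lines are constructed; because neither format records the year, the example assumes one; the five-minute window and the three-failure threshold are assumed tuning values.

```python
"""SIEM-style correlation of a NIDS alert with host authentication logs.

Added example for this article; it is not code from SolarWinds LEM or any
other SIEM. The Snort 'fast' alert lines and the sshd auth.log lines are
constructed, and because neither format carries a year, one is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024

# Constructed input: two Snort fast-format alerts and five sshd log lines.
SAMPLE_LOGS = """
03/15-14:22:01.123456  [**] [1:1000003:1] Constructed: SSH banner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51000 -> 10.0.0.20:22
03/15-14:25:10.000001  [**] [1:1000004:1] Constructed: scanner user-agent [**] [Classification: Web Application Attack] [Priority: 3] {TCP} 198.51.100.7:44000 -> 10.0.0.30:80
Mar 15 14:22:05 web01 sshd[2231]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 15 14:22:07 web01 sshd[2231]: Failed password for root from 192.0.2.10 port 51236 ssh2
Mar 15 14:22:09 web01 sshd[2233]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 15 14:22:30 web01 sshd[2240]: Accepted password for alice from 10.0.0.44 port 60002 ssh2
Mar 15 14:30:00 web01 sshd[2300]: Failed password for alice from 10.0.0.44 port 60010 ssh2
"""

SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def normalize(text):
    """Turn heterogeneous log lines into events with a common schema:
    ts, source, kind, src (the remote IP), host, detail. Lines in neither
    format, such as the successful login, are ignored here."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if m := SNORT_FAST.match(line):
            ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S").replace(year=ASSUMED_YEAR)
            events.append(dict(ts=ts, source="nids", kind="alert", src=m["src"],
                               host=m["dst"], detail=f"sid {m['sid']}: {m['msg']}"))
        elif m := SSHD_FAIL.match(line):
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
            events.append(dict(ts=ts, source="host", kind="auth_fail", src=m["src"],
                               host=m["host"], detail=f"failed login as {m['user']}"))
    return events


def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Raise one incident per source IP that triggered a NIDS alert and then
    produced at least min_failures failed logins within the window. Neither
    signal is strong alone: a priority-2 probe alert is noise on most
    perimeters and three failed logins are a typo; together they are a
    recon-then-brute-force pattern."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        for alert in (e for e in evs if e["source"] == "nids"):
            fails = [e for e in evs if e["kind"] == "auth_fail"
                     and alert["ts"] <= e["ts"] <= alert["ts"] + window]
            if len(fails) >= min_failures:
                incidents.append(dict(src=src, alert=alert["detail"], failures=len(fails),
                                      hosts=sorted({e["host"] for e in fails})))
    return incidents


if __name__ == "__main__":
    for inc in correlate(normalize(SAMPLE_LOGS)):
        print(f"INCIDENT src={inc['src']} after '{inc['alert']}': "
              f"{inc['failures']} failed logins on {','.join(inc['hosts'])}")
```

Of the seven constructed lines, only the probe from 192.0.2.10 followed by three failures on web01 becomes an incident; the scanner alert from 198.51.100.7 with no follow-on activity and the single mistyped password from an internal address do not. The normalization step is what makes that join possible: the NIDS knows nothing about usernames and sshd knows nothing about banner probes.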
- SolarWinds Log & Event Manager (FREE TRIAL)
- Security Onion
- Bro Network Security Monitor
- Trend Micro Vulnerability Protection Agent
1. SolarWinds Log & Event Manager (FREE TRIAL)
SolarWinds Log & Event Manager (LEM) is an enterprise log management solution. LEM is deployed as a virtual appliance on VMware vSphere or Microsoft Hyper-V hypervisors. LEM offers advanced reporting and monitoring to help scale and centralize your network security administration. Given its feature set, LEM is often used as a SIEM. LEM supports dozens of IPS and IDS connectors from a variety of vendors including Cisco, Juniper, and Trend Micro. You can view the complete list here.
The nDepth search engine included with LEM adds a significant amount of extensibility and functionality. As an example, check out this article describing how you can create an nDepth query to display all activities by a given user.
For a deeper dive into LEM, check out our review. To test drive LEM yourself from a browser, click here.
2. SNORT
SNORT is one of the biggest names in IPS and IDS. SNORT has three main operating modes: Sniffer Mode (print packets to the console), Packet Logger Mode (write packets to disk), and Network Intrusion Detection System Mode, in which it applies its rule set to traffic. Whether SNORT acts as an IDS or an IPS is decided by how that third mode is deployed. Fed from a tap or mirror port it sees only a copy of the traffic and can do no more than alert; run inline (the -Q flag, with an inline-capable packet acquisition module such as afpacket or nfq) it can enforce rules whose action is drop rather than alert, and so acts as an IPS.
For the most part, SNORT uses signature-based detection. There is a wide variety of community and vendor rule sets available for SNORT, and advanced users can write their own rules in the same syntax; SIDs of 1000000 and above are reserved for such local rules.
SNORT is open source and has a large community of users. It is used as a part of enterprise security solutions (e.g. Cisco’s 4000 Series Integrated Services Routers), so it’s also a good reference for those of you looking to get familiar with enterprise tools without access to enterprise hardware.
SNORT is supported on Windows, FreeBSD, and Linux distributions including Fedora and CentOS.
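To make the alert-versus-drop distinction concrete, here is an added example for this article that models a tiny subset of SNORT rule syntax and runs the same two rules over the same packets in passive and inline mode. It is not SNORT's code: it handles only the rule header, "any" or CIDR addresses, "any" or a single port, and the msg, content, nocase and sid options, and it lets the first matching rule decide the verdict, which is a simplification of SNORT's event queue. The rules and the packets are constructed.

```python
"""A toy SNORT-style rule matcher, to show how the same rule set behaves
when deployed as an IDS (passive, alert only) and as an IPS (inline, drop
verdicts enforced).

Added example; this is not SNORT's code and handles only a tiny subset of
rule syntax: the header, 'any' or CIDR addresses, 'any' or a single port,
and the msg, content, nocase and sid options. Rules and packets are
constructed.
"""
import ipaddress
import re

# Constructed local rules. SIDs of 1000000 and above are the range SNORT
# reserves for locally written rules.
RULES_TEXT = """
# shell path in an HTTP request, any case
alert tcp any any -> 10.0.0.0/8 80 (msg:"Constructed: shell path in HTTP payload"; content:"/bin/sh"; nocase; sid:1000001; rev:1;)
# old protocol banner used by some SSH scanners
drop tcp any any -> any 22 (msg:"Constructed: SSH-1.99 banner probe"; content:"SSH-1.99"; sid:1000002; rev:1;)
"""

# Constructed packets. 192.0.2.0/24 is a documentation range.
PACKETS = [
    dict(proto="tcp", src="192.0.2.10", sport=40000, dst="10.1.2.3", dport=80,
         payload="GET /cgi-bin/test.cgi?cmd=/BIN/SH HTTP/1.1\r\nHost: x\r\n\r\n"),
    dict(proto="tcp", src="192.0.2.11", sport=40001, dst="10.1.2.4", dport=22,
         payload="SSH-1.99-scanner\r\n"),
    dict(proto="tcp", src="192.0.2.12", sport=40002, dst="10.1.2.5", dport=443,
         payload="\x16\x03\x01 TLS client hello (opaque to these rules)"),
]

HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule into its header fields and the options we support."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    rule["msg"] = opts.get("msg", "")
    rule["content"] = opts.get("content", "")
    rule["nocase"] = "nocase" in opts
    rule["sid"] = int(opts["sid"])
    return rule


def load_rules(text):
    """Parse every non-blank, non-comment line of a rules file."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """Header match first, then the content test (case-folded if nocase)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    payload, needle = pkt["payload"], rule["content"]
    if rule["nocase"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload


def process(rules, packets, inline):
    """One verdict per packet as (action, sid). The first matching rule wins.
    In passive mode the sensor only sees a copy of the traffic, so a 'drop'
    rule can do no more than alert; only inline does the drop take effect."""
    verdicts = []
    for pkt in packets:
        verdict = ("pass", None)
        for rule in rules:
            if rule_matches(rule, pkt):
                action = rule["action"] if inline else "alert"
                verdict = (action, rule["sid"])
                break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for mode in (False, True):
        print("inline" if mode else "passive", process(rules, PACKETS, inline=mode))
```

The first packet trips the nocase rule even though the attacker upper-cased the path, and the TLS packet matches nothing. The second packet is the point of the example: in passive mode the drop rule produces only an alert and the banner probe reaches the SSH server; inline, the same rule file yields a drop verdict.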
3. Security Onion
Security Onion is a Linux distribution built for network security monitoring and log management. It bundles network-based IDS sensors with full packet capture and an analysis stack, leveraging a number of popular open-source tools including OSSEC, SNORT, Suricata, Elasticsearch, Logstash, Kibana, Bro, Sguil, Squert, NetworkMiner, and others. Security Onion is designed for monitoring rather than blocking: its sensors watch a copy of traffic from a tap or mirror port, so it operates as a NIDS rather than an inline NIPS. A setup wizard makes provisioning easier for first-time users. You can download the Security Onion ISO for free here.
4. Bro Network Security Monitor
Bro (renamed Zeek in 2018) is an advanced network analysis framework with NIDS features; it is not deployed inline, so blocking, where it is wanted, is done by pushing rules to a firewall or switch. Bro is supported on Linux, Mac OS X, and FreeBSD. The project is led by Bro's creator Vern Paxson together with members of the International Computer Science Institute (ICSI) and the National Center for Supercomputing Applications (NCSA). Bro is popular with advanced users in fields such as academia and supercomputing.
Bro's primary approach is not signature matching. It parses traffic into protocol-level events (a DNS query, an HTTP request, an SSL handshake) and runs scripts against them, producing rich structured logs such as conn.log, dns.log, and http.log. Signature-based matching is also supported, and the scripting layer is where anomaly-based detection and behavioural analysis are implemented. This application-layer visibility is Bro's main strength.
Bro has a large community and a lot of documentation to help you get started. You can try Bro directly from your browser here. Example scripts and exercises are available to help you get familiar with this tool.
5. Trend Micro Vulnerability Protection Agent
The Trend Micro Vulnerability Protection Agent is a host-based intrusion prevention system for Windows that works in conjunction with a Trend Micro Vulnerability Protection Server to protect individual computers on a network.
This solution offers a number of features including automatic assessments and recommendations for patches, blocking of exploits before patches are applied, and dynamic adjustment of configurations based on the location of a given node.
This solution might be a good fit if you need to continue to use out of support operating systems (e.g. Windows XP) or are looking for a HIPS/HIDS that can help you meet compliance objectives. You can learn more about the Vulnerability Protection Agent and sign up for a trial here.
6. WinPatrol
WinPatrol is a Windows host-based intrusion prevention/detection system. There is a freeware and a premium (Plus) version of WinPatrol. WinPatrol offers a number of features, ranging from notifying you of changes to startup programs to an "artificial intelligence" engine to detect and block ransomware and malware. As an added bonus, Scotty, the WinPatrol dog, will "bark" to alert you when a notification occurs.
While some reviews of WinPatrol have called out the fact that it missed some threats and that some of its features (e.g. viewing running processes) seem to be a repackaging of built-in Windows features, it does have some upside. In my time using it, it has made me aware of some changes to my system that I otherwise would not have noticed. The changes were all relatively benign, but being cognizant of the changes a given program makes can be a plus. In the screenshot below you can see WinPatrol alerting me to changes made by another entry on this list, Trend Micro's Vulnerability Protection Agent.
7. OSSEC
OSSEC is a free and open source (released under GNU General Public License version 2) HIDS that supports a wide variety of operating systems including Windows, macOS, FreeBSD, OpenBSD, Linux, AIX, and VMware ESX.
OSSEC supports file integrity monitoring (syscheck), log analysis, rootkit detection (rootcheck), and process monitoring. Alerts from OSSEC can be sent via email or syslog for integration into a SIEM. OSSEC also has an active-response feature that can run a script when a rule fires (adding a firewall block for an offending address, for example), which moves it from pure HIDS toward HIPS territory. OSSEC has a large community of users and developers supporting it, which can be helpful when you're just getting started with a new tool.
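The file integrity monitoring that sits at the core of a HIDS such as OSSEC, as an added example for this article (it is not OSSEC code). The example builds a throwaway directory tree of its own, takes a baseline of content hashes and permission bits, tampers with the tree the way an intruder might, and reports the differences; the file names and the tampering are constructed, and nothing outside the temporary directory is touched.

```python
"""File-integrity baseline and change detection, the core of what a HIDS
such as OSSEC's syscheck does.

Added example for this article; it is not OSSEC code. It builds a throwaway
directory tree, takes a baseline, tampers with the tree the way an intruder
might, and reports the differences. Nothing outside the temp directory is
touched.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> (sha256, permission bits, size) for every
    regular file. Symlinks are skipped rather than followed: an attacker who
    can create one could otherwise point the checker at an endless device."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = (hash_file(p), st.st_mode & 0o7777, st.st_size)
    return snap


def diff(baseline, current):
    """Classify each change the way a FIM alert would: added, deleted,
    modified content, or permission bits changed with the content intact."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append(("added", path))
        elif new is None:
            events.append(("deleted", path))
        elif old[0] != new[0]:
            events.append(("modified", path))
        elif old[1] != new[1]:
            events.append(("mode_changed", path))
    return events


def demo():
    """Constructed scenario: baseline a small fake system, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("authorised use only\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF fake ls binary")
        baseline = snapshot(root)

        # Tampering: extra uid-0 account, permission change on a config file
        # (content intact), trojaned binary, dropped payload, removed file.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/bash\n")
        (root / "etc" / "sshd_config").chmod(0o444)
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls binary")
        (root / "tmp").mkdir()
        (root / "tmp" / ".x").write_text("payload")
        (root / "etc" / "motd").unlink()

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind:13s} {path}")
```

Each of the five tamperings produces exactly one alert of the right kind. Note the ordering of the checks in diff(): a content change is reported as "modified" even if the permissions also changed, and "mode_changed" is reserved for the case where the bytes are untouched, which is what you want when an attacker loosens permissions on a file they have not yet edited.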
For more on OSSEC, check out their detailed documentation pages.
Summary
Securing your IT infrastructure using SIEM, NIPS/NIDS, and HIPS/HIDS can help keep your business running and mitigate risk. In this article we discussed some of the nuts and bolts of intrusion detection and prevention and provided an overview of some of the top SIEM, IPS, and IDS software available today.
What did you think of our choices? Is there anything we left out? Do you have a question about one of the tools mentioned here? Let us know in the comment section below.