
Tuesday, March 3, 2020

The 7 best intrusion prevention systems (IPS) by 2020

Everyone wants to keep intruders out of their home. Similarly, and for similar reasons, network administrators strive to keep intruders out of the networks they manage. One of the most important assets of many of today's organizations is their information. It is so important that many malicious people will do everything possible to steal that data. They do this using a wide range of techniques to gain unauthorized access to networks and systems. The number of such attacks has increased exponentially and, in reaction, systems are being implemented to prevent them. These systems are called intrusion prevention systems, or IPS. Today, we take a look at the best intrusion prevention systems we could find.

INTRUSION PREVENTION SYSTEM - WHAT IS ALL THIS ABOUT?

Years ago, viruses were virtually the only concern of system administrators. Viruses became so common that the industry reacted by developing virus protection tools. Today, no serious user in their right mind would think of running a computer without virus protection. While we no longer hear much about viruses, the new threat is intrusion: unauthorized access to your data by malicious users. Since data is often the most important asset of an organization, corporate networks have become the target of malicious hackers who will do everything possible to access that data. Just as virus protection software was the response to the proliferation of viruses, intrusion prevention systems are the answer to intruder attacks.

Intrusion prevention systems essentially do two things. First, they detect intrusion attempts; then, when they detect suspicious activity, they use different methods to stop or block it. There are two different ways to detect intrusion attempts:

SIGNATURE BASED DETECTION
Signature-based detection works by analyzing network traffic and data, looking for specific patterns associated with intrusion attempts. This is similar to traditional virus protection systems that rely on virus definitions. Because it depends on signatures, or known intrusion patterns, the main drawback of this detection method is that the appropriate signatures must be loaded into the software, and when a new attack method appears there is usually a delay before the attack signatures are updated. Some providers are very fast at providing updated attack signatures, while others are much slower. The frequency and speed with which signatures are updated is an important factor to consider when choosing a provider.

ANOMALY-BASED DETECTION
Anomaly-based detection offers better protection against zero-day attacks, which occur before detection signatures have had the opportunity to be updated. The process looks for anomalies instead of trying to recognize known intrusion patterns. For example, it would be triggered if someone tried to access a system with an incorrect password several times in a row, a common sign of a brute force attack. This is just one example; there are usually hundreds of different suspicious activities that can trigger these systems. Both detection methods have their advantages and disadvantages. The best tools are those that use a combination of signature and behavior analysis for the best protection.
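To make the two detection methods concrete, here is an added example (not code from the original post) that runs both over a few constructed log lines: a signature rule matches a known pattern in a request path, and an anomaly rule fires when one source produces five failed logins within a one-minute window, the brute force case mentioned above. The log format, the rule set, the threshold and the window are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): SSH logins and one web request.
SAMPLE_LOG = """\
2020-03-03T10:00:01 sshd src=203.0.113.7 user=alice result=failed
2020-03-03T10:00:03 sshd src=203.0.113.7 user=alice result=failed
2020-03-03T10:00:05 sshd src=203.0.113.7 user=alice result=failed
2020-03-03T10:00:06 sshd src=203.0.113.7 user=alice result=failed
2020-03-03T10:00:08 sshd src=203.0.113.7 user=alice result=failed
2020-03-03T10:00:10 sshd src=198.51.100.2 user=bob result=success
2020-03-03T10:00:12 httpd src=198.51.100.9 path=/cgi-bin/../../etc/passwd result=404
2020-03-03T10:00:15 sshd src=198.51.100.2 user=bob result=failed
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+) src=(?P<src>\S+) (?P<rest>.*)$")

SIGNATURES = [  # signature-based detection: known intrusion patterns (assumed rule set)
    ("path-traversal", re.compile(r"path=\S*\.\./")),
]

def parse(line):
    # Split one log line into timestamp, service, source and key=value fields.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["fields"] = dict(kv.split("=", 1) for kv in ev["rest"].split())
    return ev

def detect(log_text, fail_threshold=5, window=timedelta(seconds=60)):
    # Return (method, rule, source) alerts from the signature and anomaly checks.
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        for name, rx in SIGNATURES:
            if rx.search(line):
                alerts.append(("signature", name, ev["src"]))
        # Anomaly-based detection: repeated failed logins from one source in a window.
        if ev["svc"] == "sshd" and ev["fields"].get("result") == "failed":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) == fail_threshold:  # fire once, on the threshold-crossing event
                alerts.append(("anomaly", "brute-force-login", ev["src"]))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one anomaly alert for 203.0.113.7 and one signature alert for 198.51.100.9; bob's single failure stays below the threshold.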


Friday, February 28, 2020

Criteria for choosing an IDS / IPS solution for PCI DSS

Whether you opt for a NIDS or NIPS solution as an appliance, as software, or as a firewall module, a series of criteria that must be taken into account when choosing and deploying a solution for incident monitoring in a PCI DSS compliance environment is described below:

  • It must provide signature-based detection, anomaly analysis and support for stateful protocol analysis
  • It should be able to analyze the perimeter of the PCI DSS network and the segments that are considered critical. In this case, consider the option of deploying separate sensors in the critical areas to be monitored
  • The solution should allow customization of alerts and detection criteria, in order to manage false positives and to add new detection / prevention controls in addition to those provided by the manufacturer
  • The solution must be updatable on a regular basis, both for its components and for its signatures. Keep in mind that a reboot of the equipment is often required to finalize updates, so it is essential to manage updates as described in requirement 6.4.5 to avoid unavailability of the control, which could lead to a vulnerability in the environment
  • In the case of appliances, keep in mind the scalability of the device and the density of network ports, including management ports

Likewise, it is recommended:

  • Before putting an IDS / IPS solution into production, define a “learning” period in which the device can capture, analyze and obtain statistical information on the normal behavior of the network in order to establish thresholds for anomaly detection
  • If an inline IDS / IPS solution is deployed, keep in mind that this equipment can become a single point of failure, so it may be necessary to install devices in a high-availability configuration and to perform periodic analyses of equipment performance to prevent bottlenecks
  • When monitoring traffic coming from open public networks, ensure that the IDS / IPS sensor can access the traffic in clear text; otherwise it will not be possible to monitor encrypted traffic
  • Ideally, the solution should be able to link to the centralized event logging system (req. 10.5.3 and 10.5.4) and send alerts through different channels (email, SMS, etc.)
  • Verify whether the solution allows integration with other security devices, such as reconfiguring rules in firewalls and switches in response to the detection of an intrusion
  • Analyze the security features of the solution for self-defense in case of targeted attacks
  • If virtualization solutions are in use, consider the need to monitor the network segments on this type of platform (including virtual switches)
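As an added illustration of the learning period described in the first recommendation (example code, not from the original article), the following derives a per-host anomaly threshold from constructed baseline statistics and then checks a later observation against it. The host addresses, the sample counts and the mean-plus-three-sigma rule with a minimum margin are assumptions made for the example.

```python
from statistics import mean, pstdev

# Constructed learning-period data (not from the original article): new connections per
# minute seen from each internal host during a ten-minute learning window.
LEARNING = {
    "10.0.1.10": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "10.0.1.20": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
}

def build_thresholds(learning, k=3.0, min_margin=5):
    # Derive a per-host threshold as mean + k * stddev of the learning samples.
    thresholds = {}
    for host, samples in learning.items():
        mu, sigma = mean(samples), pstdev(samples)
        # A near-constant baseline would give a hair-trigger threshold; enforce a floor.
        thresholds[host] = mu + max(k * sigma, min_margin)
    return thresholds

def evaluate(observed, thresholds):
    # Compare one minute of observed counts against the learned thresholds.
    alerts = []
    for host, count in sorted(observed.items()):
        limit = thresholds.get(host)
        if limit is None:
            alerts.append((host, "no-baseline"))  # host never seen during learning
        elif count > limit:
            alerts.append((host, "above-threshold"))
    return alerts

if __name__ == "__main__":
    th = build_thresholds(LEARNING)
    print(th)
    print(evaluate({"10.0.1.10": 17, "10.0.1.20": 40, "10.0.1.30": 2}, th))
```

With these samples the learned thresholds are 18.5 and 8.3 connections per minute; a host absent from the learning window is reported separately, since the sensor has no baseline for it.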