Robbie Higgins, Vice President of Security Services at GlassHouse Technologies (, says:

IDS/IPS should be part of any company’s security environment large or small; firewalls for the most part are not very good in malicious activity detection. Deployment and operation of IDS/IPS is different from other enterprise security products such as firewalls, in that it involves a data analysis phase before and after the deployment, and the effectiveness of the IDS/IPS depends on interactive alerts tuning and data analysis techniques. IPS contains all the detection features of IDS (attack signature detection), in addition to vulnerability-based signatures and non-signature detection capabilities.

While larger companies may have an extensive deployment of both network and host based IDS/IPS infrastructure, smaller organizations can get away with providing host based IDS/IPS on its critical hosts and possibly looking to getting a service provider to manage and monitor a network based IDS/IPS solution.

Two primary considerations to consider prior to purchasing:

Which one to choose IDS? IPS? Or a combination of both?
Where to place in your IDS/IPS in your network?

IDS product typically operates do not interfere with production traffic, though it requires manual action to analyze and stop an intrusion. IPS typically installs inline on the network and can automatically detect and block intrusion. However due to the high false positive rate, caution needs to be taken for deploying IPS on critical networks. Some vendors offer (Sourcefire, Tippingpoint) appliances that can operate in both IDS and IPS mode. For small to midsize organizations I would recommend deploying IDS on their critical host and possibly getting a networks based IPS location on the network perimeter.

Where in the network do you deploy IDS/IPS?

Do you just deploy a host based IDS (HIDS) or go with network based IDS (NIDS)? Network Intrusion Detection System (NIDS) monitors network traffic by aggregating network traffic, versus Host Intrusion Detection System (HIDS) is installed on the individual host as part of the end-point-security. Obviously a deployment strategy that involves both is best as it provides you visibility to both network data and host data for correlation. For large companies the cost justification for a combination of both HIDS and NIDS is relatively easy; however for small to midsize organizations it’s not that simple. For smaller organizations I would advise going with just HIDS and start by deploying first on your most critical host.

During the last year we have seen many suppliers announce 10Gbps IPS products. Sales of these products make up a very small percentage of the market and are really not the target for small to mid size organization; they are the target of government and large enterprise.

The creation of custom signatures by users is increasing albeit at a slow rate primarily required for custom applications or unusual protocols. Rate-limiting capabilities are a standard in most IPS products. Some also have quality of service (QoS) that goes beyond basic external QoS tags and can prioritize bandwidth based on security criteria or protocol type. DLP has also popped up as a niche feature but is limited to searching on credit card and Social Security numbers. The primary selection criteria beyond throughput and signature quality that small to midsize organizations should focus in on is ease of deploying in-line and ease of administration.

Where is your money best spent?

Start small! Focus in on your critical network devices and client host and start there. One of the biggest challenges for large and small companies who deploy IDS/IPS initially is dealing with the alerts and false positives that require tuning the system to focus in on the real threats. Most companies would be best served by starting small and growing the deployment based on a growing IT environment and an organizations requirement to reduce the risk of intrusions.