Windows to Linux Migration Toolkit

Understanding the differences between the various types of IDSs and their features is crucial when designing a security architecture. Let's look at some of the most common terminology in the IDS field, and make sure we understand all the options available.
An IDS that not only detects a possible attack, but also responds to prevent the attack from being successful. This response can be anything from creating firewall rules to black-hole the attacker, to killing the offending process (when dealing with a Host IPS), to dropping the offending traffic (when dealing with a Network IPS).
An IDS that sits at the bottleneck between your network and the Internet (or whatever peering upstream you may be connected to). Also known as an inline IDS, all traffic must pass through this gateway to leave your local network. This may also function as an IPS if it includes the capability to make decisions about whether traffic should be allowed.
The method of intrusion detection where one establishes a baseline of normal network traffic, and then looks for deviations from that norm and flags them as possible attack traffic.
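The baseline-and-deviation approach described above, as an added example that is not from the original text: it learns per-port connection counts from a training window and flags minutes that deviate from that norm. The function names, the z-score threshold and the sample traffic are all assumptions constructed for illustration.

```python
import math

def build_baseline(training_minutes):
    """Learn (mean, stddev) of connections per minute for each destination port.
    training_minutes: list of {port: connection_count}, one dict per minute."""
    n = len(training_minutes)
    ports = {p for minute in training_minutes for p in minute}
    baseline = {}
    for port in ports:
        counts = [minute.get(port, 0) for minute in training_minutes]
        mean = sum(counts) / n
        variance = sum((c - mean) ** 2 for c in counts) / n
        baseline[port] = (mean, math.sqrt(variance))
    return baseline

def score_minute(baseline, minute, z_threshold=3.0, min_std=1.0):
    """Return (port, count, reason) for every deviation from the baseline."""
    alerts = []
    for port, count in sorted(minute.items()):
        if port not in baseline:
            # Traffic the baseline never saw is a deviation by definition.
            alerts.append((port, count, "port absent from baseline"))
            continue
        mean, std = baseline[port]
        # Floor the stddev so a perfectly flat baseline cannot divide by zero
        # or turn a one-connection change into an alert.
        z = (count - mean) / max(std, min_std)
        if abs(z) > z_threshold:
            alerts.append((port, count, f"z-score {z:.1f} from baseline"))
    return alerts

# Constructed sample data: five "normal" training minutes.
TRAINING = [
    {80: 40, 443: 120, 53: 30},
    {80: 44, 443: 115, 53: 28},
    {80: 38, 443: 125, 53: 33},
    {80: 42, 443: 118, 53: 31},
    {80: 41, 443: 122, 53: 29},
]
# Constructed observations: normal, a DNS burst, a previously unseen port.
OBSERVED = [
    {80: 43, 443: 119, 53: 30},
    {80: 41, 443: 121, 53: 400},
    {80: 39, 443: 117, 53: 31, 8081: 5},
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for i, minute in enumerate(OBSERVED):
        print(i, score_minute(baseline, minute))
```

The quality of the alerts depends entirely on the training window: if it already contains attack traffic, that traffic becomes part of the norm and will not be flagged.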
The method of intrusion detection where one looks at the flow of data within the specifications of each protocol, looking for anomalies and possible malicious traffic based on the expected protocol behavior.
A new flavor of IDSs specifically aimed at what is actually on...