
What is the difference between IDS and IPS

2025-04-04 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report --

This article mainly explains the difference between IDS and IPS. Interested readers may wish to have a look; the method introduced here is simple, fast and practical. Now let the editor take you through "what is the difference between IDS and IPS".

1. Intrusion Detection System (IDS)

IDS is the abbreviation of "Intrusion Detection System". Professionally speaking, it monitors the operation of the network and system in accordance with a defined security policy and discovers, as far as possible, all kinds of intrusion attempts, intrusion behaviors and intrusion results, in order to ensure the confidentiality, integrity and availability of network system resources.

Let's make an analogy: if the firewall is the door lock of a building, then the IDS is the surveillance system inside that building. Once a thief enters the building, or an insider crosses the line, only a real-time surveillance system can detect the situation and issue a warning.

Unlike a firewall, an IDS is a bypass monitoring device: it does not need to be inserted into any link and works without network traffic flowing through it. Therefore, the only deployment requirement is that the IDS be attached to a link through which all traffic of interest must flow. Here, "traffic of interest" means access traffic from high-risk network areas and the network messages that need to be counted and monitored.

Generally speaking, the IDS should be placed in the switched network as close as possible to the attack source and to the protected resource.

These locations are usually:

On the switch in the server area

On the first switch behind the Internet access router

On the LAN switch of the network segment that needs the most protection

2. Intrusion Prevention System (IPS)

IPS is the abbreviation of "Intrusion Prevention System".

With the continuous improvement of network technology and the continuous discovery of network security vulnerabilities, traditional firewall technology plus traditional IDS technology can no longer deal with some security threats. IPS technology emerged in this situation. IPS technology can sense and inspect the data flow in depth, discard malicious packets to block attacks, and rate-limit abused packets to protect network bandwidth resources.

For an IPS deployed on the data forwarding path, each packet can be inspected in depth (protocol analysis and tracking, feature matching, traffic statistical analysis, event correlation analysis, etc.) according to the pre-set security policy. If an attack hidden in the network traffic is found, defensive measures can be taken immediately according to the threat level of the attack. These measures are, in order of increasing strength: alarm to the management center; discard the packet; cut off the application session; cut off the TCP connection.
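As an added example (not code from the article), the following constructed Python simulation contrasts the bypass IDS of section 1 with the inline IPS described above: both run the same feature matching, but only the inline engine can apply the graded responses by threat level, while the bypass engine can do no more than alarm. All signatures, packets and session ids are made up.

```python
"""Constructed simulation: an IDS on a bypass/tap sees a copy of traffic and can only
alarm; an inline IPS on the forwarding path applies the article's graded responses."""
from dataclasses import dataclass, field

# Graded responses, weakest to strongest, as the article lists them.
RESPONSE_BY_LEVEL = {1: "alarm", 2: "drop", 3: "cut_session", 4: "cut_tcp"}

# Hypothetical signatures: byte pattern -> threat level (1 = low .. 4 = critical).
SIGNATURES = {b"scanner/1.0": 1, b"' OR 1=1": 2, b"/etc/passwd": 3, b"<MALWARE_MARKER>": 4}

@dataclass
class Packet:
    src: str
    session: str      # hypothetical application-session id the packet belongs to
    payload: bytes

def classify(pkt):
    """Feature matching: highest threat level of any matching signature, 0 if clean."""
    return max((lvl for sig, lvl in SIGNATURES.items() if sig in pkt.payload), default=0)

@dataclass
class Engine:
    inline: bool                                  # True = IPS in series, False = IDS on a tap
    alerts: list = field(default_factory=list)    # what the management center receives
    cut_sessions: set = field(default_factory=set)

    def process(self, pkt):
        """Return (forwarded, action). An IDS never holds the packet, so it always forwards."""
        if self.inline and pkt.session in self.cut_sessions:
            return False, "cut_session"           # session already cut: nothing more passes
        level = classify(pkt)
        if level == 0:
            return True, None
        self.alerts.append((pkt.src, pkt.session, level))
        if not self.inline:
            return True, "alarm"                  # bypass monitoring: alarm is the only option
        action = RESPONSE_BY_LEVEL[level]
        if action in ("cut_session", "cut_tcp"):
            self.cut_sessions.add(pkt.session)
        return False, action

def run_demo():
    """Same constructed packet stream through an IDS and an IPS; returns both verdict lists."""
    packets = [Packet("10.0.0.5", "s1", b"GET /index.html"),
               Packet("10.0.0.5", "s1", b"GET /?id=' OR 1=1"),
               Packet("10.0.0.7", "s2", b"GET /../../etc/passwd"),
               Packet("10.0.0.7", "s2", b"GET /index.html")]   # follows a cut session
    ids, ips = Engine(inline=False), Engine(inline=True)
    return [ids.process(p) for p in packets], [ips.process(p) for p in packets]
```

Note that the last packet is clean, yet the inline engine still refuses it because its session was already cut; the bypass engine forwards it, having never been in the path at all.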

From the above analysis we can conclude that an office network needs to deploy IPS in at least the following areas: the connection between the office network and the external network (entrance / exit); the front end of important server clusters; and the internal access layer of the office network. Other areas can be covered as appropriate, according to the actual situation and their degree of importance.

3. The difference and choice between IPS and IDS

For starters, an IPS is a device located between the firewall and the devices on the network. In this way, if an attack is detected, the IPS blocks the malicious communication before it spreads to other parts of the network. The IDS only exists outside your network to play the role of an alarm; it does not sit in front of your network to play a defensive role.

The way an IPS detects attacks is also different from that of an IDS. Generally speaking, IPS systems rely on inspection of data packets. The IPS examines incoming packets, determines the true purpose of those packets, and then decides whether to allow them into your network.

At present, both professionals and ordinary users in the information security industry consider intrusion detection systems and intrusion prevention systems to be two different kinds of products, and there is no expectation that the intrusion prevention system will replace the intrusion detection system. However, the emergence of intrusion prevention products has brought new confusion to users: under what circumstances should we choose intrusion detection products, and when should we choose intrusion prevention products?

From the point of view of product value: the intrusion detection system focuses on the supervision of network security, while the intrusion prevention system is concerned with the control of behavior. Unlike the security policies that firewall products and intrusion detection products can implement, intrusion prevention systems can implement in-depth defense security policies, that is, they can detect and block at the application layer, which firewalls cannot do and, of course, intrusion detection products cannot do either.

From the perspective of product application: in order to achieve comprehensive detection of network security, the intrusion detection system needs to be deployed at a central point of the network where all network data can be observed. If the information system contains multiple logically isolated subnets, a distributed deployment is needed across the entire information system, that is, an intrusion detection and analysis engine is deployed in each subnet, and policy management and event analysis for all engines are carried out centrally, so that the security status of the entire information system can be controlled.

In order to achieve external defense, the intrusion prevention system needs to be deployed at the edge of the network. In this way, all external data must pass through the intrusion prevention system in series; the system analyzes the network data in real time and immediately blocks any attack behavior it finds, ensuring that attack data from the outside cannot enter the network through the network boundary.

The core value of the intrusion detection system (IDS) is to understand the security status of the information system through the collection and analysis of information from the whole network, and then to guide the establishment and adjustment of the information system's security construction goals and security policy. The core value of the intrusion prevention system (IPS) lies in the in-depth analysis of data and the enforcement of the security policy. The intrusion detection system needs to be deployed inside the network, and its monitoring scope can cover the entire subnet, including data from external sources and data transferred between internal terminals. The intrusion prevention system must be deployed at the network boundary to resist external attacks, and can do nothing about internal attack behavior.

An IPS can be understood as a deep firewall.

At this point, I believe you have a deeper understanding of "what is the difference between IDS and IPS". You might as well try it out in practice. More related content can be found in the relevant channels of this website; follow us and keep learning!


© 2024 shulou.com SLNews company. All rights reserved.
