
Intrusion Detection and Prevention Systems (IDPS): Best tools

An intrusion detection and prevention system monitors network traffic for signs of a potential attack. When it detects potentially harmful activity, it takes action to stop the attack. This often takes the form of dropping malicious packets, blocking traffic in the network, or resetting connections. The IDPS also usually sends an alert about the potentially malicious activity to the security administrators.

Today’s IDPS systems typically use two main approaches to determine when an attack may be occurring. Signature-based detection scans for signs of known vulnerabilities. When it detects behavior that matches an attack that has already been identified, it takes steps to stop the attack. The second technique is statistical anomaly detection. An IDPS using this technique compares current network activity with a baseline of normal activity. When it detects a deviation from that baseline, it sends out a warning or takes other preventive measures.
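The two detection approaches described above, as an added example (not code from any product covered in this article). The signature patterns, baseline samples, and events are constructed for illustration; a known pattern is dropped, while a rate far outside the learned baseline only raises an alert.

```python
import re
import statistics

# Constructed signatures (illustrative patterns, not taken from any vendor rule set).
SIGNATURES = {
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "sql-injection": re.compile(rb"(?i)union\s+select"),
}

def match_signature(payload: bytes):
    """Signature-based detection: name of the first known pattern found, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

class RateBaseline:
    """Statistical anomaly detection: compare a current rate with learned normal rates."""
    def __init__(self, samples, threshold=3.0):
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples) or 1.0  # avoid division by zero
        self.threshold = threshold

    def zscore(self, value):
        return (value - self.mean) / self.stdev

    def is_anomalous(self, value):
        return abs(self.zscore(value)) > self.threshold

def inspect(event, baseline):
    """Return (action, reason): drop on a signature hit, alert on an anomaly."""
    sig = match_signature(event["payload"])
    if sig:
        return ("drop", f"signature:{sig}")
    rate = event["conn_per_min"]
    if baseline.is_anomalous(rate):
        return ("alert", f"anomaly:z={baseline.zscore(rate):.1f}")
    return ("allow", "none")

# Constructed data: connections per minute seen from one host during normal operation.
BASELINE = RateBaseline([40, 42, 38, 45, 41, 39, 43, 44])
EVENTS = [
    {"payload": b"GET /index.html", "conn_per_min": 42},
    {"payload": b"GET /item?id=1 UNION SELECT pw FROM users", "conn_per_min": 40},
    {"payload": b"GET /index.html", "conn_per_min": 400},  # no signature, abnormal rate
]

def run():
    return [inspect(e, BASELINE) for e in EVENTS]

if __name__ == "__main__":
    for result in run():
        print(result)
```

The third event shows why the two methods are combined: it matches no signature, so only the baseline comparison flags it.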

The appliance market for network intrusion detection and prevention (IDPS) is composed of stand-alone physical and virtual appliances that inspect specified network traffic either on-site or in the cloud. They are also installed on the network to review traffic that has passed through perimeter security systems, such as firewalls, secure web gateways, and secure email gateways. IDPS devices are deployed in-line and reassemble the network traffic on a full-stream basis. They provide detection through several methods, such as signatures, protocol anomaly detection, behavioral monitoring or heuristics, integration of advanced threat defense (ATD), and threat intelligence (TI). When deployed in-line, IDPSs may also use various techniques to detect and block attacks that are identified with high confidence; this is one of the primary advantages of this technology. Next-generation IDPSs have evolved in response to advanced targeted threats that may evade first-generation IDPSs.

Intrusion Detection and Prevention Systems (IDPS) – Gartner magic quadrants

Some of the vendors or products that scored well in Gartner surveys are covered in this article.

The descriptions of some of the best IDPS tools are as follows:

Cisco Firepower NGIPS

Cisco’s Next-Generation Intrusion Prevention System is offered as software and as physical and virtual appliances, covering remote branch offices up to large enterprises, with a capacity of 50 Mbps up to 60 Mbps. NGIPS provides AMP Threat Grid integration and URL-based security intelligence, and is supported by the Talos security research team. The Firepower Management Center gives you more contextual data about your network and helps you improve your security. It displays applications, host profiles, file trajectory, sandboxing, vulnerability information, and device-level OS visibility. NGIPS receives new policy rules and signatures every two hours, so you’re always up to date on security. By separating actionable events from noise, you can use the NGIPS automation to increase operational efficiency and reduce overhead. You can also prioritize threats for your staff and enhance your security through network vulnerability-based policy recommendations. It can be deployed at the perimeter, at the distribution/core of the data center, or behind the firewall to protect mission-critical assets, guest access, and connections to the WAN. This NGIPS can also be used in the network for inline inspection or passive detection.

https://www.cisco.com/c/en/us/products/security/ngips/index.html#~stickynav=2

McAfee NSP

The McAfee Network Security Platform (NSP) is a network security and intrusion prevention solution that defends networks and data wherever they reside: in data centers, the cloud, and hybrid business environments. It can support up to 32 million connections on a single appliance, using intelligence to locate and block advanced targeted attacks on the network. It offers aggregated 40 Gbps performance; the total number of connections ranges from 40,000 on the 100 Mbps appliance to 32 million on the 40 Gbps appliance. It offers intelligent bot analytics, improved endpoint application monitoring, flow data analysis, self-learning DoS profiles, and an analytics function for identifying potentially malicious hosts.

https://www.mcafee.com/enterprise/en-us/products/network-security-platform.html

Trend Micro TippingPoint

TippingPoint detects and blocks malicious traffic, prevents lateral movement of malware, ensures network availability and resilience, and increases network performance. Because it has no IP or MAC address, it can be inserted into the network to screen out malicious and undesirable traffic effectively. Digital Vaccine security threat intelligence filters cover the entire footprint of a vulnerability, not just specific exploits. The solution offers inspection of network traffic from 250 Mbps to 120 Gbps. It can be used in large and very large businesses and has an inspection capacity of 40 Gbps in a 1U form factor, but can be stacked to produce 120 Gbps in a 3U form factor. TippingPoint solutions are provided as hardware or virtual platforms and provide real-time vulnerability protection through Automated Vaccine Threat Intelligence.

https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention.html

NSFocus NGIPS

The NSFocus Next-Generation Intrusion Prevention System (NGIPS) provides threat protection that blocks intrusions, prevents breaches, and protects your assets or resources. It uses a multi-layer approach to identify and address known, zero-day, and advanced persistent threats and to protect against ransomware, worms, spyware, back-door trojans, data theft, brute force cracking, network attacks, scanning/probing, and web threats. Many Fortune 500 enterprises, mobile providers, major financial institutions, small and medium-sized businesses, and service providers already use this product. It supports a processing capacity of up to 20 Gbps of application-layer data. The NSFocus virtual sandboxing tool can identify, evaluate, and mitigate known and advanced persistent threats. NSFocus IPS systems are available as physical and virtual machines.

Darktrace Enterprise Immune System

The Darktrace Enterprise Immune System is a machine learning and AI tool for cyber defense. It iteratively learns a particular “life pattern” for each device/system and user on a network, correlating these insights to detect new risks that may otherwise go unnoticed. Darktrace does not consider itself to be an IPS or IDPS solution, and Gartner acknowledges that this term does not suit the product. The analyst firm, however, has named it a vendor to watch in this market area. Darktrace can be deployed across all verticals in large business environments. The Darktrace vSensor collects only relevant metadata, sending 1% of network traffic to the master device. This machine learning system is available as a software and hardware appliance.

https://www.darktrace.com/en/products/enterprise/

https://www.darktrace.com/en/technology/

References:

https://www.esecurityplanet.com/products/top-intrusion-detection-prevention-systems.html#mcafee