Meet Kelly, our golden retriever/yellow labrador retriever mix. From a distance, she looks cute and fluffy like a dog who loves to play frisbee. Once you have come within the area she deems as hers or you approach too closely to her pack, she will let you know. Kelly also does a great job letting us know if someone is dropping off a delivery or when the trash is being picked up. She serves as our intrusion prevention and intrusion detection system.
In the cyber world, we have two concepts: intrusion prevention systems (IPS) and intrusion detection systems (IDS). Some systems use an IPS, an IDS, or a combination of the two, like we have in Kelly. There are reasons for wanting one over the other, and it all depends on the system being protected.
Kelly acts as an IPS when we are hiking as a pack. She has what she feels is an acceptable distance between her pack and everyone else. When someone starts approaching the edge of that distance, she prevents them from advancing further. She achieves this by taking an aggressive stance, raising her hackles, and rolling a deep, low growl. No one seems to want to test her on this point. (We try not to let things get to this point, by stepping off the path well before anyone gets that close to us on a trail. Remember risk mitigation?) An IPS is intended to keep unauthorized users from accessing a system.
An IDS sends an alert when an unauthorized user accesses the system. It does not prevent the intrusion, but signals that one has occurred. For some systems, it is impractical or unnecessary to prevent all unauthorized access, but such access does need to be noted. This is what the IDS does. The IDS allows unsanctioned access, but sends a notification and tracks the user's activities closely. On Day 44, Honeypot Ada was introduced. She works nicely here. A honeypot will keep an intruder busy while the system defenders investigate and possibly trace them back.
There are some systems where a combination of IPS and IDS is preferred. In these systems, the IPS reduces the likelihood of someone gaining access to the system. If they manage to do so anyway, an alert is sent to notify the defense team (blue team) that an uninvited guest has arrived. If the team has deployed a honeypot, this will buy them time to track their visitor. This is a more robust option, but it requires much more effort and coordination to set up and maintain, and it is also more expensive. (Back to the constant trade-offs we face in cybersecurity.)
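To make the difference between the three setups concrete, here is a small added example (my own illustration, not code from the original post): a toy rule engine that runs the same detection rules over a handful of constructed connection records in IDS mode (alert only, traffic passes), in IPS mode (block on high-confidence matches, nothing else is reported), and in the combined mode described above (block what the IPS can, alert on the rest, and steer the suspicious visitor to a honeypot). The rule names, the sample events and the `honeypot.internal` host are all made up for the demonstration.

```python
"""Added example: IDS vs IPS vs combined mode on constructed sample events."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    src: str        # source address
    dst_port: int   # destination port
    payload: str    # first bytes of the request, already decoded


@dataclass(frozen=True)
class Decision:
    action: str                      # "allow", "alert", or "block"
    rule: Optional[str] = None       # which rule fired, if any
    redirect: Optional[str] = None   # honeypot destination, if any


Rule = tuple[str, Callable[[Event], bool]]

# High-confidence signatures (hypothetical): the IPS blocks these outright.
PREVENT_RULES: list[Rule] = [
    ("ssh-from-outside", lambda e: e.dst_port == 22 and not e.src.startswith("10.")),
    ("path-traversal", lambda e: "../" in e.payload),
]

# Lower-confidence heuristics (hypothetical): worth an alert, not worth blocking.
DETECT_RULES: list[Rule] = [
    ("admin-path-probe", lambda e: e.dst_port == 80 and "/admin" in e.payload),
]


def first_match(rules: list[Rule], event: Event) -> Optional[str]:
    """Return the name of the first rule whose predicate matches, else None."""
    for name, predicate in rules:
        if predicate(event):
            return name
    return None


def ids(event: Event) -> Decision:
    """IDS: never blocks; raises an alert when any rule in either set matches."""
    rule = first_match(PREVENT_RULES + DETECT_RULES, event)
    return Decision("alert" if rule else "allow", rule)


def ips(event: Event) -> Decision:
    """IPS: blocks on the high-confidence set; everything else passes silently."""
    rule = first_match(PREVENT_RULES, event)
    return Decision("block" if rule else "allow", rule)


def combined(event: Event, honeypot: str = "honeypot.internal") -> Decision:
    """IPS first; what gets past it is still watched by the IDS rules, and a
    suspicious-but-not-blocked visitor is steered to the honeypot."""
    rule = first_match(PREVENT_RULES, event)
    if rule:
        return Decision("block", rule)
    rule = first_match(DETECT_RULES, event)
    if rule:
        return Decision("alert", rule, redirect=honeypot)
    return Decision("allow")


# Constructed sample traffic: 10.0.0.0/8 is "the pack", everything else is outside.
SAMPLE_EVENTS = [
    Event("10.0.0.5", 22, "SSH-2.0-OpenSSH_9.6"),                   # internal admin
    Event("203.0.113.9", 22, "SSH-2.0-OpenSSH_9.6"),                # outside SSH attempt
    Event("203.0.113.9", 80, "GET /admin/login HTTP/1.1"),          # poking at /admin
    Event("198.51.100.4", 80, "GET /static/../../etc/passwd HTTP/1.1"),  # traversal
    Event("10.0.0.7", 80, "GET /index.html HTTP/1.1"),              # ordinary visit
]


def summarize(mode: Callable[[Event], Decision]) -> dict[str, int]:
    """Count how many sample events each mode allows, alerts on, or blocks."""
    counts = {"allow": 0, "alert": 0, "block": 0}
    for event in SAMPLE_EVENTS:
        counts[mode(event).action] += 1
    return counts


if __name__ == "__main__":
    for mode in (ids, ips, combined):
        print(f"{mode.__name__:9s} {summarize(mode)}")
```

Run as a script it prints one line per mode. The IDS reports three of the five events but lets all of them through; the IPS stops the two high-confidence matches and says nothing about the `/admin` probe; the combined mode blocks the same two, alerts on the probe, and sends that visitor to the honeypot so the blue team can watch them, which is exactly the extra coordination (two rule sets, a honeypot, an alerting path) that makes the combined setup more work to run.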