MVP Article of the Month

Network Perimeter Detection and Protection with IDS and IPS

Protecting today’s network is no easy job. Every day you read about the latest worm, virus, hack, and exploit aimed at disabling servers, blocking Internet access, destroying data, and stealing proprietary company and customer information. How can we possibly keep up with these threats and still perform our jobs of installing, maintaining, and optimizing computer systems and networks to improve the corporate bottom line?

One approach to staying on top of things is to use an Intrusion Detection System (IDS) and Intrusion Protection System (IPS) devices throughout the network. An IDS and IPS-enabled devices can detect and prevent malicious code and commands from successfully compromising workstations, servers, and network connectivity.

An IDS is a device or agent that passively listens to traffic arriving and moving through the firewalls, routers, and switches, and to traffic terminating at workstations and servers. An IDS can use a number of methods based on signatures, pattern matching, or heuristics to determine what are “good” and what are “bad” communications. When the IDS detects a “bad” communication, an alert can be logged and sent to a database, a pager, an e-mail address, or a mobile phone. The network, firewall, or security administrator can then review the nature of the events triggering the alert.

In contrast to the passive nature of an IDS, an IPS takes intrusion detection to the next level. The IPS takes action based on the type of “bad” communications it detects. The IPS can stop the dangerous communication, contain it, throttle it, and even fight back against the perceived attacker.

The future of IPS and IDS devices is likely to be wrapped up in what has been termed Unified Threat Management (UTM) devices. UTM devices can be placed at multiple network perimeters to help protect workstations and servers from both known and unknown attacks. Microsoft Internet Security and Acceleration (ISA) Server 2004 is a good example of a UTM. The ISA Server firewall can detect multiple attacks right out of the box and can be easily enhanced with additional software designed to work with ISA Server to make it a formidable IPS and IPS UTM box. Third-party IDS and IPS UTM devices also support host-based agents that can extend this protection at the host level.

Regardless of the implementation, no network security professional can ignore the importance and impact of the evolving IDS/IPS scene. IDS/IPS systems are increasingly mission-critical components in your in-depth defense strategy.

Dr. Thomas W. Shinder is a 10-year computer industry veteran who's worked as a trainer, a writer, and a consultant for major entities, including Microsoft, FINA Oil, Lucent Technologies, Maersk Sealand, and the U.S. federal government. Shinder is an active member of the Microsoft security community, and his efforts have earned him the standing of Microsoft MVP. Check out more of Shinder's work at