Need for Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)

Incident response
Intrusion management
Network security
Dear Colleagues: Can a well-configured firewall replace or be a substitute for an Intrusion Detection System/Intrusion Prevention System (IDS/IPS)? My client is currently a bank with several branches and units connected online. It currently has only a firewall but no IDS/IPS yet. What are the associated risks for having only a firewall? Please advise. Thank you.

Answer Wiki


First, as a bank, they are not in compliance with PCI requirements if they do not have an IDS system. They really need to have an IDS.

As for the first part of your question, can a well-configured firewall act as an IDS? It depends on the firewall and your IDS needs. Most firewalls include some IDS signatures, like the PIX. Checkpoint includes thousands, and you can set triggers and alarms to act as an IDS.

Personally I prefer a good Protocol Analyzer and a Laptop.

I use an older HP laptop with a promiscuous NIC, and Etherpeek NX 2.0 and a SPAN port on our CAT5000. I build custom signatures to filter out whatever traffic I want to see.

You would be surprised at how well it can work.

But for a Bank, I would use a COTS tool, like Blink, or Enterasys Dragon.

Discuss This Question: 7 Replies

  • TR1947
    Your question is equivalent to a bank asking whether they need a burglar alarm because they have a guard at the front door. Any bank without a burglar alarm would lose its insurance, no matter whether they have a guard at the front door or not. An IDS acts to detect problems when the firewall is breached or there is a problem with internal security. A firewall only defends against access problems from one source and for only a limited number of causes.
  • SteveRG
    Firewalls will control which applications to allow, but in general will not provide a good detail of what that traffic really is. Just because you only let in port 80 for web traffic does not mean that malicious traffic couldn't also arrive via port 80. 99% of all firewalls out there can't dig deep enough into the packet to determine if that traffic is abnormal. That's where a good IDS pays for itself. Not to be a posterchild, but you should look at the Juniper ISG2000. This is not only a wire speed firewall, but has an IDS blade that can be added to allow for wire-rate IDS sensing and reporting in addition to firewalling. If you don't go with an all in one unit, be prepared to draft strategies as to what actions you would take if you were alerted of malicious traffic by a good IDS. It may seem like a bit of an expense up front, but the sense of mind a Bank (or any enterprise) would get from knowing that the traffic being allowed in was clean is a definite return on investment in saved manpower.
  • Ajay42usa
    Firewalls and IDS/IDP work in different ways. Firewalls are used with a default deny all, and specific policies are created to permit valid traffic. In the case of IDS, by default all traffic is permitted except for that which matches certain signatures or anomalies. Firewalls are used when you want to restrict the traffic based on source/destination addresses and service ports, but the IDS/IDP are used to protect against known vulnerabilities in general. Though there are new products in the market that perform both functions (like the Juniper ISG series or Fortinet devices), in most organizations these products address different group requirements. In my opinion, firewalls meet the network security requirements and the IDS/IDP meets the risk control requirements. Also, most firewalls are only L2/3. Firewalls and IDP/IDS complement each other. If you want to have only firewalls, consider employing deep inspection capabilities or adding additional application (L7) firewalls.
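The contrast SteveRG and Ajay42usa draw above, worked as an added example (not code from the thread or from any vendor named in it): a firewall model that is default-deny on destination and port, and an IDS model that is default-permit but raises alerts on a payload signature or a size anomaly. The packets, the allow list and the two detection rules are constructed for this illustration; a real sensor would carry far richer signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample packets (not real traffic): one web server at 10.0.0.5.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str

# Firewall model: default deny; only explicit (destination, port) pairs pass.
# A port-based rule cannot see what the HTTP request actually contains.
FIREWALL_ALLOW = {("10.0.0.5", 80), ("10.0.0.5", 443)}

def firewall_permits(pkt):
    """Port/address filter only: anything headed to an allowed service passes."""
    return (pkt.dst, pkt.dport) in FIREWALL_ALLOW

# IDS model: default permit, alert on known-bad content or on an anomaly.
# Hypothetical rules written for this example.
IDS_SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),   # "../" in a request path
}
MAX_REQUEST_BYTES = 512                       # simple size-anomaly threshold

def ids_alerts(pkt):
    """Return the names of every IDS rule the payload trips (empty = clean)."""
    hits = [name for name, rx in IDS_SIGNATURES.items() if rx.search(pkt.payload)]
    if len(pkt.payload) > MAX_REQUEST_BYTES:
        hits.append("oversized-request")
    return hits

def inspect(traffic):
    """Per-packet verdict: (passed the firewall?, IDS alerts on what got through).
    The IDS sits behind the firewall, so it only sees permitted packets."""
    results = []
    for pkt in traffic:
        passed = firewall_permits(pkt)
        results.append((passed, ids_alerts(pkt) if passed else []))
    return results

SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", "10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", 80, "GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", 23, "login: admin"),
    Packet("203.0.113.9", "10.0.0.5", 443, "POST /login " + "A" * 600),
]
```

Running `inspect(SAMPLE_TRAFFIC)` shows the second and fourth packets pass the firewall (port 80 and 443 are allowed) yet are flagged by the IDS, while the telnet attempt never reaches the sensor at all; that is the gap the replies above describe.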
  • Layer9
    Sorry Ajay, but I need to make a couple of clarifications here. You said "Also, most firewalls are only L2/3." This is incorrect. Layer 2 filtering occurs on the local subnet, not at the perimeter. And filtering at Layer 3 would merely be an IP-based ACL. Most perimeter-based firewalls operate at Layer 4, utilizing stateful packet inspection and Layer 4 filtering. Many of these Layer 4 firewalls, like the Cisco PIX, have limited IDS capabilities. Application layer firewalls, like Checkpoint Firewall-1, filter at Layer 7, and can perform many IDS functions, including custom signatures and triggered alerts. Like I said earlier, if you're on the cheap, a good homemade IDS is a laptop with a protocol analyzer; it will work nicely, assuming you have a perimeter switch capable of SPAN. But in an environment like a bank? Only a COTS IDS would be acceptable. Chris Weber P.S. Which bank is this? I want to make sure my money's not in it, LOL.
  • Develish
    Hello DY. From your ID, can I assume your bank is somewhere in Africa? We are a small enterprise of about 200 people based in India. We recently upgraded from a SonicWall firewall-only setup to a Fortinet Firewall + IPS setup. We have found a dramatic increase in the number of blocked intrusion events which we were previously completely unaware of. Added to this, since Forti includes an anti-virus, we have found a significant decrease in viruses entering the network, and hence a reduced load on our gateway-level and server-level AV. So a short reply to your question, from the business benefit standpoint -- YES!! Go for an IPS system (not just an IDS); you will benefit tremendously. The choice of replacing existing hardware with an "all-in-one" box or adding a transparent IPS is yours. Hope this helps. Kind regards
  • Atomas
    Scary question! First, make sure you get the FW and/or IDS-IPS suppliers to provide you a demo session on their products (and fast). Sad to say, but if your customer is a bank and they rely on you, then you should be able to answer these questions. If not, make sure to hire a security specialist/consultant (and fast...). Second, any bank should not rely on their suppliers to protect themselves from intrusions/attacks: a good bank would check you closely and request reports, etc. You can read ISO17799 (but not necessarily limited to it), which can give you hints to make money with your customer if they can't manage their security themselves. I'll stop here because we could write for hours... Dan CISSP, CISA, CCSA, CCNA
  • Bobkberg
    There's not a lot I can add to the previous answers. I can tell you from experience that I like the Juniper ISG as well. One of my customers has an ISG 1000, and is purchasing an ISG 2000 with the IDS blade. Very nice product. But - to reiterate the primary point: YES, you need an IDS/IPS (although many of the latter are running in IDS mode). There are newer firewalls that are trying to incorporate IDS/IPS technology in their product. iPolicy is one, but I dislike their product for other reasons entirely, and as another poster noted, Checkpoint does a reasonable job. Good luck, Bob
