Choosing scalable intrusion detection solutions

If you're considering adding an IDS/IPS, choosing the right one can be quite a task, especially if you expect your business and network to grow. Here's how to make the best choice.

If you think you don't need an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) because you have a firewall, think again. The purpose of a firewall is to block access to specific ports. A pure firewall has no way of determining whether traffic to a port it permits is legitimate or part of an intrusion attempt.

For example, if you allow incoming traffic access to port 80 so those outside the local network can connect to your Web server, an attacker can use port 80 to attack the Web server. An IDS can distinguish between the legitimate connections to your Web server and the attempted attack by comparing the signature of the traffic to a database of known attack signatures.


But if you’re considering adding an IDS/IPS, choosing the right one can be quite a task. There are many IDS/IPS solutions on the market, ranging from simple and free to complex and expensive. And if you’re expecting your business and network to grow over the next few years, you want to select a product that will continue to work for you as it grows. Let’s look at some factors that affect the scalability of an IDS/IPS solution.


First, you need to decide whether you want and need an Intrusion Prevention System or just an Intrusion Detection System. What’s the difference? An IDS, as its name implies, detects that an intrusion is occurring and can usually send you an alert to notify you. What you do about it is up to you. An IPS is configured to respond to an attempted intrusion without your intervention. For example, if it detects a suspected intrusion, it can automatically shut down the port that’s involved, or block all subsequent traffic from the suspect IP address.

The IPS provides for a faster reaction and thus less likelihood of damage occurring due to the intrusion. On the other hand, it can also result in disruption of legitimate network traffic in response to a "false alarm."
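To make the signature-matching idea and the IDS-versus-IPS distinction concrete, here is an added example in Python (not code from the article or from any IDS product). It assumes a tiny constructed signature database and a few constructed request lines arriving on port 80; the same sensor is run in detection-only mode and in prevention mode, and the second run shows how a "false alarm" on a legitimate CGI application also cuts off that host's unrelated traffic.

```python
import re
from dataclasses import dataclass, field
# Constructed signature database (illustrative patterns, not rules from any
# real product): signature name -> regex matched against port-80 payloads.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "cgi-bin probe": re.compile(r"/cgi-bin/"),
}

@dataclass
class Sensor:
    """Signature sensor: IDS mode only alerts; IPS mode also blocks the source."""
    prevention: bool = False
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)

    def inspect(self, src_ip, dst_port, payload):
        """Return True if the traffic is passed, False if the IPS drops it."""
        if src_ip in self.blocked:          # an earlier IPS verdict still applies
            return False
        if dst_port == 80:                  # a firewall alone passes all of this
            for name, pattern in SIGNATURES.items():
                if pattern.search(payload):
                    self.alerts.append((src_ip, name))
                    if self.prevention:
                        self.blocked.add(src_ip)
                        return False
                    break
        return True

# Constructed traffic: (source IP, destination port, request line).
TRAFFIC = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1"),
    ("198.51.100.7", 80, "GET /../../private/config.txt HTTP/1.1"),  # attack attempt
    ("198.51.100.7", 80, "GET /about.html HTTP/1.1"),       # same source, later
    ("10.0.0.9", 80, "GET /cgi-bin/calendar.pl HTTP/1.1"),  # legitimate CGI app
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH"),                    # not web traffic
]

def run(prevention):
    """Feed TRAFFIC through one sensor; return (alert names, passed payloads)."""
    sensor = Sensor(prevention=prevention)
    passed = [p for ip, port, p in TRAFFIC if sensor.inspect(ip, port, p)]
    return [name for _, name in sensor.alerts], passed

if __name__ == "__main__":
    for mode in (False, True):
        alerts, passed = run(mode)
        print("IPS" if mode else "IDS", "alerts:", alerts, "passed:", len(passed))
```

In IDS mode both alerts are raised and all five messages pass; in IPS mode only the first request survives, because the blocked-source verdict also drops the legitimate follow-up request and the SSH session from the host that triggered the false alarm.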

Open source vs. commercial

One decision you’ll be faced with is whether to implement an open source freeware IDS/IPS or buy a commercial solution. The obvious advantage of the former choice is monetary. If your business is small and the budget is tight, you might not be able to afford the best commercial IDS/IPS products. In that case, your most cost-effective solution might be to use a freeware solution now and move up to a commercial solution later, as the business and your revenues grow.

One of the most popular open source IDS/IPS options is Snort from Sourcefire. It has a large base of community support. It can do real-time traffic analysis and logging and will detect many different types of attacks, including stealth port scans, CGI attacks, OS fingerprinting, SMB probes and others. You can extend its detection capabilities through the use of plug-ins. Snort’s code is also used in some commercial IDS appliances. Snort was originally developed for UNIX/Linux but has been ported to Windows.


If you decide to use Snort, be sure to install version 2.4.3 or later, which fixes a security vulnerability recently reported in previous versions. See for more information.

Although it is a full-fledged IDS/IPS, Snort is often referred to as a "lightweight" IDS/IPS. When you’re ready to move up to a more sophisticated and robust solution, there is an abundance of commercial products available. Some of the most popular include:

  • Internet Security Systems (ISS) RealSecure Network
  • NFR Sentivist IDS and IPS appliances
  • McAfee's Entercept
  • GFI LANGuard S.E.L.M.
  • Cisco Secure IDS appliance

Some scalability-specific questions you’ll want to ask before purchasing a commercial IDS product include:

  • Is the product extensible? Can you add modules for management, reporting, etc. that may be required as the network grows?
  • For network-based IDS/IPS, are there limitations on the number of machines that can be protected?
  • Do you have to purchase additional licenses if you add machines to the network?
  • Does it work with switched LANs?

Host-based vs. network

IDS/IPS solutions are often divided into two categories: host-based (HIDS) and network-based (NIDS) systems. There are advantages and disadvantages to both. A host-based system is installed on and protects a single machine. Host-based products are usually more platform-specific (that is, they’re made to run on a particular operating system). Network-based products can protect computers on the network that run different operating systems.

A network-based IDS usually needs to be installed on a system with a network interface that runs in promiscuous mode, so that it can capture packets traversing the network that are neither sent from nor addressed to the machine on which the IDS is installed.

A host-based IDS (or agent software) must be installed on every individual computer that you want to protect. Host-based solutions tend to be superior at detecting attacks that originate on the local network (insider attacks); both types of IDS are good at detecting attacks from outside the local network.

Tripwire, which runs on Linux and is included in the Red Hat Linux package, is a popular host-based IDS. Snort, discussed earlier, is a network IDS.

It is entirely possible, and often desirable, to combine network-based and host-based IDS products as part of a multi-layered approach to intrusion detection and prevention.

As part of your scalable IDS plan, you may want to implement one type first and add the other later. If the budget is a big issue, you may want to deploy the network-based IDS first and add the host-based IDS when you can afford it. If security takes top priority, you may prefer to install the host-based IDS first since blocking intrusions at the workstation or server can provide more effective containment.

Managed intrusion detection service

We’re hearing more and more about managed services, so it should come as no surprise that companies are now offering managed intrusion detection services. ISS, in addition to making the RealSecure Network software for appliances, offers a managed IDS/IPS service.

A managed service can be a very scalable solution, since you don’t make an investment in hardware or software that you’ll later outgrow, and most service companies can easily handle the greater load as your business grows.