
Understanding IDS, IPS, and UTM: Differences and Deployment Considerations

The article explains the fundamental differences between intrusion detection systems (IDS), intrusion prevention systems (IPS), and unified threat management (UTM) devices, covering their detection methods, placement strategies, operational trade‑offs, and maintenance requirements to help security professionals choose and manage the appropriate solution.

Architects Research Society

In our last webcast we explored the legacy issues behind the crazy acronyms IDS and IPS and how they compare with the software modules found in UTM devices. Everyone likes primers and simple descriptive definitions, so let’s think through them together.

IDS

An Intrusion Detection System (IDS) is the most obvious way to detect unwanted activity; it relies on signatures and other detection methods supplied by vendors. What it looks for varies from network to network but generally includes unusual traffic—traffic you do not want on the network, whether that is a policy or abuse issue (IM, gaming, etc.) or the latest malware.

As in real estate, location, location, location matters—not the rack position, but the part of the network the IDS monitors. Monitoring the ingress/egress points shows inbound and outbound traffic (after firewall policy approval) but may not reveal traffic between remote offices and core components.

You generally do not want to inspect traffic on the firewall’s public side. Monitoring all traffic on internal switches (LAN or DMZ) lets the IDS see user activity or key servers, but it will miss what happens elsewhere in the network. Unless you have unlimited resources, you cannot monitor everything, so the key decision is which traffic is most important and which subnet provides the best visibility.

IDS can passively monitor multiple subnets and see traffic that IPS or UTM never sees, such as traffic that stays entirely within the LAN or DMZ. Consequently, an IDS can alert on a desktop attacking another desktop on the LAN—something an inline IPS or UTM would miss.

IPS vs. IDS

IPS (Intrusion Prevention Sensor) is essentially an IDS that can act inline on current traffic. This sounds great, and it mostly is. Because IPS and UTM devices must be inline, they only see traffic crossing the boundary of the protected zone. When a signature matches, an IPS can immediately drop or reset the connection, shun the source, or run a custom script. The flip side is that if an IPS discards legitimate traffic, the security team may be held responsible for the resulting revenue loss. Used for what distinguishes it from an IDS, inline action on signatures you understand well, an IPS can be an excellent tool.

Ensure your IPS can “fail open”; if any part of the appliance fails—even the chassis losing power—the device should continue passing traffic. No one wants a brick that blocks data flow.

Only a small fraction of signatures should be allowed to take action on traffic. To reduce false positives, define a very clear protected scope (your home network or segment) so that directional signatures are effective. Plan to spend considerable time reviewing alerts and event output to confirm that actionable signatures behave as expected. Reviewing each signature update for the vendor‑chosen actionable signatures and their impact on your traffic yields the best results, especially in environments where firewalls are not “open” between segments.
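The point about a clearly defined protected scope is easiest to see with a directional rule. The following is an added example and not code from the original article or from any IDS vendor: it models a simplified Snort/Suricata‑style rule header (`$EXTERNAL_NET any -> $HOME_NET 445`) and evaluates it against a handful of constructed flow records. With a precise HOME_NET the rule fires only on the inbound connection; with HOME_NET left as `any` (and, as in a common loose configuration, EXTERNAL_NET therefore also `any`), the same rule also fires on internal‑to‑internal and outbound SMB, which is exactly the noise that makes actionable signatures dangerous. The rule syntax model, the addresses and the flows are all assumptions made for the example.

```python
"""Directional signature evaluation against a tight vs. a vague HOME_NET.

Added example (not from the original article). Models a subset of
Snort/Suricata rule headers of the form
    alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"...";)
and counts how often the rule would fire over constructed flows.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class RuleHeader:
    src_net: str   # "$HOME_NET", "$EXTERNAL_NET" or "any"
    sport: str     # port number or "any"
    dst_net: str
    dport: str
    msg: str


def parse_header(rule: str) -> RuleHeader:
    """Parse the header of a unidirectional rule; options are only used for msg."""
    head, _, opts = rule.partition("(")
    action, proto, src, sport, arrow, dst, dport = head.split()[:7]
    if arrow != "->":
        raise ValueError("only unidirectional (->) rules are modelled here")
    msg = opts.split('msg:"', 1)[1].split('"', 1)[0] if 'msg:"' in opts else rule
    return RuleHeader(src, sport, dst, dport, msg)


def _addr_matches(var: str, addr: str, home_nets: List[str]) -> bool:
    """Resolve $HOME_NET / $EXTERNAL_NET / any for one address.

    An empty home_nets list models HOME_NET = any; in that loose configuration
    EXTERNAL_NET is modelled as any as well (assumption for this example).
    """
    if var == "any":
        return True
    if not home_nets:
        return True
    ip = ipaddress.ip_address(addr)
    in_home = any(ip in ipaddress.ip_network(n) for n in home_nets)
    if var == "$HOME_NET":
        return in_home
    if var == "$EXTERNAL_NET":
        return not in_home
    raise ValueError(f"unknown address variable {var}")


def _port_matches(var: str, port: int) -> bool:
    return var == "any" or int(var) == port


def rule_matches(rule: RuleHeader, flow: Flow, home_nets: List[str]) -> bool:
    return (_addr_matches(rule.src_net, flow.src, home_nets)
            and _port_matches(rule.sport, flow.sport)
            and _addr_matches(rule.dst_net, flow.dst, home_nets)
            and _port_matches(rule.dport, flow.dport))


def count_alerts(rule_text: str, flows: Iterable[Flow], home_nets: List[str]) -> int:
    """Number of flows on which the rule would raise an alert (or take action)."""
    rule = parse_header(rule_text)
    return sum(rule_matches(rule, f, home_nets) for f in flows)


# Constructed flows for the example; not taken from any real capture.
FLOWS = [
    Flow("203.0.113.10", 51000, "10.0.1.20", 445),   # internet -> internal file server
    Flow("10.0.1.20", 445, "203.0.113.10", 51000),   # the server's reply
    Flow("10.0.1.5", 49000, "10.0.1.20", 445),       # desktop -> server, stays on the LAN
    Flow("10.0.1.7", 49500, "198.51.100.9", 445),    # internal host -> internet
]
RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB connection from outside";)'

if __name__ == "__main__":
    print("tight HOME_NET (10.0.0.0/8):", count_alerts(RULE, FLOWS, ["10.0.0.0/8"]))
    print("HOME_NET = any:             ", count_alerts(RULE, FLOWS, []))
```

Run with a tight HOME_NET the rule fires once, on the genuinely inbound connection; with HOME_NET left as `any` it fires three times, including on LAN‑internal and outbound SMB. Had that rule been set to drop, the vague scope would have blocked legitimate internal file sharing.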

Software‑Based Modules in UTM Devices

This brings us to the software‑based modules inside Unified Threat Management (UTM) devices. The key point about these devices is their limitation: they can only be placed where the UTM itself resides, typically at the Internet gateway or the access‑control point between LAN and DMZ. In this position, the UTM cannot see all system‑to‑system traffic inside the DMZ or LAN, only traffic that traverses that segment.

Moreover, a UTM is not a dedicated platform, so it tends to have higher false‑positive rates (though this is improving). Under high CPU or memory utilization it will disable software modules to preserve the device’s primary firewall function; this alone is a strong argument for requesting dedicated devices. If a UTM is what you have, it is still better than having no IDS at all. Ask your vendor to confirm that traffic is inspected after firewall policy has been applied, and configure alerting so you are notified immediately if the device enters a protective mode that disables modules or shows sustained high resource usage.
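Because a UTM sheds its inspection modules silently under load, the two conditions worth alerting on are a module disappearing from the running set and CPU staying above a threshold for several consecutive samples. The script below is an added example and not code from the original article or from any UTM vendor; it parses constructed health log lines in a made‑up `cpu=.. mem=.. modules=..` format (real appliances each have their own syslog format, so the regex is an assumption you would adapt) and raises one alert on the module drop and one when the CPU breach becomes sustained rather than on every sample.

```python
"""Detect UTM self-protection (modules disabled) and sustained resource pressure.

Added example (not from the original article). The log format is constructed
for this example; adapt LINE_RE to the appliance's real syslog output.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) health cpu=(?P<cpu>\d+) mem=(?P<mem>\d+) modules=(?P<mods>\S*)$"
)


@dataclass
class Sample:
    ts: str
    host: str
    cpu: int
    mem: int
    modules: Set[str]


def parse_line(line: str) -> Sample:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised health line: {line!r}")
    mods = {x for x in m["mods"].split(",") if x}
    return Sample(m["ts"], m["host"], int(m["cpu"]), int(m["mem"]), mods)


def analyze(lines: Iterable[str], expected_modules: Set[str],
            cpu_threshold: int = 90, sustained: int = 3) -> List[Dict[str, str]]:
    """Return alerts for modules that drop out and for sustained high CPU.

    - module_disabled: an expected module that was running (or assumed running
      at start) is absent from the current sample; fires once per drop.
    - sustained_cpu: CPU >= cpu_threshold for `sustained` consecutive samples;
      fires once per breach, not on every sample while it persists.
    """
    alerts: List[Dict[str, str]] = []
    active = set(expected_modules)   # modules believed to be running
    run = 0                          # consecutive samples at/above threshold
    fired = False                    # sustained alert already raised for this run
    for line in lines:
        s = parse_line(line)
        for mod in sorted(active - s.modules):
            alerts.append({"ts": s.ts, "kind": "module_disabled", "detail": mod})
        active = set(expected_modules) & s.modules
        if s.cpu >= cpu_threshold:
            run += 1
            if run >= sustained and not fired:
                alerts.append({"ts": s.ts, "kind": "sustained_cpu",
                               "detail": f"cpu>={cpu_threshold}% for {run} consecutive samples"})
                fired = True
        else:
            run, fired = 0, False
    return alerts


# Constructed health samples: load climbs, the IPS module is dropped, then recovers.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z utm01 health cpu=45 mem=60 modules=ips,av,web",
    "2024-05-01T10:01:00Z utm01 health cpu=91 mem=70 modules=ips,av,web",
    "2024-05-01T10:02:00Z utm01 health cpu=94 mem=72 modules=ips,av,web",
    "2024-05-01T10:03:00Z utm01 health cpu=96 mem=75 modules=av,web",
    "2024-05-01T10:04:00Z utm01 health cpu=97 mem=78 modules=av,web",
    "2024-05-01T10:05:00Z utm01 health cpu=55 mem=65 modules=ips,av,web",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LINES, {"ips", "av", "web"}):
        print(a["ts"], a["kind"], a["detail"])
```

On the constructed samples this produces two alerts, both at 10:03: the IPS module has vanished from the running set, and the CPU has been at or above 90% for three consecutive minutes. The module alert is the one that matters most, since from that point the device is a firewall only and the IDS/IPS coverage the team is relying on no longer exists.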

In Summary: Comparing IDS, IPS, and UTM

None of these three solutions is a “set‑and‑forget” device. New malware, exploits, and detection vectors appear daily. Whichever you choose, you will need to review signature events and alerts regularly, update policies, and above all manage IPS actions. Updates can be applied automatically, but they do not remove the need for human review. Set aside time each day to check your devices, disable signature groups that have no relevance in your environment, and fine‑tune the noise that remains.

None of these cautions is intended to scare you off. Inspecting the traffic in your environment is one of the best ways to understand how your network actually behaves.

Original source: https://www.alienvault.com/blogs/security-essentials/ids-ips-and-utm-whats-the-difference

Article: http://pub.intelligentx.net/ids-vs-ips-vs-utm-whats-difference

Discussion: Please join the Knowledge Planet or the Red Circle 【Chief Architect Circle】

Tags: Network Security, threat detection, IDS, IPS, UTM

Written by: Architects Research Society

A daily treasure trove for architects, expanding your view and depth. We share enterprise, business, application, data, technology, and security architecture, discuss frameworks, planning, governance, standards, and implementation, and explore emerging styles such as microservices, event‑driven, micro‑frontend, big data, data warehousing, IoT, and AI architecture.
