There are numerous network security devices and tools available to aid in computer network defense, and these tools are often relied upon for protecting against increasingly sophisticated, stealthy, and damaging attacks. When acting alone, the current generation of security devices has an exceedingly difficult time providing an effective defense against such threats, and the situation is particularly grim for targeted or novel attacks.
It has been demonstrated that no single device suffices: a number of interoperable systems must be implemented to fully protect a network, a strategy known as Defense in Depth. Because of the multitude of security devices and device categories available, it can be very difficult to identify the correct tools for meeting security goals. Applying the Defense in Depth strategy requires an understanding of the interactions between devices occurring within the network.
Due to their complexity and importance to information security, two security systems, Network Intrusion Detection/Prevention Systems (NIDPS) and Security Information and Event Management systems (SIEM), will be explored in this paper. Both have multiple functionalities, including threat-detecting capabilities, and are widely considered essential tools for adequate network defense, particularly for fortifying valuable assets against an advanced threat. Understanding these systems is vital for any security operation tasked with defending significant networks.
2 Network Intrusion Detection/Prevention Systems
2.1 IDPS Definitions
Although Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have been grouped together here (IDPS), there are distinctions between them. On the most basic level, both monitor the network and try to identify malicious activity entering or traveling within it. An IDS typically inspects a copy of the traffic (from a SPAN port or a network tap) and can only raise alerts on what it finds, whereas an IPS sits inline with the traffic flow and therefore has the additional ability to block such activity automatically. The inline placement has a cost: a false positive on an IPS drops legitimate traffic rather than merely generating a spurious alert, and the sensor itself becomes a point of failure and latency in the path. Other than this, they essentially work via the same mechanism and share similar goals.
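To make the IDS/IPS distinction concrete, the following toy sensor is an added example (it is not code from this paper or from any IDPS product). It runs one signature-based detection engine over constructed sample traffic in two deployment modes: passive, where the sensor sees a copy of every packet and can only alert, and inline, where matching packets, and all later packets from a source that has already tripped the rules, are dropped. The rules, addresses and payloads are all hypothetical, constructed for the example.

```python
"""Toy signature-based NIDPS: one detection engine, two deployment modes.

Passive (IDS): the sensor sees a mirrored copy of traffic (SPAN/TAP) and can
only raise alerts; every packet still reaches its destination.
Inline (IPS): the sensor sits in the forwarding path and drops packets that
match, so detection and enforcement happen at the same point.

All signatures and packets below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    dport: int        # only inspect traffic to this service port
    pattern: bytes    # regex applied to the payload


# Hypothetical signatures (not taken from any real ruleset).
RULES = [
    Rule("web-sqli-union-select", 80, rb"(?i)union\s+select"),
    Rule("web-path-traversal", 80, rb"\.\./\.\./"),
    Rule("ssh-version-probe", 22, rb"^SSH-1\.99"),
]


class DetectionEngine:
    """Stateless signature matching plus a stateful per-source hit counter."""

    def __init__(self, rules: List[Rule], block_after: int = 2):
        self.rules = rules
        self.block_after = block_after
        self.hits: Dict[str, int] = {}

    def inspect(self, pkt: Packet) -> List[str]:
        """Return the names of all rules the packet matches and update state."""
        matched = [r.name for r in self.rules
                   if r.dport == pkt.dport and re.search(r.pattern, pkt.payload)]
        if matched:
            self.hits[pkt.src] = self.hits.get(pkt.src, 0) + 1
        return matched

    def source_is_hostile(self, src: str) -> bool:
        """True once a source has tripped signatures block_after times."""
        return self.hits.get(src, 0) >= self.block_after


def run_sensor(packets: List[Packet], inline: bool) -> Tuple[List[str], List[Packet]]:
    """Process traffic; returns (alert lines, packets that reach the destination).

    inline=False models an IDS on a tap: it alerts but everything is forwarded.
    inline=True models an IPS: matching packets, and every later packet from a
    source already judged hostile, are dropped.
    """
    engine = DetectionEngine(RULES)
    alerts: List[str] = []
    forwarded: List[Packet] = []
    for pkt in packets:
        # Check reputation before inspecting, so a source already judged
        # hostile is cut off even when its current packet looks benign.
        already_hostile = engine.source_is_hostile(pkt.src)
        matched = engine.inspect(pkt)
        for name in matched:
            alerts.append(f"{pkt.src} -> {pkt.dst}:{pkt.dport} {name}")
        drop = inline and (bool(matched) or already_hostile)
        if not drop:
            forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic: one ordinary client (10.0.0.5), one attacker (10.0.0.9).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.1.10", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /about.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.9", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),   # benign, but from a hostile source
    Packet("10.0.0.9", "10.0.1.20", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),        # does not match ssh-version-probe
]

if __name__ == "__main__":
    for inline in (False, True):
        alerts, fwd = run_sensor(SAMPLE_TRAFFIC, inline=inline)
        print("IPS" if inline else "IDS", "alerts:", len(alerts), "forwarded:", len(fwd))
        for line in alerts:
            print("  ", line)
```

In passive mode both attack packets produce alerts but all six packets are delivered; in inline mode the same two alerts are raised, the two matching packets are dropped, and the attacker's later benign-looking requests are dropped as well because the source has crossed the hit threshold. The trade-off noted above is visible in the same code: had "web-path-traversal" been a false positive, the passive sensor would have cost an analyst some time, while the inline sensor would have cut off a legitimate client.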
There are four general types of IDPS: Network-Based, Host-Based, Wireless, and Network Behavior Analysis (NBA) [NIST]. In practice, most products are either Network-Based (NIDPS) or Host-Based (HIDPS).
An HIDPS observes only a single host (in many cases a vital device such as a database server), which gives it the benefit of seeing traffic after it has been decrypted on that host and of having direct access to the machine it runs on. Wireless systems have many unique vulnerabilities, and Wireless IDPS will not be discussed in this report.
2.2 NIDPS Goals
Some vendors have begun to...