Comparison of Firewall, Intrusion Prevention, Detection and Antivirus Technologies in Organizational Network Architecture

These days I'm reading about intrusion prevention/detection systems. While reading, I got really confused on some points.

First, firewall and antivirus technologies have been known terms for years; however, now IDS is becoming popular.

My questions include:

  • In organizational network architectures, when/where do we use these systems?
  • What are the benefits of using each?
  • Does a firewall contain all these others?

If you give me some examples, it will help a lot.

Thanks.


Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS) are a rather broad topic. As such, my answer here is far from comprehensive.

The types of IDS include network and host based.

Network-based IDS, such as SNORT, analyze and log network traffic based on a set of rules. These rules would match potential vulnerabilities, thus potentially providing advance warning of attempted intrusion and forensic data after the fact.

Host-based IDS include software such as AIDE, which compares hashes of the files on the filesystem on a recurring basis. This would allow someone to monitor changes on the system and identify unauthorized changes.

Central logging could arguably be part of your host-based IDS solutions. Central logging enables control and auditing of your logs in a central place. Additionally, keeping logs in a central place minimizes exposure and allows an additional audit trail, in case a system is compromised and the logs are no longer trusted.

Packet filtering (firewalling) is a security mechanism for controlling traffic to and from your network. Firewalls are not IDS.

A well run IT infrastructure includes many of these technologies and many professionals would not consider them optional.


A few things I want to add (IMO, Warner's excellent answer already covers most of the points):

Firewalls separate your network into areas with different levels of trust:

  • Company external/internal
  • Host external/internal
  • Certain IP addresses in a whitelist/blacklist/neutral
  • ...

IDS, on the other hand, are often used to distinguish valid traffic from attacks, although they all originate from the same zone. A naive assumption that is often made by companies is that all traffic that originates from the company's LAN can be trusted. But this leads to the problem that even a small security breach, which seems to be harmless on its surface (e.g. it allows the attacker to send certain "harmless" requests from the company's web server to the LAN), can easily become a much larger problem. So IDS rather assume that the attacker is already somewhere inside the network, and look for abnormalities.

One more thing about IDS: Listening on one point of your network is often not enough! Due to the nature of switches, not every attack spreads through the entire network. So an optimal IDS would monitor (theoretically)

  1. all hosts
  2. all network traffic between any two points.

It's also useful to monitor the state of switches (to defend against attacks like port stealing).