Intrusion Detection and Prevention Systems

A multi-layered approach is key to protecting a network of any size. Many organizations are turning to both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) for their security needs.

From a high-level view, an IDS device is passive. It watches traffic inside the DMZ or firewall and matches it against pre-configured signature-based or anomaly-based rules. If it detects anything suspicious, the IDS raises an alarm to alert administrators and records the event in a database. IDS devices can detect malicious activity that firewalls typically miss, including Denial of Service (DoS), unauthorized logins, and various malware. Without tuning, IDS devices often generate numerous false positives: some harmless traffic typically gets labeled as bad, which increases management needs.

An IPS has all the capabilities of an IDS, with the added benefit of being active and able to stop suspect traffic from being transmitted. IPS devices are installed in-line between two network devices and police data as it moves from one point to another. Terminating a session and blocking IP addresses are the most common ways IPS devices protect applications and services. They are also capable of reconfiguring firewall or router security controls to deter an attack. However, because an IPS is an in-line appliance, if it fails, needs to be moved, or requires software maintenance, the link has to be disconnected, which means network downtime.

The Gigamon revolutionary GigaVUE® product suite provides a more efficient, consolidated and cost-effective method of deploying IDS and IPS devices. GigaVUE can help to maximize productivity of IDS tools and give fault-tolerant properties to in-line devices like IPS.

GigaVUE filtering technology lends its features to IDS by helping to fine-tune traffic, eliminating the many logged false-positive alarms. The aggregation and replication capabilities inherent to GigaVUE allow either one IDS to receive traffic from multiple links and SPAN/mirror ports, or a single connection to be duplicated to a group of IDS tools, maximizing dollars spent and reducing the overhead associated with device management.

With GigaVUE bypass functionality, IPS devices can easily be deployed in a fault-tolerant configuration. Once in place, the IPS can be connected, removed, powered down, or upgraded without any effect on the in-line link traffic. Bringing a link down to service an IPS, to upgrade signatures, or to move it from one segment to another is a thing of the past.

The modular construction of GigaVUE Traffic Visibility Nodes also means that different topologies, traffic rates (10/100/1000 Mbps through 10 Gbps), and multiple bypass modules can be deployed simultaneously. Get the most out of your IDS and IPS appliances by deploying them with Gigamon to ensure seamless, controlled delivery of traffic to your security devices.