Every network configuration plan should include ongoing monitoring and testing of the environment. Many organizations use both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) software to assist in identifying and protecting the environment against malicious activity.
IPS software attempts to block specific activity that matches signatures of malicious behavior, while IDS logs traffic activity that can be mined for reports and alerts. In cases where a specific type of traffic can be identified (for example, all traffic from a specific geographical region), IPS can be an effective approach to completely blocking that activity from impacting a network. IDS is important for monitoring potentially malicious activity and for supporting forensic investigations that determine the origin and extent of that activity.
Both IPS and IDS need to be fine-tuned and monitored over time. When setting IPS blocking rules, careful consideration should be given to ensuring that only the intended activity is blocked and that legitimate users are not prevented from accomplishing their tasks. IDS has the potential for false positives, so care should be taken to fine-tune and monitor activity signatures, as well as to update those signatures regularly so that new vulnerabilities are detected. When the two are used together, IDS logs reveal malicious activity that can then be added to the IPS blocking rules to protect against further undesired activity.
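The detect-then-tune-then-block loop described above, as an added example that is not part of the original text: a minimal signature match over constructed log lines, with an allowlist and a hit threshold standing in for the tuning step before a source is promoted to an IPS block candidate. The signatures, log lines, addresses and allowlist are all constructed sample data.

```python
import re
from collections import Counter

# Constructed signatures (name -> pattern), the kind of thing an IDS matches on.
SIGNATURES = {
    "sqli_probe": re.compile(r"UNION\s+SELECT|'\s*OR\s+1=1", re.I),
    "path_traversal": re.compile(r"\.\./\.\./"),
}

# Constructed allowlist: an internal scanner that legitimately trips signatures.
# Tuning step 1: never promote these sources to a block rule.
ALLOWLIST = {"10.0.0.5"}

# Constructed sample access log, one "<src_ip> <request>" entry per line.
SAMPLE_LOG = """\
10.0.0.5 GET /login?user=' OR 1=1--
203.0.113.9 GET /search?q=1 UNION SELECT password FROM users
203.0.113.9 GET /files?name=../../etc/passwd
203.0.113.9 GET /search?q=x UNION SELECT 1,2,3
198.51.100.7 GET /docs/../../index.html
198.51.100.8 GET /index.html
"""


def detect(log_text):
    """IDS step: return a (src_ip, signature_name) pair for every matching line."""
    hits = []
    for line in log_text.splitlines():
        src, _, request = line.partition(" ")
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                hits.append((src, name))
    return hits


def propose_block_rules(hits, min_hits=2):
    """Tuning step 2: a source becomes an IPS block candidate only when it is
    not allowlisted and has at least min_hits alerts, so that a single false
    positive cannot lock a legitimate user out."""
    counts = Counter(src for src, _ in hits if src not in ALLOWLIST)
    return sorted(src for src, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    alerts = detect(SAMPLE_LOG)
    for src, name in alerts:
        print(f"IDS alert: {src} matched {name}")
    print("IPS block candidates:", propose_block_rules(alerts))
```

Lowering `min_hits` or emptying the allowlist shows the false-positive side of the trade-off: the internal scanner and the single-hit source would be blocked too.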
In addition to IPS and IDS monitoring, network vulnerability and penetration testing should be performed regularly, both internally and externally. Scanning address blocks can help find issues on neglected servers or alert you to new security vulnerabilities. Finding security holes early allows issues to be corrected before systems are breached.