FireBreak is not an Intrusion Detection System (IDS).

The FireBreak Intrusion Suppression System employes uniquely effective anti-worm technology that fills a void left by IDS and IPS systems. It bridges the gap between the release of a new worm and the release of the updated definition files for your IDS or IPS system.

What is IDS?

Intrusion Detection Systems (IDS) monitor network packet flows by listening to all the traffic on a given network link. IDS sensors are typically dedicated high-bandwidth systems, but IDS sensors may also reside on a variety of other systems. For example firewalls or antivirus products might be equipped to feed data to an IDS system.

Hardening Internal Networks against Worms

left drop quote

At best, an IDS can notify administrators of the presence of a problem after that problem has occurred - which may or may not be useful. right drop quote

--Kerry Thompson (LOOP August 2, 2004)

How does IDS help stop worms?

Intrusion Detection Systems attempt to identify patterns in network activity which indicate malicious access attempts called "cracking" or "hacking." IDS provide an important part of a defense-in-depth strategy, allowing suspicious activity to be detected even if it originates inside your network. However, IDS are not particularly effective at combatting the spread of a modern worm or bot.

Layered Defense graphic

How effective is IDS in the battle to stop worms?

IDS systems cannot always distinguish legitimate activity from malicious activity, and must typically be "tuned" to reduce the number of false positive indications of cracking activity. Tuning also reduces their sensitivity, allowing some malicious activity to pass unnoticed, to "slip in under the radar."

Although some IDS systems are able to detect certain types of worm activity, they typically also rely on "signatures" which identify the pattern of activity of a particular worm, and therefore they may not recognize a new worm until new definitions are developed and deployed to the distributed IDS system.

IDS systems are typically passive monitoring systems, and don't actively impede the spread of a worm.

Finally, IDS systems listen to every packet on your network, and generate a tremendous amount of alert data, even when "properly tuned". The sheer volume of the alert data -- including many false positives -- makes it difficult to deploy and expensive to manage IDS systems on a large network. Rollout of an IDS system can take many months.