Security: IDS vs. IPS Explained

To maximize security, it is important for businesses to understand the differences between IDS and IPS before choosing one or deploying both. Layered security is the key to protecting a network of any size, and for most companies that means deploying both intrusion detection systems (IDS) and intrusion prevention systems (IPS). The question is not which of the two to add to your security infrastructure; both are needed for maximum protection against malicious traffic. In fact, vendors increasingly combine IDS and IPS capabilities in a single box.

IDS vs. IPS: the basics

At its most basic, an IDS is passive: it watches copies of packets delivered to a monitoring port (a switch SPAN or mirror port, or a network tap), compares the traffic to configured rules, and raises an alarm when it sees something suspicious. Because it works from a copy of the traffic, it cannot block anything by itself. An IDS can detect several types of malicious traffic that would slip past a typical firewall, including network attacks against services, data-driven attacks on applications, host-based attacks such as unauthorized logins, and malware such as viruses, Trojan horses, and worms. Most IDS products combine several detection methods: signature-based detection (matching traffic against patterns of known attacks), anomaly-based detection (flagging deviations from a baseline of normal activity), and stateful protocol analysis (checking that a protocol exchange follows the expected sequence and stays within expected limits).

The IDS engine records the incidents logged by the IDS sensors in a database and generates the alerts it sends to the network administrator. Because an IDS gives deep visibility into network activity, it can also help pinpoint problems with an organization's security policy, document existing threats, and discourage users from violating that policy.

The primary complaint about IDS is the number of false positives it is prone to producing: some legitimate traffic is inevitably tagged as bad. The trick is tuning the device to maximize its accuracy in recognizing true threats while minimizing false positives, and that tuning is never finished; rules, thresholds, and suppressions should be revisited as new threats are discovered and as the network changes. As the technology has matured over the last several years, it has gotten better at weeding out false positives. Eliminating them completely while still maintaining strict controls is next to impossible, however, even for IPS, which some consider the next step in the evolution of IDS.
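As an added example (not code from the article or from any vendor), here is a toy passive sensor in Python that implements the three detection methods named above over a hand-built packet list, and the suppression-list tuning just described, which removes one false positive without weakening the rule for everyone else. The signature patterns, the rate threshold, the addresses and the packets are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str           # TCP flags: "S" SYN, "A" ACK, "PA" PSH+ACK (data)
    payload: bytes = b""


@dataclass
class Alert:
    ts: float
    src: str
    rule: str
    method: str          # "signature", "anomaly" or "stateful"


# 1. Signature-based detection: byte patterns known to appear in attacks.
#    These are illustrative, not real vendor signatures.
SIGNATURES = {
    "http-path-traversal": b"../../",
    "sql-injection-probe": b"' OR 1=1",
}
# 2. Anomaly-based detection: baseline of a normal connection rate. Reaching
#    SYN_THRESHOLD new connections from one source within WINDOW seconds is
#    treated as a scan or flood. (Assumed values for the example.)
SYN_THRESHOLD = 5
WINDOW = 2.0


class Sensor:
    def __init__(self, suppress=None):
        # Tuning knob: (src, rule) pairs never alerted on, e.g. an authorised
        # vulnerability scanner that legitimately sends attack strings.
        self.suppress = set(suppress or [])
        self.syn_times = defaultdict(list)   # src -> recent SYN timestamps
        self.established = set()             # (src, dst, dport) with handshake seen
        self.alerts = []

    def _alert(self, pkt, rule, method):
        if (pkt.src, rule) not in self.suppress:
            self.alerts.append(Alert(pkt.ts, pkt.src, rule, method))

    def inspect(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        # 3. Stateful protocol analysis: application data on a TCP flow whose
        #    handshake the sensor never saw violates the expected state.
        if pkt.flags == "A":
            self.established.add(key)        # simplified: final ACK = established
        elif pkt.flags == "PA" and key not in self.established:
            self._alert(pkt, "tcp-data-without-handshake", "stateful")
        # Anomaly-based: sliding window of SYNs per source.
        if pkt.flags == "S":
            recent = [t for t in self.syn_times[pkt.src] if pkt.ts - t <= WINDOW]
            recent.append(pkt.ts)
            self.syn_times[pkt.src] = recent
            if len(recent) == SYN_THRESHOLD:  # alert once, when the threshold is reached
                self._alert(pkt, "syn-rate-anomaly", "anomaly")
        # Signature-based: substring match against the payload.
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                self._alert(pkt, name, "signature")


def constructed_traffic():
    """Hand-built packets standing in for a monitoring-port capture."""
    web = "10.0.0.80"
    pkts = [  # normal client: handshake, then an ordinary GET
        Packet(0.0, "10.0.0.5", web, 80, "S"),
        Packet(0.1, "10.0.0.5", web, 80, "A"),
        Packet(0.2, "10.0.0.5", web, 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
        # attacker: handshake, then a path traversal attempt
        Packet(1.0, "198.51.100.7", web, 80, "S"),
        Packet(1.1, "198.51.100.7", web, 80, "A"),
        Packet(1.2, "198.51.100.7", web, 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    ]
    # port scanner: six SYNs to six ports within half a second
    pkts += [Packet(2.0 + i / 10, "198.51.100.9", web, 20 + i, "S") for i in range(6)]
    # data segment with no handshake (spoofed or injected mid-stream)
    pkts.append(Packet(3.0, "203.0.113.4", web, 80, "PA", b"POST /login HTTP/1.1\r\n"))
    # the organisation's own scanner sends the same traversal string: a true
    # signature match, but a false positive from the analyst's point of view
    pkts += [
        Packet(4.0, "10.0.0.250", web, 80, "S"),
        Packet(4.1, "10.0.0.250", web, 80, "A"),
        Packet(4.2, "10.0.0.250", web, 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    ]
    return pkts


def run(suppress=None):
    sensor = Sensor(suppress)
    for pkt in constructed_traffic():
        sensor.inspect(pkt)
    return sensor.alerts
```

`run()` returns four alerts, one per method plus the scanner's traversal; `run({("10.0.0.250", "http-path-traversal")})` returns three, because the suppression is scoped to that one source and rule rather than disabling the rule network-wide. Note that the sensor only ever appends to `alerts`: nothing in it can stop a packet, which is the whole difference from the inline device discussed next.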

The IPS Advantage

At its most basic, an IPS has all the features of a good IDS but can also stop malicious traffic from entering the enterprise. Unlike an IDS, an IPS sits inline with the traffic flows, so every packet passes through it and it can shut down an attempted attack as it crosses the wire. It can stop an attack by terminating the network connection or user session from which the attack originates, by blocking access to the target from the user account, IP address, or other attribute associated with the attacker, or by blocking all access to the targeted host, service, or application.

An IPS can respond to a detected threat in two other ways. It can reconfigure other security controls, such as a firewall or router, to block the attack. Some IPS products can even trigger patching of a host they find to be vulnerable. And some can alter the content of an attack rather than dropping it outright, for example deleting an infected attachment from an email before forwarding the message to the user.
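Added example, not the article's or any vendor's code: the same kind of engine placed inline, with the response actions described above (drop, session reset, source block with expiry, firewall reconfiguration, and content sanitization instead of blocking) and a mode switch that shows how identical detection behaves as an IDS versus an IPS. The two byte patterns, the mail header form, the block duration, the addresses and the traffic are constructed; the emitted nftables rule assumes an existing `inet filter` table with an `input` chain.

```python
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Verdict:
    action: str                      # "forward" or "drop"
    reasons: list = field(default_factory=list)
    payload: bytes = b""             # what actually goes out (may be sanitised)


# Detection is reduced to two illustrative byte patterns (not real
# signatures) so the focus stays on what happens after a match.
SQLI_PATTERN = b"' OR 1=1"
BAD_ATTACHMENT = b"X-Attachment: invoice.exe\r\n"   # assumed mail header form


class InlineIPS:
    """Every packet passes through process(); the returned Verdict decides
    whether, and in what form, the packet continues to its destination."""

    def __init__(self, mode="ips", block_seconds=600):
        self.mode = mode                 # "ids": alert only; "ips": enforce
        self.block_seconds = block_seconds
        self.blocked = {}                # src -> time the block expires
        self.resets = []                 # (src, dst, dport) sessions torn down
        self.firewall_rules = []         # rules pushed to an upstream filter
        self.log = []                    # (ts, src, reasons), kept in both modes

    def _shut_out(self, pkt):
        # Terminate the offending session (a real IPS sends TCP RST to both
        # ends), block the source for a while, and reconfigure another
        # control: here an nftables rule for a perimeter firewall.
        self.resets.append((pkt.src, pkt.dst, pkt.dport))
        self.blocked[pkt.src] = pkt.ts + self.block_seconds
        self.firewall_rules.append(
            f"add rule inet filter input ip saddr {pkt.src} drop")

    def process(self, pkt):
        # Expire old blocks, then refuse anything from a blocked source
        # before spending inspection effort on it.
        self.blocked = {s: t for s, t in self.blocked.items() if t > pkt.ts}
        if pkt.src in self.blocked:
            return Verdict("drop", ["source-blocked"])

        reasons = []
        if SQLI_PATTERN in pkt.payload:
            reasons.append("sql-injection")
        if BAD_ATTACHMENT in pkt.payload:
            reasons.append("bad-attachment")
        if not reasons:
            return Verdict("forward", [], pkt.payload)

        self.log.append((pkt.ts, pkt.src, reasons))
        if self.mode == "ids":
            # Same engine, passive policy: raise the alert, let it through.
            return Verdict("forward", reasons, pkt.payload)
        if reasons == ["bad-attachment"]:
            # Alter the content instead of blocking: strip the attachment
            # and forward the rest of the message.
            return Verdict("forward", reasons, pkt.payload.replace(BAD_ATTACHMENT, b""))
        self._shut_out(pkt)
        return Verdict("drop", reasons)


def constructed_traffic():
    """Hand-built packets; addresses are from documentation ranges."""
    web, mail, attacker = "10.0.0.80", "10.0.0.25", "198.51.100.7"
    return [
        Packet(0.0, "10.0.0.5", web, 80, b"GET /?id=7 HTTP/1.1\r\n"),
        Packet(1.0, attacker, web, 80, b"GET /?id=1' OR 1=1-- HTTP/1.1\r\n"),
        Packet(2.0, attacker, web, 443, b"GET / HTTP/1.1\r\n"),   # harmless, but source is blocked
        Packet(3.0, "10.0.0.6", mail, 25, b"Subject: hi\r\nX-Attachment: invoice.exe\r\nbody\r\n"),
        Packet(700.0, attacker, web, 80, b"GET / HTTP/1.1\r\n"),  # block has expired by now
    ]


def run(mode):
    ips = InlineIPS(mode)
    verdicts = [ips.process(p) for p in constructed_traffic()]
    return ips, verdicts
```

`run("ips")` drops the injection attempt, resets that session, blocks the source so its next (harmless) request is also dropped until the block expires, emits a firewall rule, and forwards the mail message with the attachment header removed. `run("ids")` logs exactly the same two detections but forwards every packet untouched. The second half of that observation is the practical caveat: in IPS mode every false positive in `log` is also a dropped packet for a legitimate user, and a block with a long expiry turns one mistaken match into a sustained outage for that source.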

Twice the Protection with IDS and IPS

Because IDS and IPS devices sit in different spots on the network, they can, and should, be used concurrently. An IPS at the network perimeter stops known attacks, such as worms and viruses, in their tracks, and with well-tuned anomaly and protocol-analysis rules it can also block some attacks for which it has no signature yet; no IPS blocks every zero-day, however, and an unknown attack that looks like normal traffic will pass. An IDS inside the firewall monitors internal activity, guarding against the ever-present insider threat, and gives greater visibility into security events, past and present.

Choosing a product that offers both IDS and IPS capabilities can be the most cost-effective and efficient approach. "With one device that does IDS and IPS, you can enable IDS on part of the network and enable IPS on a different part. It's almost a virtual device," says Sanjay Beri, senior director of product management at Juniper Networks, a network infrastructure vendor based in Sunnyvale, Calif.

IDS vs IPS: The Similarities and Differences

IDS and IPS have a great deal in common, but it is their differences that decide whether an organization deploys an IDS, an IPS, or a combined solution.

  • IDS vs. IPS similarities

Both monitor traffic, networks, and user activity across servers and devices. Both raise an alert when they detect a threat (for an IPS, alongside whatever blocking action it takes). Both can be tuned, and with anomaly-based detection baselined, to recognize suspicious user behavior and reduce false alerts. And both keep a record of what they monitored and what they did. 

  • IDS vs. IPS differences

The key differences are the higher level of protection an IPS offers, its response going beyond detection to blocking, and the cost of its false positives: when an IDS misfires the result is a spurious alert, but when an inline IPS misfires it drops legitimate traffic, and in the worst case it cuts off a service or the whole network segment it sits in front of. Being inline, the IPS is also part of the data path, so its throughput and its behavior on failure (passing traffic unfiltered or stopping it entirely) have to be planned for in a way a passive IDS never requires. 

What makes both IDS and IPS important to cybersecurity?

In a battle of IDS vs. IPS there should never be a single winner if the goal is thorough security. Organizations should consider using both together rather than choosing one over the other. Many vendors understand this and offer an intrusion detection and prevention system (IDPS) that delivers the benefits of both.

Having only one of the two capabilities cannot serve as well as having both detection and prevention, because with both the organization is equipped to identify a security breach as well as to mitigate it. Security leaders should have a clear understanding of their organization's needs before selecting an IDS, IPS, or IDPS. While we recommend a combined intrusion detection and prevention system, a security leader should also take into account the opinion of their own security department.
