Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyber attacks. Intrusion Prevention Systems (IPS) also analyze packets, but can additionally stop packet delivery based on the type of attack they detect, helping to stop the attack in progress.
How intrusion detection systems (IDS) and intrusion prevention systems (IPS) work
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. IDS/IPS compare network packets against a cyber threat database containing known signatures of computer attacks and flag any matching packet.
The main difference between them is that IDS is a monitoring system, while IPS is a control system.
IDS does not modify network packets in any way, while IPS blocks packet delivery based on packet content, much as a firewall blocks traffic based on IP address.
- Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that attackers are using a known attack pattern to infiltrate or steal data from your network. IDS compare current network activity against a known-threat database to detect certain types of behavior such as security policy violations, malware, and port scanners.
- Intrusion Prevention Systems (IPS): live in the same network area as a firewall, between the outside world and the internal network. IPS actively denies network traffic based on a security profile if a packet represents a known security threat.
Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create unified threat management (UTM) technology that combines the functions of these two similar systems into a single unit. Some systems offer IDS and IPS operation in one unit.
Differences between IDS and IPS
Both IDS and IPS read network packets and compare their content against a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that take no action on their own. IPS is a control system that accepts or rejects a packet based on its rule set.
IDS requires a person or another system to review the results and decide what action to take next, which can be a full-time job depending on the volume of network traffic generated each day. IDS makes a better post-mortem forensics tool, which a CSIRT uses as part of its investigation into security incidents.
The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It is more hands-off than an IDS, requiring only that its database be updated regularly with new threat data.
- IDS/IPS are only as effective as their cyber attack databases. Keep them up to date and be prepared to make manual adjustments when a new attack appears in the wild and/or the attack signature is not in the database.
Why IDS and IPS are critical to Internet security
Security teams face an ever-increasing threat of data breaches and compliance fines while continuing to struggle with budget constraints and corporate policy. IDS/IPS technology fulfills specific and important roles in an Internet security strategy.
- Automation: IDS/IPS systems are largely hands-off, which makes them ideal candidates for deployment in today's security stacks. IPS provides peace of mind that the network is protected from known threats with limited resource requirements.
- Compliance: Compliance often requires proving that you have invested in technologies and systems to protect data. Implementing an IDS/IPS solution checks a box on the compliance sheet and addresses a number of CIS Security controls. Most importantly, the audit logs are a valuable part of compliance investigations.
- Policy Enforcement: IDS/IPS are configurable to help enforce internal security policies at the network level. For example, if you only support one VPN, you can use IPS to block other VPN traffic.
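The following is an added example (not code from the article or from any vendor product) that shows the two behaviors described above in the "Differences between IDS and IPS" section and in the policy-enforcement bullet: a toy signature engine compares each packet against a threat database, the IDS mode only raises alerts and forwards everything, and the IPS mode drops packets that match a signature or a policy rule (here, an unapproved VPN port). The packets, signature names, and blocked-port list are all constructed for the example; the last sample packet stands in for an attack whose signature is not yet in the database and therefore passes both modes, which is the caveat about keeping the database current.

```python
"""Toy signature-based IDS/IPS engine (added example, not a vendor product).

Constructed packets, signatures and policy rules are used so the example
runs offline; none of the names below refer to a real ruleset.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes                   # byte sequence that must appear in the payload
    dst_port: Optional[int] = None   # optional port qualifier; None means any port


# Constructed "cyber threat database" of known attack signatures (hypothetical names).
SIGNATURE_DB = [
    Signature("web-sqli-union-select", b"UNION SELECT", dst_port=80),
    Signature("scanner-probe-banner", b"SCANNER-PROBE", dst_port=None),
]

# Constructed policy rule set for "we only support one VPN": block the other VPN
# protocols by destination port (assumption: the approved VPN is not in this list).
POLICY_BLOCKED_PORTS = {
    1194: "policy-unapproved-vpn-openvpn",
    1723: "policy-unapproved-vpn-pptp",
}


def match_signatures(pkt: Packet, db) -> list:
    """Return the names of every signature in db whose pattern and port match pkt."""
    hits = []
    for sig in db:
        if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
            continue
        if sig.pattern in pkt.payload:
            hits.append(sig.name)
    return hits


def ids_inspect(packets, db=SIGNATURE_DB):
    """IDS mode: alert on matches, but forward every packet unchanged."""
    alerts = [(pkt.src, name) for pkt in packets for name in match_signatures(pkt, db)]
    return alerts, list(packets)


def ips_inspect(packets, db=SIGNATURE_DB, blocked_ports=POLICY_BLOCKED_PORTS):
    """IPS mode: drop any packet that matches a signature or a policy rule."""
    forwarded, dropped = [], []
    for pkt in packets:
        reasons = match_signatures(pkt, db)
        if pkt.dst_port in blocked_ports:
            reasons.append(blocked_ports[pkt.dst_port])
        if reasons:
            dropped.append((pkt, reasons))
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic: a benign request, two known attacks, an unapproved
# VPN connection, and an attack whose signature is not yet in the database.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /item?id=1 HTTP/1.1"),
    Packet("10.0.0.6", "192.0.2.10", 80, b"GET /item?id=1 UNION SELECT a,b FROM t HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", 22, b"SCANNER-PROBE"),
    Packet("10.0.0.8", "192.0.2.11", 1194, b"\x38\x01\x02\x03"),
    Packet("10.0.0.9", "192.0.2.10", 80, b"<placeholder: attack not yet in the database>"),
]

if __name__ == "__main__":
    alerts, passed = ids_inspect(SAMPLE_PACKETS)
    print("IDS alerts:", alerts, "| forwarded:", len(passed))
    fwd, drop = ips_inspect(SAMPLE_PACKETS)
    print("IPS forwarded:", [p.src for p in fwd])
    for pkt, reasons in drop:
        print("IPS dropped", pkt.src, "->", pkt.dst, ":", reasons)
```

Running the script shows the asymmetry the article describes: the IDS produces two alerts and forwards all five packets, leaving a person or another system to act on them, while the IPS drops three packets (two signature matches and one policy violation) and forwards the rest. The placeholder packet from 10.0.0.9 passes both modes untouched, which is exactly why the signature database has to be kept current.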