Understanding the differences between IDS and IPS


Brien M. Posey
10.11.2005

The universal presence of the Internet has completely changed networking. Networks that were once completely isolated are now connected to the world. This universal connectivity allows companies to achieve things never before imaginable. At the same time, though, there is a dark side: the Internet is a haven for cyber criminals who use that same connectivity to launch an unprecedented number of attacks against companies.

When the Internet first started to gain popularity, companies started to realize that they needed to implement firewalls in an effort to prevent attacks against them. Firewalls work by blocking unused TCP and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major weakness: You simply can't close all of the ports. Some ports are necessary for things like HTTP, SMTP and POP3 traffic. Ports corresponding to these common services must remain open in order for those services to function properly. The problem is that hackers have learned how to pass malicious traffic through ports that are commonly left open.

In response to this threat, some companies started to deploy intrusion detection systems (IDS). The idea behind an IDS is that it monitors all of the traffic that makes it through your firewall, and looks for any traffic that might be malicious. The idea sounds great in theory, but in reality, IDS systems really don't work that well for several reasons.

Early IDS systems worked by looking for any traffic that was out of the ordinary. When such traffic was detected, the activity was logged and an administrator was alerted. There are a few problems with this though. For starters, looking for abnormal traffic patterns produces a lot of false positives. After a while, the administrator becomes so annoyed with receiving constant false alerts that they start to ignore the alerts altogether.

The other major flaw in IDS systems is that they only monitor traffic. If an attack is detected, it's up to the administrator to take action. In a way this might be considered to be a good thing though. After all, since IDS systems produce a lot of false positives, would you really want them to take action against legitimate network traffic?

Over the last few years, IDS systems have evolved considerably. Today IDS systems work more like anti-virus programs. An IDS system contains a database of known attack signatures. The system constantly compares inbound traffic to the database and if an attack is detected then the IDS reports the attack.

These newer systems tend to be much more accurate than their predecessors, but the database must be constantly updated to remain effective. Furthermore, if an attack occurs and there is not a matching signature in the database, the attack may be ignored. Even if an attack is detected and confirmed to be a real attack, the IDS is powerless to do anything other than alert the administrator and log the attack.

This is where IPS systems come in. IPS stands for intrusion prevention system. An IPS is similar to an IDS, but it has been designed to address many of an IDS's shortcomings.

For starters, an IPS sits inline between your firewall and the rest of your network. That way, if an attack is detected, the IPS can stop the malicious traffic before it reaches the rest of your network. In contrast, an IDS monitors a copy of the traffic out of band rather than sitting in its path, so it can observe an attack but cannot stand in the way of it.

IPS systems also differ from IDS in the way that they detect attacks. There are a wide variety of IPS systems available and they don't all use the same techniques, but generally speaking, IPS systems tend to rely on packet inspection. The IPS examines each inbound packet and determines what that packet is really being used for before deciding whether or not to allow it onto your network.
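As an added illustration (not code from the article or any product it mentions), here is a toy Python model of the pipeline the last few paragraphs describe: a port-based firewall that lets HTTP, SMTP and POP3 through, followed by one signature database used first in IDS mode (alert and log, packet still delivered) and then in IPS mode (inline, packet dropped). The signature names, addresses and packets are constructed samples; the last packet carries a pattern the database does not know, showing the caveat above that an unsignatured attack passes both sensors.

```python
from dataclasses import dataclass

# Constructed signature database: hypothetical entries, not a vendor feed.
SIGNATURES = {"SIG-001 directory traversal": b"../../",
              "SIG-002 shell path in request": b"/bin/sh"}
OPEN_PORTS = {80, 25, 110}  # HTTP, SMTP and POP3 left open, as in the text

@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes

def firewall_allows(pkt):
    # Port-based firewall: checks the destination port only, never the payload.
    return pkt.dport in OPEN_PORTS

def match_signature(pkt):
    # Return the first signature whose pattern occurs in the payload, else None.
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

def ids_inspect(pkt, log):
    # IDS (out of band): can only log and alert; the packet is always delivered.
    sig = match_signature(pkt)
    if sig:
        log.append(f"ALERT {pkt.src}:{pkt.dport} {sig}")
    return True

def ips_inspect(pkt, log):
    # IPS (inline): a matching packet is dropped before it reaches the network.
    sig = match_signature(pkt)
    if sig:
        log.append(f"DROP {pkt.src}:{pkt.dport} {sig}")
        return False
    return True

def run(packets, inspect):
    # Firewall first, then the sensor; returns delivered packets and the sensor log.
    log = []
    delivered = [p for p in packets if firewall_allows(p) and inspect(p, log)]
    return delivered, log

# Constructed traffic: benign request, telnet probe, known attack, unknown attack.
SAMPLE = [Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
          Packet("198.51.100.7", 23, b"root\r\n"),
          Packet("198.51.100.8", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
          Packet("198.51.100.9", 80, b"GET /cgi-bin/unknown-new-attack HTTP/1.1\r\n")]
```

Running `run(SAMPLE, ids_inspect)` delivers three packets and logs one alert; `run(SAMPLE, ips_inspect)` delivers two and logs one drop, while the telnet probe never gets past the firewall in either case.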

As you can see, there are some important differences between IDS and IPS systems. If you are shopping for an effective security device, your network will usually be more secure if you use an IPS rather than an IDS.


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
