Understanding the differences between IDS and IPS


Brien M. Posey
10.11.2005

As we all know, the universal presence of the Internet has completely changed networking as we know it. Networks that were once completely isolated are now connected to the world. This universal connectivity allows companies to achieve things never before imaginable. At the same time though, there is a dark side. The Internet is a haven for cyber criminals who use the connectivity to launch an unprecedented number of attacks against companies.

When the Internet first started to gain popularity, companies realized that they needed to deploy firewalls to prevent attacks against them. Firewalls work by blocking unused TCP and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major weakness: you simply can't close all of the ports. Some ports are necessary for services such as HTTP, SMTP and POP3, and those ports must remain open for the services to function. The problem is that attackers have learned to pass malicious traffic through the ports that are commonly left open, where a port-based firewall cannot tell it apart from legitimate traffic.

In response to this threat, some companies started to deploy intrusion detection systems (IDS). The idea behind an IDS is that it monitors all of the traffic that makes it through your firewall and looks for anything that might be malicious. The idea sounds great in theory, but in practice IDS systems have several shortcomings.

Early IDS systems worked by looking for any traffic that was out of the ordinary (anomaly detection). When such traffic was detected, the activity was logged and an administrator was alerted. There are a few problems with this, though. For starters, looking for abnormal traffic patterns produces a lot of false positives. After a while, the administrator becomes so worn down by constant false alerts that they start to ignore the alerts altogether.

The other major flaw in IDS systems is that they only monitor traffic. If an attack is detected, it is up to the administrator to take action. In a way, this might be considered a good thing: since IDS systems produce a lot of false positives, would you really want them to take action against legitimate network traffic?

Over the last few years, IDS systems have evolved considerably. Today's IDS systems work more like anti-virus programs: the IDS contains a database of known attack signatures, constantly compares inbound traffic against that database, and reports an attack whenever traffic matches a signature.

These newer, signature-based systems tend to be much more accurate than their predecessors, but the database must be constantly updated to remain effective. Furthermore, if an attack occurs and there is no matching signature in the database, the attack may be missed entirely. Even when an attack is detected and confirmed to be real, the IDS is powerless to do anything other than alert the administrator and log the attack.

This is where IPS systems come in. IPS stands for intrusion prevention system. An IPS is similar to an IDS, but it has been designed to address many of an IDS's shortcomings.

For starters, an IPS sits inline between your firewall and the rest of your network. That way, if an attack is detected, the IPS can stop the malicious traffic before it reaches the rest of your network. In contrast, an IDS sits beside your network rather than in front of it: it passively watches a copy of the traffic, so it can observe but never block.

IPS systems also differ from IDS in the way that they detect attacks. There is a wide variety of IPS systems available and they don't all use the same techniques, but generally speaking, IPS systems tend to rely on packet inspection. The IPS examines inbound packets and determines what those packets are really being used for before deciding whether or not to allow them onto your network.
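The following is an added example, not code from the article, that models the two deployment modes described above on a handful of constructed packets: the same signature database drives both, but the IDS only alerts while forwarding everything, whereas the inline IPS drops matching packets. The signature names, rules and sample requests are all constructed for illustration; the last packet shows the point made earlier about signature databases, since an encoded variant of a known request is missed until a rule for it is added.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    dport: int      # destination TCP port
    payload: bytes  # application-layer bytes

# Constructed signature database (name, port, payload pattern); illustrative, not a vendor's rules.
BASE_SIGNATURES = [("http-dir-traversal", 80, re.compile(rb"\.\./\.\./"))]
# The "updated" database adds a rule for the URL-encoded form of the same request.
UPDATED_SIGNATURES = BASE_SIGNATURES + [
    ("http-dir-traversal-enc", 80, re.compile(rb"(%2e){2}/(%2e){2}/", re.IGNORECASE))]

# Constructed sample traffic, not real captures. The last packet is the encoded variant,
# which BASE_SIGNATURES has no rule for, so it is missed until the database is updated.
SAMPLE_TRAFFIC = [
    Packet(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet(80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet(25, b"MAIL FROM:<alice@example.com>\r\n"),
    Packet(80, b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n\r\n"),
]

def match_signature(pkt, signatures):
    """Signature-based detection: return the first matching rule name, else None."""
    for name, port, pattern in signatures:
        if pkt.dport == port and pattern.search(pkt.payload):
            return name
    return None

def run_ids(packets, signatures):
    """IDS: passive sensor beside the traffic path; everything is forwarded, hits only alert."""
    forwarded, alerts = [], []
    for pkt in packets:
        hit = match_signature(pkt, signatures)
        if hit:
            alerts.append(hit)   # logged and alerted; the administrator must act
        forwarded.append(pkt)    # the IDS cannot stop the packet
    return forwarded, alerts

def run_ips(packets, signatures):
    """IPS: inline between firewall and network; hits are dropped before reaching hosts."""
    forwarded, dropped = [], []
    for pkt in packets:
        hit = match_signature(pkt, signatures)
        if hit:
            dropped.append(hit)
        else:
            forwarded.append(pkt)
    return forwarded, dropped
```

Running `run_ips(SAMPLE_TRAFFIC, BASE_SIGNATURES)` forwards three packets including the encoded variant; with `UPDATED_SIGNATURES` both traversal forms are dropped, while `run_ids` forwards all four in either case and only raises alerts.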

As you can see, there are some important differences between IDS and IPS systems. If you are shopping for an effective security device, your network will usually be more secure if you use an IPS rather than an IDS.


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
