When the Internet first started to gain popularity, companies started to realize that they needed to implement firewalls in an effort to prevent attacks against them. Firewalls work by blocking unused TCP and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major weakness: You simply can't close all of the ports. Some ports are necessary for things like HTTP, SMTP and POP3 traffic. Ports corresponding to these common services must remain open in order for those services to function properly. The problem is that hackers have learned how to pass malicious traffic through ports that are commonly left open.
In response to this threat, some companies started to deploy intrusion detection systems (IDS). The idea behind an IDS is that it monitors all of the traffic that makes it through your firewall, and looks for any traffic that might be malicious. The idea sounds great in theory, but in reality, IDS systems really don't work that well for several reasons.
Early IDS systems worked by looking
The other major flaw in IDS systems is that they only monitor traffic. If an attack is detected, it's up to the administrator to take action. In a way this might be considered to be a good thing though. After all, since IDS systems produce a lot of false positives, would you really want them to take action against legitimate network traffic?
Over the last few years, IDS systems have evolved considerably. Today IDS systems work more like anti-virus programs. An IDS system contains a database of known attack signatures. The system constantly compares inbound traffic to the database and if an attack is detected then the IDS reports the attack.
These newer systems tend to be much more accurate than their predecessors, but the database must be constantly updated to remain effective. Furthermore, if an attack occurs and there is not a matching signature in the database, the attack may be ignored. Even if an attack is detected and confirmed to be a real attack, the IDS is powerless to do anything other than alert the administrator and log the attack.
This is where IPS systems come in. IPS stands for intrusion prevention system. An IPS is similar to an IDS, but it has been designed to address many of an IDS's shortcomings.
For starters, an IPS sits between your firewall and the rest of your network. That way, if an attack is detected, the IPS can stop the malicious traffic before it makes it to the rest of your network. In contrast, an IDS simply sits on top of your network rather than in front of it.
IPS systems also differ from IDS in the way that they detect attacks. There are a wide variety of IPS systems available and they don't all use the same techniques, but generally speaking, IPS systems tend to rely on packet inspection. The IPS examines inbound packets and determines what those packets are really being used for before deciding whether or not to allow them onto your network.
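To make the alert-versus-block distinction and the signature-database gap concrete, here is an added example (not code from the original article) of a toy signature-based inspector in Python: run as an IDS it only alerts and every packet still reaches the network, while run as an IPS it sits inline and drops the packet that matched. The signatures, sample packets and function names are all constructed for illustration; the one suspicious request with no signature passes in both modes, which is the blind spot described above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

# Constructed signature database: (name, destination port, payload pattern).
# Both describe known HTTP abuse arriving on a port the firewall must leave open.
SIGNATURES = [
    ("http-path-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("http-cgi-script-probe", 80, re.compile(rb"/cgi-bin/\S*\.(?:sh|pl)\b")),
]

@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes

def match(pkt: Packet) -> Optional[str]:
    """Return the first matching signature name, or None when nothing matches."""
    for name, port, pattern in SIGNATURES:
        if port == pkt.dst_port and pattern.search(pkt.payload):
            return name
    return None

def inspect(packets: List[Packet], mode: str) -> Tuple[List[Packet], List[str]]:
    """Return (delivered packets, alerts). mode="ids" only alerts and still
    delivers every packet; mode="ips" is inline and drops each packet that
    matched a signature before it reaches the protected network."""
    delivered, alerts = [], []
    for pkt in packets:
        hit = match(pkt)
        if hit is not None:
            alerts.append(hit)
            if mode == "ips":
                continue  # dropped: never forwarded
        delivered.append(pkt)
    return delivered, alerts

# Constructed sample traffic: two benign, two signature hits, one suspicious request no signature covers.
SAMPLE = [
    Packet(80, b"GET /index.html HTTP/1.1"),
    Packet(25, b"MAIL FROM:<user@example.com>"),
    Packet(80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet(80, b"GET /cgi-bin/test.sh HTTP/1.1"),
    Packet(80, b"GET /search?q=%27%20OR%201%3D1 HTTP/1.1"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        delivered, alerts = inspect(SAMPLE, mode)
        print(f"{mode}: alerts={alerts} delivered={len(delivered)}/{len(SAMPLE)}")
```

Running it shows the IDS reporting two alerts but delivering all five packets, while the IPS reports the same two alerts and delivers only three; the request with no signature reaches the network either way.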
As you can see, there are some important differences between IDS and IPS systems. If you are shopping for an effective security device, your network will usually be more secure if you use an IPS rather than an IDS.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
This was first published in October 2005