What is the key difference between intrusion detection and intrusion prevention? If a firewall has intrusion prevention, is it assumed that intrusion detection is built in as well?
At a simple level, it's the difference between detection and prevention. IDS products are designed to inform you that something is trying to get into your system where IPS products actually attempt to prevent access.
Both IDS and IPS are designed for different purposes, but their technologies are similar. IDS is best used in situations where there is a need to explain what happened in an attack, whereas IPS stops attacks. An IDS system collects a lot of information that is not actionable from an IPS perspective, such as port scans and other reconnaissance.
An IDS analyzes traffic by comparing traffic to information in its database that contains patterns, called "signatures," found in known exploits. If certain traffic matches a pattern seen in an exploit, the IDS will send an alert to an administrator who can then take action to prevent the exploit or minimize the damage. IPS operates similar to IDS with one critical difference: IPS can block the attack itself; while an IDS sits outside the line of traffic and observes, an IPS sits directly in line of network traffic. Any traffic the IPS identifies as malicious is prevented from entering the network.
Check out TechTarget's IDS/IPS resources.
Dig Deeper on Network Security Best Practices and Products
Related Q&A from Puneet Mehta
Find out if there's a difference between a virtual private network (VPN) concentrator and a network access server (NAS) in this explanation from our ... Continue Reading
Our network security expert explains how to keep unauthorized users from accessing your router's IP address for Internet access in this advice ... Continue Reading
If you've used MAC address restriction to control your network access on your wireless router, can you extend this to your wired network? Our ... Continue Reading