IDS vs IPS : What’s the difference?


By now you’ve heard experts tell you to install an IDS/IPS solution in your network. However, they never give you a good IDS vs IPS comparison.

Implementing an IDS or IPS can dramatically increase your network’s security profile. The question is, which one is right for your organization?

What’s the difference between IDS and IPS technologies?

In today’s post, we’ll walk through the differences and help you understand what each one does and the effort required by your team to run them.

IDS will detect viruses and malware, while IPS prevents them.

Businesses need to understand the strengths and benefits of different IDS/IPS tools. This knowledge allows companies to protect themselves by choosing the most effective IDS/IPS solution.

What is an IDS?

An IDS (Intrusion Detection System) monitors the traffic flowing across your network. It assesses every packet against known issues and attacks, and it creates alerts based on those results.

What does an IDS find?

The IDS works to identify intrusions and configuration errors adversely affecting the company, including malware and virus infection, hackers breaching your security, and employees violating access policy or accidentally leaking company information. IDS deployments have even identified unauthorized laptops being used against their company’s network.

Inside or Outside?

While some prefer to place their IDS on the outside, between their firewall and the Internet, I prefer to have my IDS just behind my firewall. I want my IDS to only alert me on traffic that gets into my network, versus alerting on false positives that the firewall blocks anyway.

Not Inline:

An important note is that an IDS works from a copy of the traffic delivered by a SPAN (mirror) port or a network tap. Network traffic does not depend on the IDS working in order to flow properly. This is different from an IPS; more on this later.

Watch and Listen:

Security Engineers and Analysts leverage an IDS to detect malicious activity. However, DETECT is the key word! An IDS watches and listens, then logs an alert, but it does nothing to stop the traffic from continuing on its way.

To Be Effective:

Companies must invest time and manpower into training, tuning, monitoring and following up on information provided by an IDS. If you’re not going to make that commitment, running your own IDS isn’t going to do you much good.

What is an IPS?

An IPS will detect threats that can escape your firewall or antivirus.

An IPS (Intrusion Prevention System) executes real-time responses to active attacks and violations. An IPS is the same as an IDS but with Active Defense. System administrators structure rules within the IPS unique to the needs of the business. This allows not only for monitoring and evaluation of threats but also for real-time action to stop an immediate threat. An IPS is an active defense that can catch intruders that might go unnoticed by firewalls or antivirus software.

Your Traffic Flows through the IPS

Since the focus of an IPS is to PREVENT, it needs to have control over your traffic flow. Your network traffic flows through the IPS device. This means, if your IPS has a problem, your network has a problem. If you are building redundant infrastructure to be resilient, you need two IPS devices, just to be safe.

What do you mean Active Defense?

Since traffic flows through the IPS, it can stop, block and report network traffic it thinks is violating policies, rules, security, etc. Actions available to an IPS include blocking traffic from specific IP addresses deemed a threat and immediately breaking up connections to vulnerable internal systems.

Sounds great right? But wait, what happens if…

Because an IPS acts immediately, a rule that is set up incorrectly produces false positives that block legitimate traffic and create a disruptive user experience. The level of detail allowed in setting up security parameters sometimes results in an IPS generating a large number of alerts that can’t be responded to effectively. This runs the risk of security administrators allowing true threats to remain unaddressed due to a lack of resources and an inability to address them all.
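A small simulation of the difference described in the Not Inline and Active Defense sections above, added here as an example and not part of the original post: the same rule set is run once as a passive sensor (alerts only, every packet still delivered) and once as an inline device (matching packets dropped, and nothing delivered when the device is down). The rules, addresses and packets are constructed; the deliberately overbroad third rule shows the false-positive problem the paragraph above describes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

# Constructed rules: (rule name, predicate). The last one is deliberately too
# broad, standing in for a "rule set up incorrectly" as the post describes.
RULES = [
    ("known-bad-source", lambda p: p.src == "203.0.113.66"),
    ("path-traversal", lambda p: b"../../etc/passwd" in p.payload),
    ("overbroad-select", lambda p: b"select" in p.payload.lower()),
]

def match(packet):
    """Return the names of every rule a packet triggers."""
    return [name for name, pred in RULES if pred(packet)]

def passive_ids(stream):
    """IDS on a SPAN port or tap: sees a copy, alerts, never touches the flow."""
    alerts = [(p.src, r) for p in stream for r in match(p)]
    delivered = list(stream)  # every packet still reaches its destination
    return alerts, delivered

def inline_ips(stream, healthy=True):
    """IPS in the path: drops matches. When the device is down nothing passes
    (fail-closed), which is why an IPS problem becomes a network problem."""
    if not healthy:
        return [], []
    alerts, delivered = [], []
    for p in stream:
        hits = match(p)
        if hits:
            alerts.extend((p.src, r) for r in hits)  # blocked and reported
        else:
            delivered.append(p)
    return alerts, delivered

# Constructed sample traffic: one clean request, one flagged source, one real
# attack, and a legitimate report query the overbroad rule wrongly blocks.
SAMPLE = [
    Packet("198.51.100.10", "10.0.0.5", b"GET /index.html"),
    Packet("203.0.113.66", "10.0.0.5", b"GET /index.html"),
    Packet("198.51.100.10", "10.0.0.5", b"GET /../../etc/passwd"),
    Packet("198.51.100.20", "10.0.0.8", b"SELECT name FROM reports"),
]

if __name__ == "__main__":
    for label, (alerts, delivered) in (("IDS", passive_ids(SAMPLE)), ("IPS", inline_ips(SAMPLE))):
        print(f"{label}: {len(alerts)} alerts, {len(delivered)}/{len(SAMPLE)} packets delivered")
```

Both sensors raise the same three alerts; only the inline one stops the legitimate SELECT query along with the real attack, which is the trade-off the post asks you to weigh.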

Which one works best, IDS or IPS?

Using an IDS or IPS depends on the needs of the business and your tolerance for false positives blocking valid traffic. Companies desiring an extensive view into the inner workings of the security protocols set up across their networks would benefit from an IDS. In addition, those businesses must have staff available with the knowledge base to effectively use the information provided to them by the IDS.

Those wanting immediate automatic action taken against internal and external attacks would benefit from setting up an IPS. Technicians need to tune the IPS to match the infrastructure on the company’s network.

Which one should you buy?

If implementing your own system, take care when choosing between the various IDS/IPS vendors. Different vendors have a myriad of options and details about their product you need to assess against your needs.

The two most important factors are:

  • NETWORK SPEED: How much traffic can the IDS / IPS process?

  • UPDATES: How frequent are their updates for signatures and rules, and do they cost extra?

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn