IDS and IPS

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both components of network security infrastructure. They compare network packets against a cyber threat database containing known attack signatures and flag any matches. The main difference is that IDS is a monitoring system that simply observes and alerts without altering network traffic, while IPS is a control system that can actively block or prevent the delivery of malicious packets, similar to how a firewall blocks traffic based on IP address.

An IDS analyzes and monitors network traffic for signs of known cyber threats that could indicate an attack or data breach. It compares current network activity to a threat database to detect behaviors such as security policy violations, malware, and port scanning.

An IPS is typically positioned alongside a firewall, between the external network and the internal network. It proactively blocks network traffic based on security profiles if a packet matches a known security threat.

Both IDS and IPS analyze network packets by comparing them to a database of known threats. The key difference is their response: an IDS is a monitoring tool that generates alerts but takes no action itself, so a human or another system must respond, which can be resource-intensive in high-traffic environments. An IPS, on the other hand, is a control system that automatically accepts or rejects packets based on predefined rules. An IDS is often more effective as a post-incident forensic tool for the CSIRT during security investigations.

The purpose of an IPS is to detect and block dangerous packets before they reach their target. Unlike an IDS, which only monitors and alerts, an IPS actively prevents threats. To remain effective, its threat database must be regularly updated with new threat data.

IDS and IPS are only as effective as their cyberattack databases. Regularly update these databases, and be prepared to make manual adjustments when new attacks emerge or when attack signatures are not yet included.

IPS and IDS systems are used to detect the following types of attacks:

Table 6-3 Attack Types

Type of Attack Description
Policy Violations These occur when network traffic violates established rules, protocols, or packet formats. For example, a policy violation may involve an IP packet with an incorrect length or a protocol being used in an unauthorized way.
Exploits Attempts to take advantage of vulnerabilities in a system, application, or protocol. For example, a buffer overflow attack is a common type of exploit.
Reconnaissance Attempts to gather information about a system or network, such as using port scanners to identify open ports.
DoS, DDoS Attacks that attempt to overwhelm and disable a system by flooding it with a large volume of requests, such as SYN flood attacks.
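The signature-matching behaviour described above, and the one operational difference between the two systems (an IDS alerts and lets the packet through, an IPS alerts and drops it), as an added example that is not part of the original text or any real product. It covers the four attack types of Table 6-3 with one constructed signature each; packet fields, thresholds and traffic are all constructed sample values.

```python
# Added example: a minimal signature engine run in IDS mode (alert only) and IPS mode (alert and drop).
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dport: int
    flags: str = ""        # TCP flags; "S" marks a SYN
    ip_len: int = 40       # declared IP total length (constructed value)
    payload: bytes = b""

# Threat database: one signature per attack type from Table 6-3. Stateful rules
# (scan, flood) consult per-source counters kept while the stream is inspected.
SIGNATURES = [
    ("policy_violation", lambda p, st: p.ip_len < 20),                 # too short to be a valid IP header
    ("exploit",          lambda p, st: b"\x90" * 16 in p.payload),      # NOP sled, a classic overflow marker
    ("reconnaissance",   lambda p, st: len(st["ports"][p.src]) >= 5),  # many distinct ports probed
    ("dos",              lambda p, st: st["syn"][p.src] >= 100),       # SYN flood from one source
]

def inspect(packets, mode="ids"):
    """Return (delivered, alerts). mode='ips' drops any packet that matches."""
    state = {"ports": defaultdict(set), "syn": Counter()}
    delivered, alerts = [], []
    for p in packets:
        state["ports"][p.src].add(p.dport)
        if "S" in p.flags:
            state["syn"][p.src] += 1
        matched = [name for name, rule in SIGNATURES if rule(p, state)]
        if matched:
            alerts.append((p.src, matched))
            if mode == "ips":
                continue          # blocked before it reaches the target
        delivered.append(p)       # IDS never alters the flow
    return delivered, alerts

def sample_traffic():
    """Constructed packets: 1 legitimate, 1 malformed, 1 exploit, a 7-port scan, a 120-SYN flood."""
    pkts = [Packet("10.0.0.5", 80, "S"),
            Packet("10.0.0.6", 80, "S", ip_len=12),
            Packet("10.0.0.8", 80, "PA", payload=b"GET /" + b"\x90" * 64 + b"\xcc")]
    pkts += [Packet("10.0.0.9", port, "S") for port in range(20, 27)]
    pkts += [Packet("10.0.0.7", 443, "S") for _ in range(120)]
    return pkts

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        delivered, alerts = inspect(sample_traffic(), mode)
        print(f"{mode}: {len(alerts)} alerts, {len(delivered)} of 130 packets delivered")
```

Note that the stateful rules only fire once a threshold is crossed, so the first few scan probes and SYNs pass through even in IPS mode; this is the signature-coverage gap the text warns about when it says the threat database must be kept current.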

IPS and IDS vs Firewalls

Without an IPS, attacks may go unnoticed. While a firewall filters, blocks, or allows traffic based on addresses, ports, or services, it cannot determine whether allowed traffic is legitimate or malicious. This is where IDS and IPS systems provide additional protection by monitoring and analyzing traffic for threats that firewalls alone cannot detect.

While firewalls block or allow network traffic, IDS and IPS analyze that traffic in detail to identify potential attacks. These systems use sensors, analyzers, and graphical user interfaces (GUIs) to perform their specialized monitoring and detection functions.