What Is IDS (Intrusion Detection System) and How Does It Work?

An intrusion detection system (IDS) is a network security solution that monitors traffic for suspicious activity and alerts security teams when such activity is detected. They aim to stop network attacks before they can compromise a network.

IDS operates by identifying traffic that deviates from normal activity, or exhibits known attack patterns. These deviations or exceptions are flagged, and examined at the protocol and application layers. 

IDS can be network-based or host-based. A network-based intrusion detection system is deployed in a network and protects multiple hosts, while host-based IDS is installed on a specific host machine and protects only that host. Another option is cloud-based IDS, which can protect data and systems in cloud environments.

What is IPS (Intrusion Prevention System) and How Does it Work?

An Intrusion Prevention System (IPS) is a network security and threat prevention tool. The main goal of an IPS system is to identify potential threats and rapidly respond. IPS systems can scan network traffic for signs of attack and prevent exploits of vulnerabilities.

An IPS system continuously monitors a network to identify malicious activity, logs detected threats, reports them, and immediately takes action to prevent damage.

IPS is typically deployed behind firewalls, serving as an additional layer of protection that ensures network connections do not carry malicious content. IPS is placed in the direct communication path between internal systems and a public network, intercepting and blocking suspicious traffic.

IPS vs. IDS: 5 Key Differences

Here are some of the main differences between IPS and IDS.

1. Scope

IDS is a monitoring tool that compares network packets and looks for known threat signatures and other anomalies. It is purely a surveillance system. IPS is an active solution that allows or blocks network packets according to control rules. It expands the scope of IDS.

2. Range and Location 

IDS provides real-time traffic monitoring and analysis across the protected network, scanning all packets for IoCs and flagging potential network threats. IPS usually operates at the point where an internal, firewall-protected network meets the public Internet, blocking traffic when it detects a suspicious packet. IPS often has a smaller range than IDS. 

3. Deployment Model

Intrusion detection systems can be host-based or network-based. A host-based IDS works on endpoints, identifying threats affecting each device. It only monitors the host machine, providing focused, granular visibility. A network-based IDS monitors the whole network, detecting threats in all network traffic. It provides more context but usually offers less granularity.

Intrusion prevention systems can be host-based, network-based, or wireless. A host-based IPS runs on an individual client or server, monitoring and responding to device-specific events. A network-based IPS protects the whole network. A wireless IPS identifies unauthorized network access points and takes automatic countermeasures to protect the network. 

4. Human Intervention 

IDS requires human intervention and additional security tools to block threats. It can scan networks for threats but cannot protect them, relying instead on IT and security teams to act on alerts. 

IPS requires minimal human intervention because it proactively responds to threats. It leverages threat signature databases and ML-based behavioral models to identify and block malicious traffic. 

5. Configuration

IDS usually operates inline—the security team specifies how the IDS logs events and sends notifications. Activity logs provide forensic evidence for analysis and to inform policy updates. IPS usually sits behind a firewall, within the network, operating inline, or as an end-host. It requires careful configuration to minimize false positives and reduce the risk of responding to a harmless behavioral anomaly.

IPS or IDS: Which One Is Right For You?

The main difference between an intrusion detection system and an intrusion prevention system is the action taken when it detects an intrusion. An IDS only generates alerts about potential incidents, allowing security analysts to investigate events and determine if they require further action. The security operations center (SOC) is responsible for implementing security.

On the other hand, an IPS proactively responds when it detects events. It blocks attempted intrusions and performs other remediation actions. It serves a similar purpose to an IDS but with a different response. However, while this may make IDS appear redundant, each system has benefits for different scenarios:

• Intrusion detection system (IDS)—this system detects incidents and generates alerts but doesn’t do anything to prevent them from occurring. On the face of it, this is an inferior capability to IPS. Still, it is useful for systems that require high availability—for instance, critical infrastructure like an industrial control system (ICS). It ensures the system keeps running while human operators can evaluate alerts and make informed decisions about whether and how to respond.
• Intrusion prevention system (IPS)—this system takes action and automatically blocks anything that looks suspicious. It provides stronger protection, limiting the damage caused by fast-acting, sophisticated attacks. However, it can disrupt operations and should be reserved for highly sensitive use cases, such as an environment that cannot handle any intrusions (i.e., a database with sensitive information). 

IDS and IPS each have advantages and drawbacks depending on the use case, so it’s important to consider the specific needs of the systems they protect. There is often a tradeoff between high protection and high availability. IDSs can provide opportunities for attackers to damage a target system, while IPSs can make it harder to use a system, disrupting operations with every false positive. 

Using IPS/IDS as Part of an Endpoint Protection Platform

An endpoint protection platform (EPP) is an integrated security solution that can detect and block cybersecurity threats on endpoint devices. The platform focuses on preventing attacks, using both signature-based and behavioral detection methods. 

EPPs provide multiple security technologies via a single platform, typically including anti-malware, encryption, application, and network firewalls, and data loss prevention. Some EPPs include endpoint detection and response (EDR), an advanced technology that alerts security teams to unusual activity on the endpoint and helps them rapidly investigate and respond to it.

Endpoint protection platforms often incorporate a host-based intrusion prevention system (IPS). IPS proactively blocks threats on the endpoint before they compromise the device or other systems on the network. IPS complements other layers of security in an EPP to protect endpoints from malicious traffic. IPS deployed as part of EPP solutions can be used on its own, or together with a network-level IPS system.

Conclusion

In this article, I explained the basics of IPS and IDS and the key differences between them:

1. Scope - IDS only focuses on detecting threats, while IPS can actively block malicious traffic.
2. Range and location - IPS is typically deployed behind the firewall and focuses on inbounce/outbound traffic, while IDS monitors traffic inside the data center as well.
3. Deployment model - both IPS and IDS can be deployed as host-based or network-level solutions, but IPS can also be deployed as a wireless solution to protect Wi-Fi networks.
4. Human intervention - IPS operates without human intervention, while IDS requires human review of messages and alerts.
5. Configurations - IDS requires less configuration because it freely collects data and identifies security issues. IPS requires careful configuration to avoid blocking legitimate traffic.

I hope this will be useful as you select the best mix of security tools to protect your network.

ABOUT THE AUTHOR:

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.

LinkedIn: https://www.linkedin.com/in/giladdavidmaayan/

Twitter: https://twitter.com/gilad_maayan

FB: https://www.facebook.com/gilad.maayan