<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>LINICKX.com</title><link>https://www.linickx.com/</link><description></description><lastBuildDate>Tue, 25 Apr 2006 11:59:00 +0100</lastBuildDate><item><title>IDS vs IPS</title><link>https://www.linickx.com/ids-vs-ips</link><description>&lt;p&gt;Network Intrusion Detection Systems (&lt;em&gt;NIDS&lt;/em&gt;) and Network Intrusion
Prevention Systems (&lt;em&gt;NIPS&lt;/em&gt;) are a common complement to a firewall
implementation; couple this with Host IDS (&lt;em&gt;HIDS&lt;/em&gt;) or Host IPS (&lt;em&gt;HIPS&lt;/em&gt;)
and you've made a good start at implementing an advanced security
infrastructure ;)&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What's the difference?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Sadly there's no hard and fast rule; what's important is understanding
what you're buying. Traditional IDS systems used sniffers &amp;amp; signatures
to detect attacks, very similar to how viruses are found with AV. The
problem with this kind of system is that it relies on a signature being
available to recognize the attack. There is also a margin of error with
sniffer technology: it's possible to flood a network with
"safe" traffic, and then slip the attack in under the radar.&lt;/p&gt;
&lt;p&gt;Some consider the difference between IDS and IPS to be that IPS is
proactive: it doesn't require a signature to detect the attack,
it just recognizes unacceptable behavior. The problem with this is that
any technology that can do this is very difficult and expensive to
implement.&lt;/p&gt;
&lt;p&gt;Others consider the difference between IDS and IPS to be that IPS
implements a protective "shim" between the system and the attack; thus
if the attack is recognised then it can be blocked.&lt;/p&gt;
&lt;p&gt;Suddenly you can see how the two phrases get &lt;em&gt;muddled up&lt;/em&gt;: those
inventing intelligent systems to detect unknown or &lt;em&gt;Zero Day&lt;/em&gt; attacks
wanted a way to differentiate their technology from the rest, but IDS
vendors were easily able to adopt the "P" by making their existing
product work &lt;em&gt;in line&lt;/em&gt;, thus providing "protection" rather than "detection".&lt;/p&gt;
&lt;p&gt;So I go back to my point: to tell the difference between "D" &amp;amp; "P", find
out if the product you're buying uses signatures, and you'll get an idea
whether it's a re-vamped IDS or a Zero Day protection system ;)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">nick</dc:creator><pubDate>Tue, 25 Apr 2006 11:59:00 +0100</pubDate><guid isPermaLink="false">tag:www.linickx.com,2006-04-25:ids-vs-ips</guid><category>ids</category><category>ips</category><category>Security</category></item></channel></rss>