Intrusion detection vs. intrusion prevention

Our expert, Puneet Mehta, tells us what the key difference is between intrusion detection and intrusion prevention, in this expert response.

What is the key difference between intrusion detection and intrusion prevention? If a firewall has intrusion prevention, is it assumed that intrusion detection is built in as well?

At a simple level, it's the difference between detection and prevention. IDS products are designed to inform you that something is trying to get into your system where IPS products actually attempt to prevent access.

Both IDS and IPS are designed for different purposes, but their technologies are similar. IDS is best used in situations where there is a need to explain what happened in an attack, whereas IPS stops attacks. An IDS system collects a lot of information that is not actionable from an IPS perspective, such as port scans and other reconnaissance.

An IDS analyzes traffic by comparing traffic to information in its database that contains patterns, called "signatures," found in known exploits. If certain traffic matches a pattern seen in an exploit, the IDS will send an alert to an administrator who can then take action to prevent the exploit or minimize the damage. IPS operates similar to IDS with one critical difference: IPS can block the attack itself; while an IDS sits outside the line of traffic and observes, an IPS sits directly in line of network traffic. Any traffic the IPS identifies as malicious is prevented from entering the network.

Check out TechTarget's IDS/IPS resources.

 

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center
ITChannel
Close