What is the key difference between intrusion detection and intrusion prevention? If a firewall has intrusion prevention, is it assumed that intrusion detection is built in as well?
At a simple level, it's the difference between detection and prevention. IDS products are designed to inform you that something is trying to get into your system where IPS products actually attempt to prevent access.
Both IDS and IPS are designed for different purposes, but their technologies are similar. IDS is best used in situations where there is a need to explain what happened in an attack, whereas IPS stops attacks. An IDS system collects a lot of information that is not actionable from an IPS perspective, such as port scans and other reconnaissance.
An IDS analyzes traffic by comparing traffic to information in its database that contains patterns, called "signatures," found in known exploits. If certain traffic matches a pattern seen in an exploit, the IDS will send an alert to an administrator who can then take action to prevent the exploit or minimize the damage. IPS operates similar to IDS with one critical difference: IPS can block the attack itself; while an IDS sits outside the line of traffic and observes, an IPS sits directly in line of network traffic. Any traffic the IPS identifies as malicious is prevented from entering the network.
Check out TechTarget's IDS/IPS resources.
Dig Deeper on Network Security Best Practices and Products
Related Q&A from Puneet Mehta
How do I open port 177 on my router so that other clients can get a GUI display of my server remotel
In this expert response, Puneet Mehta tells us where the placement of the firewall should be architecturally. Continue Reading
What methods are available to protect a network from broadcast and multicast storms? Continue Reading