Understanding the differences between IDS and IPS

As we all know, the universal presence of the Internet has completely changed networking as we know it. Networks that were once completely isolated are now connected to the world. This universal connectivity allows companies to achieve things never before imaginable. At the same time though, there is a dark side. The Internet is a haven for cyber criminals who use the connectivity to launch an unprecedented number of attacks against companies.

When the Internet first started to gain popularity, companies started to realize that they needed to implement firewalls in an effort to prevent attacks against them. Firewalls work by blocking unused TCP and UDP ports. Although firewalls are effective at blocking some types of attacks, they have one major weakness: You simply can't close all of the ports. Some ports are necessary for things like HTTP, SMTP and POP3 traffic. Ports corresponding to these common services must remain open in order for those services to function properly. The problem is that hackers have learned how to pass malicious traffic through ports that are commonly left open.

In response to this threat, some companies started to deploy intrusion detection systems (IDS). The idea behind an IDS is that it monitors all of the traffic that makes it through your firewall, and looks for any traffic that might be malicious. The idea sounds great in theory, but in reality, IDS systems really don't work that well for several reasons.

Early IDS systems worked by looking for any traffic that was out of the ordinary. When such traffic was detected, the activity was logged and an administrator was alerted. There are a few problems with this though. For starters, looking for abnormal traffic patterns produces a lot of false positives. After a while, the administrator becomes so annoyed with receiving constant false alerts that they start to ignore the alerts altogether.

The other major flaw in IDS systems is that they only monitor traffic. If an attack is detected, it's up to the administrator to take action. In a way this might be considered to be a good thing though. After all, since IDS systems produce a lot of false positives, would you really want them to take action against legitimate network traffic?

Over the last few years, IDS systems have evolved considerably. Today IDS systems work more like anti-virus programs. An IDS system contains a database of known attack signatures. The system constantly compares inbound traffic to the database and if an attack is detected then the IDS reports the attack.

These newer systems tend to be much more accurate than their predecessors, but the database must be constantly updated to remain effective. Furthermore, if an attack occurs and there is not a matching signature in the database, the attack may be ignored. Even if an attack is detected and confirmed to be a real attack, the IDS is powerless to do anything other than alert the administrator and log the attack.

This is where IPS systems come in. IPS stands for intrusion prevention system. An IPS is similar to an IDS, but it has been designed to address many of an IDS's shortcomings.

For starters, an IPS sits between your firewall and the rest of your network. That way, if an attack is detected, the IPS can stop the malicious traffic before it makes it to the rest of your network. In contrast, an IDS simply sits on top of your network rather than in front of it.

IPS systems also differ from IDS in the way that they detect attacks. There are a wide variety of IPS systems available and they don't all use the same techniques, but generally speaking, IPS systems tend to rely on packet inspections. The IPS will examine inbound packets and determine what those packets are really being used for before making a determination as to whether or not to allow those packets to make it onto your network.

As you can see, there are some important differences between IDS and IPS systems. If you are shopping for an effective security device, your network will usually be more secure if you use an IPS rather than an IDS.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.