Intrusion Detection Systems (IDS) analyse network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) also analyses packets, but can also stop the packet from being delivered based on what kind of attacks it detects — helping to stop an attack. These are used by network administrators in protecting the attack surface of a business.
The significant difference between IDS and IPS equates to the difference in protection and detection. IPS uses the diagnostics of IDS, but builds on the technology to intervene when potential threats are identified.
Intrusion Detection Systems (IDS)
IDS works to identify potential attacks and notify the user. The identification process is the process of analysing networking traffic and highlighting anything suspicious – but how? IDS uses two different types of system:
- Network Intrusion Detection System (NIDS)
- Host Intrusion Detection System (HIDSs)
A NIDS monitors network traffic for threats through sensors placed throughout the network, whereas a HIDS monitors traffic on the device where it is installed.
There are also two methods of threat detection within these systems: signature-based and anomaly-based. Signature-based threat detection uses a database of existing attacks to compare network activity to attack behaviours; the user receives a notification if current network traffic resembles that of an attack. An anomaly-based IDS uses a baseline model of behaviour to detect unusual activity on the network and flag it as suspicious to the user.
Intrusion Prevention Systems (IPS)
PS sits behind the firewall and uses anomaly detection or signature-based detection to identify network threats. In response, IPS solutions come armed with automated responses such as blocking the traffic source address, dropping malicious packets, and sending alerts to the user.
Threat Detection & Deployment Methods
IDS and IPS solutions that use signature-based detection look for attack signatures, activity, and malicious code that match the profile of known attacks. Attacks are detected by examining data patterns, packet headers, source addresses, and destinations. Signature-based detection is excellent at identifying established, less sophisticated attacks. However, detecting based on signatures is ineffective at detecting zero-day attacks, which don’t match other established attack signatures.
To detect more sophisticated threats, vendors have turned to machine learning and artificial intelligence (AI). IDS and IPS tools with anomaly detection can detect malicious behaviour in data organically rather than referring to past attacks. These solutions can detect the malicious nature of new attacks it hasn’t seen before. Anomaly detection systems vary widely between vendors depending on the techniques they use to detect anomalies.
Between signature and anomaly-based detection, the traffic analysed can be unfiltered or screened. The difference being unfiltered traffic is the raw internet data stream before it crosses the firewall, unlike screened traffic which is monitored by IDS/IPS post-firewall.
Should You Implement IDS or IPS?
Part of the legal responsibility of a business is to invest in the right technologies to protect client data. The act of implementing IDS/IPS is essential for proving compliance, and providing suitable security controls. Similarly, IDS and IPS can be configured for policy enforcement, to monitor and block traffic they don’t expect.
Significantly, IDS and IPS are critical for information security as they are two manners in which a system can be protected from an attack. They both play a vital role in automating cyber-security strategy. So, as much as IDS and IPS are similar, they form two different layers of network security and are both worth investment. This points to unified threat management (UTM). UTM incorporates several security layers into a single, comprehensive security resolution, so IDS and IPS would combine into one.
A UTM doesn’t just integrate IDS and IPS. UTMs expand upon the more traditional firewall approach to network safety, by incorporating both intrusion detection and prevention along with other security functions, into a single, unified appliance: a simple solution capable of filtering, analysing and reporting, along with load balancing and intrusion prevention.