technology | networking - Ross Heintzkill
IDS vs. IPS: What's the Difference?
Quick Definition of IDS: An intrusion detection system (IDS) is a network security device or software application that receives copies of network traffic and then scans that traffic for malicious code. An IDS is defined by it being out-of-line of network traffic and by receiving copies of traffic, which means it’s able only to report discoveries of malicious traffic or intrusion activities. An IDS is powerless to stop such traffic.
Quick Definition of IPS: An intrusion prevention system (IPS) is a network security device or software application that sits in-line with network traffic and scans the traffic for malicious code in real-time. An IPS is defined by it being in-line with the network traffic and so can stop malicious code as it transits the IPS.
An Overview of IDS vs IPS [VIDEO]
In this video, Keith Barker covers the nature of an IDS and IPS, what they do for a network, and their differences. Any network security solution will come with a cost and overhead: knowing the strengths and drawbacks of each option means you can make the right decision.
Do You Need Cybersecurity for Internal Network Traffic?
Network security is often about hardening networks against external threats — malicious users on the internet looking to break in. But internal threats exist too, and good network security has to include anticipating and preventing those as well.
Before jumping into IDSs and IPSs, let's imagine a hypothetical network. Imagine a network that has a connection to the internet along with several devices, switches, routers, and VLANs.
Imagine a user, Bob, on VLAN 11 at 172.30.11.0/24. Turns out, Bob's actually a malicious user. And we have a different user, Lois, over on VLAN 22 at 172.31.22.0/24. Our point about network security comes from this question: if Bob started launching malicious attacks over at Lois, would we want to know about that? Yes or no?
The answer is, obviously, absolutely yes. Network security means identifying any and all kinds of malicious traffic — even malicious traffic that is sourced internally or traffic from an attacker on the outside who is forwarding traffic into our network.
Intrusion detection systems and intrusion prevention systems exist because all network traffic has to be monitored, internal and external. IDSs and IPSs help us make sure that even if "the call is coming from inside the house," we're protected.
What's the Difference Between IDS and IPS?
The major difference between an intrusion detection system and an intrusion prevention system is where they're located relative to the network traffic. An IDS sits out-of-line of the traffic and receives copies of the traffic, whereas an IPS sits in-line with the network traffic and scans it in real-time.
Installing an intrusion detection system (IDS) can be as easy as plugging a security appliance into the network. If we go back to our imagined network from before, imagine that we just plugged a security appliance into the network. All we'd need to do is configure VLAN 11's switch so that all its traffic gets copied out to the network appliance.
Once we're getting copies of all the data passing through that switch, the IDS scans it. And when our IDS appliance sees malicious traffic, it can send off an alert.
However, because it's working from a copy of the data, our IDS appliance isn't really in the middle of it, and it can't stop the attack. That's why IDSs are called intrusion detection systems: they detect only. They can see the traffic and fire off an alert, but because they are not in-line they can't stop attacks.
Compare that to an intrusion prevention system (IPS), with an emphasis on the "prevention" part. An IPS works a lot like an IDS, except that we place it in-line with the traffic itself.
Let's go back to our imagined network. Currently, because PC1 (Bob) and PC2 (Lois) are in different VLANs, the path between them has to transit their default gateways. Imagine a line that represents the trunked connection between their switch and the router. Any traffic from Bob to Lois has to transit that line.
So, to install our IPS, let's say we got rid of that connection and instead ran a connection from the switch to our network security appliance, and another from the appliance to the router on the other end. With the IPS in-line like that, for PC1, or anybody else in VLAN 11, to reach their router or any other network, the traffic has to pass through the IPS.
The traffic will originate at their PC, go to VLAN 11, out through the IPS, which is now in-line with the traffic, and on to their default gateway. Depending on the network arrangement and where we installed the IPS, if the traffic was destined for PC2, the reply traffic would go in the opposite direction, back through the IPS and down to VLAN 22.
But now that the appliance is in-line, it's not just a detection system. It's considered to be an intrusion prevention system. Because if it does see malicious traffic, it can stop that traffic right in its tracks, thus preventing that attack from moving any further into the network.
What's the Difference Between Host-Based IPS/IDS and Network IPS/IDS?
The difference between host-based IPS/IDS and network IPS/IDS is where the device or software application does its prevention or detection. A network-based IPS or IDS is a device or software application that scans traffic passing through the network. A host-based IPS or IDS is a piece of software installed directly onto devices that scans the computer for malicious behavior.
Above, when we described a basic network architecture and how an IPS or IDS would scan the traffic, we were describing a network IPS/IDS set-up.
There's also host-based IPS/IDS. Those involve running software on computers throughout the network. With that software installed, it then becomes a matter of reading application logs, security logs and watching registries on Windows machines. Host-based IPS/IDS look for any malicious behavior, locally, on each computer.
Which is Better: Host-based or Network-based IPS/IDS?
Neither host-based nor network-based IPS/IDS is inherently better than the other. Each has strengths and drawbacks. Generally speaking, the cost and the overhead are probably going to be higher with a host-based IPS/IDS than with a network-based intrusion prevention or detection system. But a network-based IPS/IDS is limited in that it can only see the traffic coming out of devices; it can't see into the device itself or see the attack at its source.
One of the benefits of using network-based IPS is that depending on where the IPS/IDS is installed, one device can monitor an entire network's traffic. You'll be seeing the data and behavior of many different computers. The downside to network-based is that you won't be seeing what's actually happening on each computer. If there's an attacker locally, sitting at a computer and trying to break into it, a network-based IPS can't detect that. It won't be able to see that local activity.
On the other hand, for a host-based IPS/IDS, the benefit is that it will see local activity on that computer. This comes with a downside, however. It's going to take some overhead on that computer, because it's going to run as an application. Host-based IPSs/IDSs will incur slight performance hits. Plus, if your network has 10,000 computers and you're planning to protect each with host-based IPS, that's a lot of licenses to buy and install.
How Does an IPS or IDS Detect Malicious Traffic?
Whether it's host-based or network-based, an IPS/IDS has two major methods for detecting malicious traffic: signature matching and anomaly detection.
The method that an IPS/IDS device takes to detecting malicious traffic is sort of like a line from the Wizard of Oz: "Are you a good witch or a bad witch?" As traffic passes through an IPS/IDS device, it has a similar question: "Are you a good packet or a bad packet?"
As traffic transits an IPS/IDS, the device has two major approaches for deciding whether a packet is good or bad (bad meaning malicious). The first is a signature match; the second is some form of anomaly detection.
With a signature match, we might have a vendor who's given us, for example, 1,000 signatures in a database. These are signatures of known attacks or malicious entries. Every packet that's sent is compared against that database. If there's a pattern match, the IDS or IPS recognizes it as a signature of a known attack and can respond with predefined actions.
Another method is based on anomaly detection. Anomaly detection works by building a baseline of certain aspects of network behavior and then comparing the same metrics against that baseline in the future. For example, at any given time there might be 30 half-open ("half-formed") TCP sessions in place, meaning connections whose three-way handshake has started but not yet completed. In other words, it's normal to have about 30 people in the middle of setting up their sessions.
One of the baselines we could establish is that "30 half-open TCP sessions is the average." After that, we tell the IPS/IDS where to draw a red line, for example at five times the baseline. When the IDS sees more than five times the baseline, it says, "Uh-oh, we're way too high," and raises an alert, because that represents a statistical anomaly.
Another type of anomaly detection that we could use is based on how protocols are supposed to work. For example, if we see some behavior that is not how TCP/IP should operate, that could also be considered an anomaly and could generate an alert.
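The following is an added example, not code from the article or the video, that models both ideas above in one place: the IDS-versus-IPS action difference (an IDS working on a copy can only alert, an IPS in-line can drop) and the two detection methods (a signature database and a half-open TCP session count checked against five times a baseline of 30). The signature patterns, the addresses for Bob and Lois, and the traffic itself are constructed for illustration; the handshake tracking is deliberately simplified.

```python
from collections import namedtuple
# Constructed, hypothetical signature database (stands in for vendor signatures).
SIGNATURES = {"EXAMPLE-SIG-1 shell probe": b"/bin/sh",
              "EXAMPLE-SIG-2 sql tautology": b"' OR 1=1"}
# flags is a simplified TCP flag string: "S" = SYN, "A" = client's final ACK.
Packet = namedtuple("Packet", "src sport dst flags payload", defaults=[b""])

def signature_match(pkt):
    """Method 1: compare the payload against every known-attack pattern."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

def half_open_sessions(packets):
    """Sessions that sent a SYN but never completed the handshake (simplified:
    keyed by (src, sport, dst); the client's ACK marks the session complete)."""
    opened, completed = set(), set()
    for p in packets:
        key = (p.src, p.sport, p.dst)
        if p.flags == "S":
            opened.add(key)
        elif p.flags == "A" and key in opened:
            completed.add(key)
    return len(opened - completed)

def anomaly_check(packets, baseline=30, multiplier=5):
    """Method 2: alert when the metric crosses the 'red line' of multiplier x baseline."""
    count = half_open_sessions(packets)
    return count, count > baseline * multiplier

def inspect(packets, mode):
    """mode='ids' works on a copy and can only alert; mode='ips' sits in-line
    and drops a packet with a signature hit instead of forwarding it."""
    alerts, forwarded = [], []
    for p in packets:
        sig = signature_match(p)
        if sig:
            alerts.append((sig, p.src, p.dst))
            if mode == "ips":
                continue  # dropped: never reaches the default gateway
        forwarded.append(p)
    return alerts, forwarded

# Constructed traffic: Bob on VLAN 11 probes Lois on VLAN 22, then floods SYNs.
BOB, LOIS = "172.30.11.10", "172.31.22.10"
TRAFFIC = [Packet(BOB, 40000, LOIS, "A", b"GET /cgi-bin/x?cmd=/bin/sh")]
TRAFFIC += [Packet(BOB, 50000 + i, LOIS, "S") for i in range(160)]
TRAFFIC += [Packet(BOB, 50000 + i, LOIS, "A") for i in range(5)]
```

Running `inspect(TRAFFIC, "ids")` and `inspect(TRAFFIC, "ips")` produces the same alert, but only the IPS run forwards one packet fewer; `anomaly_check(TRAFFIC)` trips because 155 half-open sessions exceed the red line of 150.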
Does an IPS or IDS Have to Be a Separate Device?
No. Another thing to note about network-based IDS/IPS is that a separate security appliance may not be necessary at all. It's possible to build the IPS/IDS functionality into a router, a firewall, or a gateway — because they're seeing the network traffic anyway. If they have the CPU to spare, it's possible we could add those signatures and that responsibility to an existing device, which is already in-line with the traffic.
Malicious code can come from inside a network just as easily as outside the network. In fact, sometimes network security is so good at repelling external threats that it's much easier to just compromise a device on the network and take it down from the inside. Systems that can help you detect and prevent intrusions keep your internal network safe.
Host-based or network-based Intrusion Detection Systems and Intrusion Prevention Systems are a crucial part of managing your network. Having a strong understanding of both is also crucial for earning CISSP certification, which is one of the most respected and sought-after security certifications.