Intrusion Detection (IDS) VS Intrusion Prevention (IPS): What’s The Difference?
A new breed of cyber threats has evolved since the early days of the first commercial firewalls and anti-virus software of the 1990s. The security systems created during that time period are no match for the sophisticated cyber attacks attempting to disrupt the activity of the billions of internet users across the world today.
An intrusion detection system (IDS) is used to monitor a network, which then sends alerts when suspicious events on a system or network are detected. An intrusion prevention system (IPS) reacts to attacks in progress with the goal of preventing them from reaching targeted systems and networks. While IDS and IPS have the ability to detect attacks the main difference is in their responses to an attack. However, it’s important to note that both IDS and IPS can implement the same monitoring and detection methods.
In this article, we will discuss the characteristics of an intrusion and the various attack methods threat actors employ to compromise a network.
Then, we’ll define an intrusion detection system and its counterpart the intrusion prevention system. Once defined, we will review the functionality of each system and their respective roles in protecting the network.
By the end of this article, you will have a better understanding of the differences between the intrusion detection system vs. the intrusion prevention system. Your awareness of the types of IPS/IDS solutions available on the market today will be enhanced, especially when they are combined into a single unit.
- What Is A Network Intrusion?
- What Is An Intrusion Detection System (IDS)?
- How Does An Intrusion Detection System Work?
- What Are The Two Main Types Of Intrusion Detection Systems?
- What Is An Intrusion Prevention System (IPS)?
- How Does An Intrusion Prevention System Work?
- What Are The Main Types Of Intrusion Prevention Systems?
- Can IDS And IPS Work Together?
What Is A Network Intrusion?
An intrusion compromises a computer system by breaking the security of such a system or causing it to enter into an insecure state.
A similar term refers to a network intrusion, which is any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and usually jeopardizes the security of networks and their data.
Networks and endpoints are susceptible to intrusions from unintended sources named threat actors. A threat actor can reside literally anywhere in the world. All they need is access to the internet, a motive, and a method or route of attack, which is commonly referred to as the threat vector.
Common types of network vulnerabilities that threaten the cyber security of a company include:
- Malware – Malware, or malicious software, is typically installed on a user’s machine or a host server. Types of malware include trojans, viruses, and worms.
- Social engineering attacks – Social engineering attempts to fool users into giving up personal information. These types of attacks include email phishing and whaling, vishing, waterhole attacks, and tailgating.
- Outdated or unpatched software – Software applications that are left unpatched which exposes systems running the application and potentially the entire network.
- Web Server Exploits – Smartphones, tablets, and other mobile devices can be used as devices to pass malware and other attacks on to the corporate network. Additionally, mobile malware may be used to steal useful data from the mobile device.
- Data Storage Devices – Portable storage devices such as unencrypted USB or Flash drives.
It’s important that your network security team address these factors when assessing the overall security posture of your systems.
Now that we have an understanding of the progression of the intrusion and its multiple threat vectors, it’s clear that the traditional firewall and basic anti-virus programs are not enough to prevent intrusions today.
As mentioned in the outset of the article, additional layers of security are necessary to counter the intrusion attacks of today. Let’s now take a closer look at intrusion technologies and let’s learn what they are and why they are needed.
What Is An Intrusion Detection System (IDS)?
An Intrusion Detection System or IDS is defined as a computer network security technology originally built for detecting vulnerability exploits against a targeted application.
The IDS as the name implies is designed to detect network traffic patterns. The IDS is not placed directly in line with the network traffic.
It is usually inserted in a tap or span port mirroring device to monitor and notify an administrator of alerts, without impacting the data flow.
This technology is what makes the IDS distinctly different than its counterpart, the IPS, which we will discuss further in this article.
How Does An Intrusion Detection System Work?
There are three common detection variants the IDS employs to monitor intrusions as follows:
Signature-based IDS detects possible threats by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.
This terminology originates from antivirus software, which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is impossible to detect new attacks, for which no pattern is available.
Anomaly-based IDS is a newer technology designed to detect and adapt to unknown attacks, primarily due to the explosion of malware.
This detection method uses machine learning to create a defined model of trustworthy activity, and then compare new behavior against this trust model.
While this approach enables the detection of previously unknown attacks, it can suffer from false positives, which is previously unknown legitimate activity can accidentally be classified as malicious.
However, it is still needed to monitor and analyze user and system activity, audit system configurations, and vulnerabilities
Reputation-based IDS track a file’s reputation so it can identify suspicious files.
What Are The Two Main Types Of Intrusion Detection Systems?
There are two main types of IDS including a network intrusion detection system or NIDS, and host intrusion detection system (NIDS).
Network Intrusion Detection System (NIDS)
Since the IDS is not in line with the network traffic, it can actually be placed strategically wherever the tap or span devices are located.
This feature allows the IDS to monitor and report on traffic flow in various areas of the network. This type of intrusion protection is referred to as a Network Intrusion Detection System or NIDS.
As illustrated in the example below, the NIDS does not sit directly in line with the network traffic. It reads a copy or mirror of the traffic per the network TAP device.
The admin or management console receives the alerts, however, network traffic flow is not altered or impeded.
Host Intrusion Detection System (HIDS)
Another type of Intrusion Detection System is a software package that is installed on the endpoint or host device.
This type of system is referred to as a host intrusion detection system (HIDS).
Popular anti-virus vendors include HIDS as part of their endpoint protection suite. Instead of relying on mirrored traffic from a TAP device, HIDS software will examine events on a computer on your network.
This type of intrusion detection system mainly operates by looking at data in system files on the computer that it protects. Those files include log and configuration files.
What Is An Intrusion Prevention System (IPS)?
An Intrusion Prevention System or IPS is a network security and threat prevention technology that examines network traffic flows in order to detect and prevent vulnerability exploits. The IPS often sits directly behind the firewall.
Unlike the IDS, the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network.
This key feature is what distinguishes the IPS from the IDS.
How Does An Intrusion Prevention System Work?
Intrusion prevention systems work by scanning all network traffic. There are a number of different threats that an IPS is designed to prevent, including, but not limited to the following:
- Denial of Service (DoS) attack
- Various types of exploits
When deployed correctly, an IPS prevents severe damage from being caused by malicious or unwanted packets, and brute force attacks.
The IPS performs real-time packet inspection, deeply inspecting every packet that travels across the network. If any malicious or suspicious packets are detected, the IPS will carry out one of the following actions:
- Terminate the TCP session that has been exploited.
- Block the offending source IP address or user account from accessing any application, target hosts or other network resources unethically.
- Reprogram or reconfigure the firewall to prevent a similar attack from occurring in the future.
- Remove or replace any malicious content that remains on the network following an attack. This is done by repackaging payloads, removing header information and removing any infected attachments from file or email servers.
Similar to the IDS, an IPS is typically configured to use a number of different approaches to protect the network from unauthorized access. These include:
The signature-based approach uses predefined signatures of well-known network threats. When an attack is initiated that matches one of these signatures or patterns, the system takes necessary action.
The anomaly-based approach monitors for any abnormal or unexpected behavior on the network. If an anomaly is detected, the system blocks access to the target host immediately.
This approach requires administrators to configure security policies according to organizational security policies and the network infrastructure. When an activity occurs that violates a security policy, an alert is triggered and sent to the system administrators.
What Are The Main Types Of Intrusion Prevention Systems?
There are four main types of Intrusion Prevention Systems including network-based, wireless, network behavior, and host-based.
Network-based IPS monitor the network for malicious activity or suspicious traffic by analyzing the protocol activity.
Network-Based intrusion prevention systems or NIPS detect and prevent malicious activity by analyzing protocol packets throughout the entire network. They are often referred to as IDS/IPS or Intrusion Detection and Prevention systems.
Once installed, NIPS gather information from a host console and network to identify permitted hosts, applications, and operating systems commonly used throughout the network.
They also log information on characteristics of normal network traffic to identify any suspicious changes to a network.
NIPS can prevent attacks in a variety of ways, such as by sending a TCP connection to prevent an attack, limiting bandwidth usage, or even rejecting suspicious network activity.
Today’s NIPS are even capable of commanding firewalls and routers to block suspicious activity.
A downside to NIPS is that it does not typically analyze encrypted network traffic, handle high traffic loads, or handle direct attacks against IDS/IPS.
NIPS primarily use signature-based detection to identify threats. Signature-based detection looks for patterns or signatures of previously recognized threats in order to identify potential new threats.
Wireless Intrusion Prevention System (WIPS)
A wireless intrusion prevention system (WIPS) operates at the Layer 2 (data link layer) level of the Open Systems Interconnection model.
WIPS can detect the presence of rogue or misconfigured devices and can prevent them from operating on wireless enterprise networks by scanning the network’s RFs for denial of service and other forms of attack.
Network Behavior IPS
This method primarily involves anomaly-based detection, which looks for deviations from what is known as “normal” behavior in system or network activity.
Upon initiation, anomaly-based detection requires a training period in which a profile for what is considered normal behavior is constructed over a period of time. Inconsistencies with that profile are flagged as malicious.
Anomaly-based detection is outstanding for identifying new threats, but issues can arise if the network is compromised during the training period, as malicious behavior might be logged as normal while a profile is being generated.
Additionally, anomaly-based detection also produces many false positives due to benign activity that wasn’t recognized during the initial training period.
Stateful protocol analysis detection is similar to anomaly-based detection in that it looks for deviations from normal network or system behavior.
The baseline of normal behavior is outlined in universal vendor-created profiles. Stateful protocol analysis is designed to differentiate between benign and suspicious activity in authenticated and unauthenticated states.
Host-based intrusion prevention systems, or HIPS, analyze activity within a single host to detect and prevent malicious activity.
HIPS primarily analyze code behavior, using both signature and anomaly-based detection method to detect suspicious activity. They are often lauded for preventing attacks that leverage encryption.
Similar to HIDS, many anti-malware solutions provide HIPS as part of their product suite.
HIPS can also prevent the host machine from processing malicious activity on a network.
Since HIPS provides security only to a single host machine or server, it’s best used alongside IDS/IPS and WIPS to provide complete threat management throughout a network, providing a comprehensive program for prevention.
By now, you’ve probably noticed that the definitions and mode of operations of an IPS and IDS are different, yet close in their objective, which is to protect the network from intruders and their methods of attack. So, what happens if you put the two technologies together? Let’s find out in the next session.
Can The IDS And IPS Work Together?
Absolutely. Around 2005, vendors combined the two technologies together in order to take advantage of their functionality.
In order for the IPS to even block any traffic, it has to first detect and inspect the traffic, which describes the functionality of the IDS.
Instead of two separate appliances performing two separate functions, it made perfect sense for firewall and other network product vendors to combine the two systems into one appliance.
Although Gartner coined the term “next-generation firewall” in 2003 and predicted they would include IPS features and would be offered in 2006, NGFWs were not widely adopted until 2013.
At that time, they began including IDS/IPS functionality, such as using signatures to identify known attacks and looking for anomalies and protocol deviations in the packet flow.
When the technologies are combined into a single appliance, the administrator has options to deploy as an inline IPS, or detection only with sensors strategically placed to passively monitor network traffic.
This configuration model provides options for the administrator to utilize the device in prevent or detect mode.
Next-generation IDS/IPS have evolved in response to advanced targeted threats that can evade first-generation IDS/IPS.
When evaluating a security solution for your corporate infrastructure or home, keep in mind that internet security threats are becoming more silent and dangerous.
A layered security system that merges signature and behavior-based technologies with other tools will enable you to level the playing field against threat actors and their attack methods.
The combined functionality of the intrusion prevention system, whether network or host-based, is one tool worthy of consideration and has its critical place in the securing of corporate network infrastructures and personal computers.
- Vulnerability Scans VS Penetration Tests: What’s The Main Difference?
- How To Perform A Successful Network Vulnerability Assessment
- What Is A Red Team VS A Blue Team In Cyber Security?
- How Often Should You Perform A Penetration Test?
- What Are The Different Types Of Penetration Testing?