Network administrators need to employ tools to protect their network and prevent malicious actors from gaining access. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are categories of tools commonly used for this purpose. It’s important to know the difference between them, which are best for certain types of organizations, and how to maximize their effectiveness.
In this article, we’ll go over the differences between the two systems to help you decide which is best for your organization.
- Basic overview: IDS vs. IPS
- What is an IDS? Five types and their functions
- What is an IPS? Four types and how they work
- IDS vs. IPS: Similarities and differences
- Why both IDS and IPS solutions are critical for cybersecurity
Basic overview: IDS vs. IPS
An intrusion detection system is more of an alerting system that lets an organization know if anomalous or malicious activity is detected. An intrusion prevention system takes this detection a step forward and shuts down the network before access can be gained or to prevent further movement in a network.
Get the Free Pentesting Active
Directory Environments e-book
What is an IDS? Five types and their functions
An IDS monitors and detects behavior across a network and should be considered a diagnostic solution. The system, if it detects something problematic, will alert the security team so they can investigate.
The five types of IDS leverage two types of detections:
- Signature-based detection: Signature-based IDS solutions alert administrators based on pre-existing signatures that refer to a type of attack or malicious behavior. This allows for accurate and automated alerting because the system references an existing signature database.
This kind of system often looks for indicators of compromise such as scanning file hashes, traffic going to known malicious domains, malicious byte sequences, and even email subject lines that are known phishing attacks.
- Anomaly-based detection: Anomaly-based IDS solutions are considered more effective than signature-based solutions because they’re monitoring malicious or suspicious patterns of behavior. This allows them to detect new kinds of threats, which is nearly impossible for signature-based systems.
Anomaly-based detection is often looking for behavior that differs from an established baseline. For example, if you have set normal working hours for employees, an anomaly-based IDS may flag a login occurring over the weekend. The system may also alert you based on the amount of traffic connecting to your network, or new devices being added without the right authorization.
IDS types vary based on where they’re monitoring threats and how they’re detecting them.
1. Network intrusion detection systems (NIDS)
A network intrusion detection system will monitor traffic through various sensors — placed either via hardware or software — on the network itself. The system will then monitor all traffic going through devices across the multiple sensor points.
2. Host intrusion detection systems (HIDS)
A HIDS is placed directly on devices to monitor traffic, giving network administrators a bit more control and flexibility. However, this can become burdensome depending on the organization’s size. If an organization is only leveraging HIDS, the company would have to account for every new device added within the organization, leaving room for error while also taking up a lot of time.
3. Protocol-based intrusion detection systems (PIDS)
A protocol-based IDS is often placed at the front of a server and monitors traffic flowing to and from devices. This is leveraged to secure users browsing the internet.
4. Application protocol-based intrusion detection systems (APIDS)
An APIDS is similar to a protocol-based system but monitors traffic across a group of servers. This is often leveraged on specific application protocols to specifically monitor activity, helping network administrators better segment and classify their network monitoring activities.
5. Hybrid intrusion detection systems
Hybrid IDS solutions provide a combination of the above types of intrusion detection. Some vendors' offerings cross multiple categories of IDS to cover multiple systems in one interface.
What is an IPS? Four types and how they work
An IPS has the same functionality as IDS systems in terms of detection but also contains response capabilities. An IPS solution has more agency and takes action when a potential attack, malicious behavior, or an unauthorized user is detected.
The specific functions of an IPS depend on the type of solution, but in general, having an IPS in place is helpful to automate actions and contain threats without the need for an administrator.
1. Network-based intrusion prevention system (NIPS)
A NIPS monitors and protects an entire network from anomalous or suspicious behavior. This is a broad-based system that can be integrated with additional monitoring tools to help provide a comprehensive view of an organization’s network.
2. Wireless intrusion prevention system (WIPS)
WIPS are also quite common, often monitoring any wireless networks owned by an organization. This type is similar to a NIPS but is localized to wireless networks for a more targeted detection and response.
3. Host-based intrusion prevention system (HIPS)
HIPS are often deployed on key devices or hosts that an organization needs to secure. The system will then monitor all traffic flowing through and from the host to detect malicious behavior.
4. Network behavioral analysis (NBA)
As opposed to NIPS, an NBA solution will look for anomalous behavior within patterns of a network itself, making it key for detecting incidents such as DDoS attacks, behaviors against the policy, and other types of malware.
IDS vs. IPS: Similarities and differences
An IDS and an IPS are quite similar, particularly because of their similar detection process. However, their differences will dictate whether an organization opts for one over the other.
IDS and IPS similarities
Across the two solutions, you can expect a similar level of:
- Monitoring: Both systems monitor networks, traffic, and activity across devices and servers, varying only in how targeted or broad their capabilities are.
- Alerting: Upon discovering a potential threat, only an IPS will take the next required step but both solutions first alert you to the discovery and associated action.
- Learning: Depending on the detection system used by either an IPS or IDS system, both will likely learn to spot suspicious behaviors and minimize false positives.
- Logging: Both systems will keep an account of what’s monitored and what action has been taken, so you can review performance accordingly.
IDS and IPS differences
Depending on how resourced your security team is, the differences between the systems can be very important:
- Response: This is the most important difference between the two systems. An IDS will stop at the detection phase, leaving you and your department free to decide what action to take. An IPS, depending on the settings and policy, will take action to try and contain the threat or prevent unauthorized users from embedding themselves further into your network.
- Protection: Because of the differences listed above, an IPS does offer more protection because it acts automatically, leaving little time for an attacker to continue compromising an organization.
- Impact: As a side effect of that automation, false positives may negatively impact your organization. An IPS may shut down your network or stop traffic to and from a certain device in the name of precaution and security — even if the threat didn’t require such drastic action (or the alert was a false positive).
Why both IDS and IPS solutions are critical for cybersecurity
Organizations shouldn’t necessarily consider choosing one solution over another; both are extremely helpful and many vendors offer an intrusion detection and prevention system, or IDPS, as a solution that provides the benefits of both systems.
Detection and response capabilities have proven to be crucial for organizations to not only know when an attack has reached their perimeter but also to act accordingly. By employing effective detection and response solutions, companies are catching bad actors and reducing dwell time, minimizing the impact these actors can have.
Security leaders should have an understanding of their organization’s needs as well as a list of what data requires monitoring before choosing the right IDS and/or IPS solution. They should also take stock of their own security department to determine whether they want an automated solution, they have an agency to react accordingly, or they’d prefer to have a hybrid approach.
We recommend leveraging both systems or a combination IDPS for effective protection. As organizations grow and scale, additional IDS/IPS solutions may be brought on to account for additional servers, networks, or devices.
For a deeper look at network security and how you can enhance it, Varonis Edge has solutions to explore.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers information security, tech and finance, consumer privacy, and B2B digital marketing. You can see his writing portfolio on https://josueledesma.com/Writing-Portfolio