Inside Out Security Blog   /  

IDS vs. IPS: What is the Difference?

IDS vs. IPS: What is the Difference?

Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) also analyzes packets, but can also stop the packet from being delivered based on what kind of attacks it detects — helping stop the attack.

How Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) Work

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are both parts of the network infrastructure. IDS/IPS compare network packets to a cyberthreat database containing known signatures of cyberattacks — and flag any matching packets.

Get the Free Pentesting Active
Directory Environments e-book

The main difference between them is that IDS is a monitoring system, while IPS is a control system.

IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

  • Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
  • Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. IPS proactively deny network traffic based on a security profile if that packet represents a known security threat.

Many IDS/IPS vendors have integrated newer IPS systems with firewalls to create a Unified Threat Management (UTM) technology that combines the functionality of those two similar systems into a single unit. Some systems provide both IDS and IPS functionality in one unit.

The Differences Between IDS and IPS

venn diagram on ids vs ips

Both IDS/IPS read network packets and compare the contents to a database of known threats. The primary difference between them is what happens next. IDS are detection and monitoring tools that don’t take action on their own. IPS is a control system that accepts or rejects a packet based on the ruleset.

IDS requires a human or another system to look at the results and determine what actions to take next, which could be a full time job depending on the amount of network traffic generated each day. IDS makes a better post-mortem forensics tool for the CSIRT to use as part of their security incident investigations.

The purpose of the IPS, on the other hand, is to catch dangerous packets and drop them before they reach their target. It’s more passive than an IDS, simply requiring that the database gets regularly updated with new threat data.

*Point of emphasis: IDS/IPS are only as effective as their cyberattack databases. Keep them updated and be prepared to make manual adjustments when a new attack breaks out in the wild and/or the attack signature isn’t in the database.

Why IDS and IPS are Critical for Cybersecurity

what ids and ips cover

Security teams face an ever-growing threat of data breaches and compliance fines while continuing to struggle with budget limitations and corporate politics. IDS/IPS technology covers specific and important jobs of a cybersecurity strategy:

  • Automation: IDS/IPS systems are largely hands-off, which makes them ideal candidates for use in the current security stack. IPS provides the peace of mind that the network is protected from known threats with limited resource requirements.
  • Compliance: Part of compliance often requires proving that you have invested in technologies and systems to protect data. Implementing an IDS/IPS solution checks off a box on the compliance sheet and addresses a number of the CIS Security controls. More importantly, the auditing data is a valuable part of compliance investigations.
  • Policy enforcement: IDS/IPS are configurable to help enforce internal security policies at the network level. For example, if you only support one VPN, you can use the IPS to block other VPN traffic.

Varonis DatAlert complements IDS/IPS: while network security is critical for protection from data breaches — and IDS/IPS solutions fill that role perfectly — Varonis monitors real-time activity on data, which is a critical layer to any cybersecurity strategy.

When a new ransomware attack breaks out the IDS/IPS might not have the signatures ready to prevent the attack at the network level. Varonis, however, not only includes signature-based ransomware detection, but also recognizes the characteristics and behavior of a ransomware attack — multiple files modified in a short time for example — and automatically triggers an alert to stop the attack before it spreads.

Want to see how it works? Get a 1:1 demo to see how Varonis complements your IDS/IPS for a strong cybersecurity strategy.