What are IDS and IPS?
IPS (Intrusion Prevention System) and IDS (Intrusion Detection Systems)
IPS and IDS systems look for intrusions, and the symptoms of intrusions, in network traffic. An IPS or IDS monitors unusual behaviour, abnormal traffic, malicious code and anything else that looks like an attempted intrusion by a hacker.
IPS (Intrusion Prevention System) systems are deployed inline and actually take action: they block the attack, log it and add the source IP address to a block list for a limited amount of time, or even block the address indefinitely, depending on the environment. Hackers run many port scans and address scans with the intention of finding loopholes within organisations. An IPS recognises such scans and takes actions such as blocking, dropping, quarantining and logging the traffic. That is the basic feature of an IPS; beyond it, IPS systems have many advanced capabilities for detecting these attacks and stopping them.
IDS vs IPS
An IDS (Intrusion Detection System) only detects an intrusion, records the attack and raises an alarm for the administrator. IDS devices do not slow down the network the way an IPS can, because they are not inline.
You might wonder why a firm would buy an IDS rather than an IPS. Surely a company would want a system that takes action and blocks such attacks instead of letting them pass and only logging them and alerting the administrator? There are several reasons, but two main ones stand out. First, if not finely tuned, an IDS generates false positives just like an IPS, but the consequences differ: a false positive on an IPS is very inconvenient because legitimate network traffic gets blocked, whereas an IDS only sends a warning and records the mistaken detection. The second reason is that some administrators and managers don't want a system to take over and make decisions on their behalf; they would rather receive a warning, dig into the issue and take action themselves.
That said, today you will find solutions that combine both IDS and IPS capabilities. Initially the IDS mode can be used to see how the system behaves without actually blocking anything. Once the detections are finely tuned, IPS mode can be switched on and the system deployed inline to provide full protection.
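The behaviour described above (an IPS that blocks a scanning source and keeps it on a temporary block list, an IDS that only alerts, and the different cost of a false positive in each mode) can be seen in a small simulation. This is an added example, not code from the original article or from any product: the sensor, the port-scan threshold, the hosts, ports and timestamps are all constructed for the demonstration, and the same detection logic is run once in IDS mode and once in IPS mode so the two can be compared.

```python
# Added example (not from the original article): a toy sensor that can run either as a
# passive IDS (alert only) or as an inline IPS (alert, block, temporary blocklist).
# Traffic, hosts, thresholds and ports are all constructed for the demonstration.
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

SCAN_PORT_THRESHOLD = 10   # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 5.0  # ... within this many seconds counts as a port scan
BLOCK_SECONDS = 60.0       # IPS keeps an offending source on the blocklist this long


@dataclass
class Packet:
    ts: float      # seconds since start of capture (constructed timestamps)
    src: str       # source IP address
    dst_port: int  # destination TCP port


@dataclass
class Sensor:
    mode: str                                        # "ids" (passive) or "ips" (inline)
    alerts: list = field(default_factory=list)       # (ts, src) of every scan alert raised
    blocklist: dict = field(default_factory=dict)    # src -> time at which the block expires
    _recent: dict = field(default_factory=lambda: defaultdict(deque))  # per-source window

    def _is_port_scan(self, pkt: Packet) -> bool:
        """Sliding-window count of distinct ports probed by pkt.src."""
        window = self._recent[pkt.src]
        window.append((pkt.ts, pkt.dst_port))
        while window and pkt.ts - window[0][0] > SCAN_WINDOW_SECONDS:
            window.popleft()                          # forget probes older than the window
        return len({port for _, port in window}) >= SCAN_PORT_THRESHOLD

    def process(self, pkt: Packet) -> str:
        """Return the sensor's decision for one packet."""
        if self.mode == "ips":
            expiry = self.blocklist.get(pkt.src)
            if expiry is not None:
                if pkt.ts < expiry:
                    return "dropped"                  # still on the temporary blocklist
                del self.blocklist[pkt.src]           # block expired: let traffic through again
        if self._is_port_scan(pkt):
            self.alerts.append((pkt.ts, pkt.src))
            if self.mode == "ips":
                self.blocklist[pkt.src] = pkt.ts + BLOCK_SECONDS
                return "blocked"                      # inline: stop it and blocklist the source
            return "alerted"                          # passive: packet continues, admin notified
        return "forwarded"


def build_sample_traffic() -> list:
    """Constructed traffic: a normal client, a port scanner and a benign monitoring host."""
    pkts = []
    for i in range(3):                                 # client opens three HTTPS connections
        pkts.append(Packet(0.5 + i, "10.0.0.5", 443))
    for i, port in enumerate(range(20, 32)):           # scanner sweeps 12 ports in about 1 s
        pkts.append(Packet(1.0 + i * 0.08, "10.0.0.9", port))
    pkts.append(Packet(31.0, "10.0.0.9", 22))          # scanner returns while still blocked
    pkts.append(Packet(120.0, "10.0.0.9", 22))         # ...and again after the block expired
    services = (22, 25, 53, 80, 110, 143, 443, 993, 995, 3306)
    for sweep_start in (10.0, 12.0):                   # monitoring host polls 10 services twice;
        for i, port in enumerate(services):            # a naive threshold mistakes this for a scan
            pkts.append(Packet(sweep_start + i * 0.01, "10.0.0.2", port))
    return sorted(pkts, key=lambda p: p.ts)


def run_simulation(mode: str) -> dict:
    """Run the sample traffic through a sensor and summarise decisions per source."""
    sensor = Sensor(mode)
    decisions = defaultdict(Counter)
    for pkt in build_sample_traffic():
        decisions[pkt.src][sensor.process(pkt)] += 1
    return {"decisions": dict(decisions), "alerts": len(sensor.alerts),
            "blocklist": dict(sensor.blocklist)}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        result = run_simulation(mode)
        print(f"--- {mode.upper()} mode: {result['alerts']} alert(s) ---")
        for src, counts in sorted(result["decisions"].items()):
            print(f"{src:10s} {dict(counts)}")
        print("blocklist at end:", result["blocklist"])
```

Running it shows the trade-off from the text directly: in IPS mode the scanner's tenth probe is blocked and its later packets are dropped until the block expires, but the monitoring host's second poll cycle is dropped entirely because its first cycle looked like a scan; in IDS mode the same detections only produce alerts and every packet still reaches its destination. That is exactly why a new sensor is run in detection mode first and the threshold tuned (or the monitoring host excepted) before inline blocking is switched on.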