Intrusion Detection and Intrusion Prevention Systems

Intrusion Detection System (IDS)

From the picture above you can probably get an idea of what we're about to talk about: two more layers of security. We already know about firewalls, content filtering, and antimalware. IDS and IPS add a layer that watches the traffic those controls let through.

What if an intruder actually makes it into our network and the firewall has no idea anything happened? That is where these devices come in. They sit on the inside of the network, and their purpose is to detect attacks and raise alerts, and, in the case of the IPS as opposed to the IDS, to try to stop them. Intrusion Detection Systems came first. The basic idea of an IDS is that it sits on the network and analyzes the traffic passing through it, usually from a copy of the traffic delivered by a switch mirror (SPAN) port or a network TAP, so it is never in the traffic path itself. If it sees something abnormal, or something that matches a known attack pattern, it generates an alert, which can go out by email, by text message to the security team, or to a logging/SIEM server. There are different ways an IDS decides that something is an intrusion; the two main ones are signature-based detection and anomaly-based detection.

One interesting approach is anomaly detection: the IDS first goes through a learning (baselining) phase where it records what normal traffic on the network looks like, for example which hosts talk to which ports and how much, and afterwards it alerts when it sees a significant deviation from that baseline. The other approach, signature-based detection, compares traffic against a database of known attack patterns; this is how an IDS recognizes things like Trojan command-and-control traffic or a known exploit. Each approach has a caveat. Signatures only catch what they describe, so the signature database on IDS and IPS devices needs to be updated regularly. Anomaly detection is only as good as the baseline it learned, so a baseline captured while an attacker was already active will treat that activity as normal.

Intrusion Prevention System (IPS)

Now that we know what an Intrusion Detection System is, let's talk about Intrusion Prevention Systems. The word prevention tells you what the IPS adds. An IPS can do everything an IDS does, but in the diagram above you can see a difference in placement: the IPS is placed inline, behind the firewall and in front of the corporate LAN, so every packet physically passes through it, whereas the IDS sits off to the side of the network and does not have to be inline because it only needs a copy of the traffic. We set the IPS up this way because we want it to be an extra layer of security before internet traffic reaches the LAN. If an attacker makes it through the firewall, the IPS can still possibly stop the attack. Being inline cuts both ways, though: a false positive on an IPS blocks legitimate traffic, and if the IPS fails or is overloaded it either blocks everything (fail-closed) or passes everything uninspected (fail-open), so that behaviour has to be chosen deliberately. A false positive on an IDS only costs an analyst some time.

The basics of an IPS: if an attacker on the internet makes it through the firewall and the IPS recognizes the attack, the IPS denies that traffic, typically by dropping the offending packets, resetting the connection, or blocking the source address for a period of time. It still sends alerts whenever it sees an attack or something strange, just like the IDS. The main difference between an IPS and an IDS is that the IPS actively defends the network, whereas the IDS only detects and sends alerts.
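To make the two detection methods and the IDS/IPS difference concrete, here is an added example (it is not code from the original post and not any real product's engine): a toy sensor that combines a couple of signature rules with a learned per-source port baseline, then runs over the same constructed traffic once as an IDS (alert only, every packet passes) and once as an IPS (alert and drop, with the source shunned afterwards). The signatures, addresses, ports and payloads are all made up for the demonstration.

```python
# Added example (not from the original post): a toy network sensor that combines
# signature-based and anomaly-based detection and runs either as an IDS (alerts
# only, traffic always passes) or as an IPS (alerts and drops).
# All packets below are constructed sample data; IPs, ports and payloads are made up.
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature rules: (name, destination port the rule applies to or None, pattern).
# Hypothetical stand-ins for real IDS rules; a production rule set has thousands.
SIGNATURES = [
    ("sql-injection-union", 80, re.compile(rb"(?i)union\s+select")),
    ("netcat-reverse-shell", None, re.compile(rb"(?i)\bnc\b.*-e\s+/bin/(ba)?sh")),
]


def signature_match(pkt):
    """Return the name of the first signature the packet matches, or None."""
    for name, port, pattern in SIGNATURES:
        if port is not None and pkt.dport != port:
            continue
        if pattern.search(pkt.payload):
            return name
    return None


class AnomalyDetector:
    """Baseline which destination ports each source normally talks to.

    After the learning phase, a source that contacts more than `threshold`
    ports outside its baseline is flagged; that pattern is typical of a port scan.
    """

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.baseline = defaultdict(set)   # src -> ports seen during learning
        self.new_ports = defaultdict(set)  # src -> unexpected ports seen since

    def learn(self, pkt):
        self.baseline[pkt.src].add(pkt.dport)

    def check(self, pkt):
        if pkt.dport in self.baseline[pkt.src]:
            return None
        self.new_ports[pkt.src].add(pkt.dport)
        if len(self.new_ports[pkt.src]) > self.threshold:
            return f"port-scan:{len(self.new_ports[pkt.src])}-unexpected-ports"
        return None


class Sensor:
    def __init__(self, mode, anomaly):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.anomaly = anomaly
        self.alerts = []      # (src, dst, dport, reason)
        self.blocked = set()  # sources an IPS has shunned

    def inspect(self, pkt):
        """Return 'pass' or 'drop'. An IDS only sees a copy, so it always returns 'pass'."""
        if pkt.src in self.blocked:
            return "drop"
        reason = signature_match(pkt) or self.anomaly.check(pkt)
        if reason is None:
            return "pass"
        self.alerts.append((pkt.src, pkt.dst, pkt.dport, reason))
        if self.mode == "ips":
            self.blocked.add(pkt.src)  # drop this packet and shun the source
            return "drop"
        return "pass"


# Constructed sample traffic (RFC 5737 documentation addresses for the outsiders).
LEARNING = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET / HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.25", 25, b"EHLO workstation"),
    Packet("10.0.0.6", "10.0.0.80", 443, b"\x16\x03\x01"),
]
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.80", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.80", 80, b"GET /item?id=2 HTTP/1.1"),
    Packet("10.0.0.5", "10.0.0.25", 25, b"MAIL FROM:<alice@example.com>"),
] + [Packet("198.51.100.9", "10.0.0.80", p, b"") for p in (21, 22, 23, 25, 80, 110, 143)]


def run(mode):
    """Baseline on LEARNING, then inspect TRAFFIC; return (alerts, verdict per packet)."""
    anomaly = AnomalyDetector(threshold=5)
    for pkt in LEARNING:
        anomaly.learn(pkt)
    sensor = Sensor(mode, anomaly)
    verdicts = [sensor.inspect(pkt) for pkt in TRAFFIC]
    return sensor.alerts, verdicts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, verdicts = run(mode)
        print(mode.upper(), "alerts:", [a[3] for a in alerts], "dropped:", verdicts.count("drop"))
```

Run it and compare the two modes: the IDS raises three alerts (the SQL injection attempt and the scanner's sixth and seventh unexpected ports) and passes all eleven packets, because it is only watching a copy. The IPS raises two alerts and drops four packets: the injection attempt, the same source's next (harmless) request because the source is now shunned, and the scanner's last two probes. That second dropped packet is the inline trade-off from the text in miniature: once the IPS acts on a verdict, everything behind that verdict, right or wrong, is blocked.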

Host vs Network

There are two deployment types for intrusion systems, host-based and network-based. A Host-Based Intrusion Detection System, or HIDS for short, runs as software on a specific computer and watches what happens on that host: its log files, its processes, and changes to important files. A Network-Based Intrusion Detection System, or NIDS, runs on a dedicated sensor or appliance at a point in the network and inspects the traffic passing that point, so one NIDS covers many hosts but cannot see what happens inside any of them (encrypted traffic, for example, hides the payload from it). In the world of networking the focus is on NIDS, which is what the diagram above shows; HIDS is still widely used on servers and endpoints precisely because it sees things a network sensor cannot.
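To show what a host-based sensor looks at, as opposed to the network traffic a NIDS inspects, here is an added example of one classic HIDS function, file integrity monitoring. It is not code from the original post or from any HIDS product: it hashes every file under a directory, keeps that as the baseline, and later reports what was added, modified or removed. The fake `/etc` tree and the "intruder" changes are constructed inside a temporary directory so the script runs anywhere offline.

```python
# Added example (not from the original post): a minimal host-based check of the
# kind a HIDS performs, file integrity monitoring. It hashes a directory tree,
# keeps the result as a baseline, and later reports what changed. The directory
# and files are created in a temporary folder, so it runs anywhere offline.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff(baseline, current):
    """Return sorted (path, change) pairs, where change is 'added', 'modified' or 'removed'."""
    changes = [(p, "added") for p in current if p not in baseline]
    changes += [(p, "modified") for p in current if p in baseline and baseline[p] != current[p]]
    changes += [(p, "removed") for p in baseline if p not in current]
    return sorted(changes)


def demo():
    """Build a fake /etc, baseline it, simulate an intrusion, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Constructed intruder activity: a second UID-0 account, a cron job, a deleted file.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "hosts").unlink()

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{change:9s} {path}")
```

None of the three changes the report lists would be visible to a network sensor: an appended line in `passwd`, a new cron file and a deleted file never cross the wire. That is the practical reason host-based and network-based detection complement each other rather than one replacing the other. A real HIDS also protects the baseline itself (stored off-host or signed), since an intruder with root can otherwise just re-baseline after making changes.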

Conclusion

That is the difference between an IPS and an IDS, and you should now have what you need to know about these two devices for the Network+ exam, so let's recap. IDS and IPS work inside the network behind the firewall, and they are there to catch things that make it through the firewall without being detected. Rather than filtering at the network edge like a firewall does, the IDS and IPS sit behind it on the inside of the network. Their job is to detect attackers and network anomalies, using signatures and learned baselines, and to send alerts by email, text, or to a logging server. We talked about the two deployment types, host-based and network-based. The IPS adds security by sitting inline and actively stopping attacks, whereas the IDS watches a copy of the traffic and only alerts.
