Security / March 5, 2018

IDS vs. IPS: What Is the Difference? Two Separate-Yet-Essential Security Measures for Modern Business

IDS and IPS are both valuable tools for protecting your network, but neither one is a complete solution on its own. Here, we’ll address the details of IDS vs. IPS, including their similarities, their differences and why both should be playing vital roles in your multilayer security strategy.

What is the best threat management system for a business network, IDS or IPS? The IDS vs. IPS question is a difficult one to answer. To start, let’s address the most obvious question: What are the main differences between IDS and IPS?

At its most basic, IPS security is focused on control, while IDS offers improved visibility, monitoring website traffic and activity throughout the network and providing administrators with a big-picture view of network security. The IDS vs. IPS debate is a close one because both are essential, and because threat management isn’t about finding a single solution to every problem; it’s about layering multiple solutions in a way that offers the best protection against a variety of threats.

When it comes to protecting business networks, a single line of security simply is not enough. Layered security takes advantage of multiple security tools, each designed to defend against a specific kind of attack. Layered security works similarly to having multiple walls or fences surrounding a building, rather than relying on a single gate to protect and deter intrusion. If an attack breaches the perimeter defense, then there are still secondary, tertiary and other defenses in place, for an almost impenetrably secure system.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) security tools are two such defenses. IPS vs. IDS solutions rely on similar technology, but each fills a different function, maintains different placement in the network and defends against different kinds of attacks. To better understand this relationship, let’s review the specifics of IDS vs. IPS systems.

What Is IPS?

When breaking down the differences between IPS vs. IDS, it’s important that these complicated technical terms are as easy to understand as possible. That’s why we’ll continue on with the metaphor of the network as a building. An IPS is something like a security guard (or cybersecurity guard). It’s an active, in-network presence designed to prevent incoming attacks and stop attacks in progress. The security guard doesn’t do much to keep intruders out, but in the event that they find their way inside, the security guard has the power to stop them from doing further damage.

The IPS sits behind the firewall, directly in the communication path of any data attempting access, a placement known as “in-line.” An effective inline intrusion prevention tool, or inline IPS, monitors all incoming traffic against known security threats. It does this through a variety of mechanisms, but the two most widely used methods are statistical anomaly-based detection and signature-based detection.

Statistical anomaly-based detection allows prevention systems to take a sample of current network traffic and then compare it against a predetermined “normal” traffic baseline. To do this, the IPS must first establish a behavior profile for the network, from which it develops a set of standard operating parameters. When incoming traffic deviates from these parameters, the system takes this as evidence of a possible attack and responds accordingly.

Alternatively, signature-based detection relies on being able to watch and identify malicious traffic by its unique code pattern, or signature. To do this, IPS tools keep and maintain an ever-growing database of code exploits. As known exploits breach the outer defenses, the IPS recognizes them from its database and moves to eliminate them. When the IPS encounters new exploits, it records them for future identification.

Unfortunately, both of these methodologies face the danger of false positives. Signature-based detection that incorporates vulnerability-facing signatures allows for better software protection, even against unknown exploits, but at an increased risk of misidentifying benign traffic as malicious. Likewise, anomaly-based detection flags any deviation from the baseline, leaving little room for legitimate variations in traffic. In either case, the end result is a loss of potentially beneficial traffic.
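The following Python sketch is an added illustration, not code from the original post. It runs both detection methods described above over a handful of constructed connection records: a two-entry signature database matched against the decoded request line, and a volume baseline learned from constructed “normal” byte counts with a z-score threshold. The IP addresses, byte counts, request lines, signature names and the threshold of 3.0 are all assumptions made for the example. Two of the alerts it raises are exactly the false positives the paragraph warns about: a benign search query that happens to contain the words “union select”, and a scheduled backup whose volume falls far outside the learned baseline.

```python
"""Signature-based vs. anomaly-based detection on constructed traffic records.

Added example, not from the original article. All addresses, byte counts,
request lines and signature names are constructed for illustration.
"""
import re
from statistics import mean, pstdev
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# One record per connection: (source IP, destination port, bytes sent, request line).
Record = Tuple[str, int, int, str]

# Constructed "normal" per-connection byte counts used to learn the baseline.
BASELINE_BYTES: List[int] = [1200, 1500, 1100, 1400, 1300, 1250, 1350, 1450, 1150, 1300]

# Constructed signature database. Real IPS signatures are far more specific;
# these are kept simple so the false-positive case is easy to see.
SIGNATURES: Dict[str, re.Pattern] = {
    "sqli-union-select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

# Constructed traffic to inspect. Comments give the ground truth.
SAMPLE_TRAFFIC: List[Record] = [
    ("10.0.0.5", 443, 1400, "GET /index.html"),                              # benign
    ("10.0.0.7", 80, 1350, "GET /search?q=union+select+committee+minutes"),  # benign, but matches a signature
    ("10.0.0.9", 80, 1250, "GET /search?q=%27+union+select+1,2,3--"),        # malicious: SQL injection probe
    ("10.0.0.12", 443, 9000, "POST /upload"),                                # unexplained volume spike
    ("10.0.0.3", 22, 48000, "SSH nightly-backup job"),                       # benign backup, far above baseline
]


def signature_scan(record: Record) -> List[str]:
    """Signature-based detection: normalise the request, then match known patterns."""
    request = unquote_plus(record[3])  # decode %27 and '+' so encoded probes are not missed
    return [name for name, pattern in SIGNATURES.items() if pattern.search(request)]


def build_profile(byte_counts: List[int]) -> Tuple[float, float]:
    """Anomaly-based detection, step 1: learn the 'normal' volume profile."""
    return mean(byte_counts), pstdev(byte_counts)


def anomaly_score(record: Record, profile: Tuple[float, float]) -> float:
    """Anomaly-based detection, step 2: how many standard deviations from normal."""
    mu, sigma = profile
    return (record[2] - mu) / sigma if sigma else 0.0


def inspect(records: List[Record], profile: Tuple[float, float], z_threshold: float = 3.0) -> List[dict]:
    """Run both methods over each record and return a verdict with its reasons."""
    results = []
    for rec in records:
        reasons = [f"signature:{name}" for name in signature_scan(rec)]
        z = anomaly_score(rec, profile)
        if z > z_threshold:
            reasons.append(f"anomaly:z={z:.1f}")
        results.append({"src": rec[0], "verdict": "alert" if reasons else "pass", "reasons": reasons})
    return results


if __name__ == "__main__":
    profile = build_profile(BASELINE_BYTES)
    print(f"baseline mean={profile[0]:.0f} bytes, stdev={profile[1]:.1f}")
    for r in inspect(SAMPLE_TRAFFIC, profile):
        print(f"{r['src']:<10} {r['verdict']:<5} {', '.join(r['reasons'])}")
```

Running it shows four alerts out of five records, but only two of them are real problems; the search for “union select committee minutes” and the nightly backup are legitimate traffic that an inline device would have dropped. Tuning the signature (more context around the keywords) or the baseline (a per-host or per-time-of-day profile) is how the false-positive rate is brought down in practice.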

Of course, the IPS is just one layer, and preventing threats is just one part of the equation. Detecting threats falls to the responsibility of IDS tools.

What Is IDS?

If IPS is the security guard that takes action against incoming threats, an intrusion detection system (IDS) could be thought of as a building’s security system. The IDS is a passive security measure. A security alarm can alert security personnel when there’s a detected threat, but it cannot take direct action against the threat itself. Likewise, IDS security is limited to identifying possible cyberattacks, rather than preventing them.

To detect these threats, the IDS does not need to have an in-network presence, meaning it does not sit in the path of incoming data. Instead, IDS tools reside outside the network in an out-of-band, independent data channel. As such, these systems don’t need real-time access to data; instead, they review copies of incoming data using an external monitoring device called a network test access point (tap).

Through the tap, the IDS can examine mirrored data packets from many different points within the network. Data packet copies are compared to a library of known threats. The goal is to correctly identify malicious traffic before it can proceed further into the network.

IDS gives security engineers the power to look deep into the network without impeding the flow of network traffic. Properly used, IDS tools can help guard against a variety of threats, including policy violations, information leaks, configuration errors and unauthorized clients, servers and applications. This is all in addition to protecting against traditional viruses and Trojan-horse attacks.

However, there are some drawbacks to IDS systems that could count against them in an IDS vs. IPS debate. As the IDS uses data copies, never actually coming into contact with the original network data, it is incapable of taking direct action against threats. Instead, as the IDS identifies malicious traffic, it logs the incident and sends an alert to the network administrator. It then becomes the administrator’s responsibility to take action against the threat.

If attackers are fast enough, or if administrators don’t have the requisite experience handling the threat in question, the IDS can do very little to actually prevent damage to the user’s network.
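As an added example, not part of the original post, the simulation below puts the placement difference from the last two sections into code: an inline IPS that every packet must pass through and that can therefore drop, and an out-of-band IDS that only ever sees copies handed to it by a tap and can therefore only log and alert. Both devices use the same trivial check, so the only thing that differs is where they sit. The packets, addresses and the marker string standing in for a real signature are constructed for the example. The two failure cases at the end show the consequence of that placement: a dead IDS sensor loses visibility but traffic keeps flowing, whereas a dead inline device takes the link down with it.

```python
"""Inline IPS vs. out-of-band IDS: what each device can and cannot do to traffic.

Added example, not from the original article. The packets and the marker
string standing in for a real signature are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed marker that both devices treat as "known malicious".
BAD_MARKER = "EXAMPLE-MALICIOUS-PAYLOAD"


@dataclass
class Packet:
    src: str
    dst: str
    payload: str


def is_malicious(pkt: Packet) -> bool:
    """Shared detection logic; placement, not detection, is what differs below."""
    return BAD_MARKER in pkt.payload


@dataclass
class InlineIPS:
    """Sits in the data path: every packet must pass through it, so it can drop."""
    healthy: bool = True
    dropped: List[Packet] = field(default_factory=list)

    def forward(self, packets: List[Packet]) -> List[Packet]:
        if not self.healthy:
            # An inline device that is down takes the link down with it.
            raise RuntimeError("inline device unavailable; link blocked")
        delivered = []
        for pkt in packets:
            if is_malicious(pkt):
                self.dropped.append(pkt)  # prevention: the packet never reaches its destination
            else:
                delivered.append(pkt)
        return delivered


@dataclass
class OutOfBandIDS:
    """Receives mirrored copies from a tap: it can log and alert, nothing more."""
    healthy: bool = True
    alerts: List[str] = field(default_factory=list)

    def observe(self, copies: List[Packet]) -> None:
        if not self.healthy:
            return  # a dead sensor loses visibility but does not stop any traffic
        for pkt in copies:
            if is_malicious(pkt):
                self.alerts.append(f"ALERT {pkt.src}->{pkt.dst}: matched {BAD_MARKER}")


def tap(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """A network tap: the originals continue untouched, the monitor gets copies."""
    copies = [Packet(p.src, p.dst, p.payload) for p in packets]
    return packets, copies


def simulate(ips_healthy: bool = True, ids_healthy: bool = True) -> Dict[str, int]:
    """Push constructed traffic through tap -> IDS (copy) and IPS (inline) -> server."""
    traffic = [
        Packet("10.1.1.10", "10.2.2.20", "GET /index.html"),
        Packet("10.1.1.11", "10.2.2.20", f"POST /api {BAD_MARKER}"),
        Packet("10.1.1.12", "10.2.2.20", "GET /about"),
        Packet("10.1.1.13", "10.2.2.20", "GET /contact"),
    ]
    ips = InlineIPS(healthy=ips_healthy)
    ids = OutOfBandIDS(healthy=ids_healthy)

    originals, mirrored = tap(traffic)
    ids.observe(mirrored)  # out of band: whatever the IDS decides, delivery is unaffected
    try:
        delivered = ips.forward(originals)
        link_down = False
    except RuntimeError:
        delivered, link_down = [], True

    return {
        "delivered": len(delivered),
        "dropped": len(ips.dropped),
        "alerts": len(ids.alerts),
        "link_down": int(link_down),
    }


if __name__ == "__main__":
    print("both healthy:    ", simulate())
    print("IDS sensor down: ", simulate(ids_healthy=False))
    print("inline IPS down: ", simulate(ips_healthy=False))
```

With both devices healthy the malicious packet is dropped by the IPS and, separately, logged by the IDS; the IDS alert changes nothing about delivery, which is the point of the alarm-system analogy. Someone still has to read that alert and act on it.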

IDS vs. IPS?

When comparing IDS and IPS, it’s important to ask: What’s the difference? Because IDS and IPS security are best understood as two separate layers of network security, rather than as complete, end-all security solutions in and of themselves, it hardly makes sense to try to determine which is the better type of security. In reality, the most effective solutions are those that incorporate multiple layers into a single, comprehensive security resolution. This approach is known as unified threat management (UTM).

UTM is closely associated with IDS, but integrates multiple security features. UTMs expand upon the more traditional firewall approaches to network safety. By incorporating both intrusion prevention and intrusion detection, along with other security functions, into a single, unified appliance, UTM tools allow for improved security flexibility at reduced costs.

Rather than having to purchase and maintain multiple boxes at different points throughout the network, organizations and users can deploy a UTM solution to handle their entire network security. Effective UTM devices operate inline, and are capable of filtering, analyzing and reporting, along with load balancing and intrusion prevention. UTM solutions are designed with simplicity in mind and sometimes are not complex enough to handle certain complicated threats. At the same time, if the device fails or requires any sort of extensive maintenance, then the link will need to be disconnected, resulting in potentially damaging network downtime.

Gigamon Optimizes Network Security

IDS, IPS and even UTM solutions all have their drawbacks, but with the right tools, those drawbacks can be overlooked. As modern threat management systems adapt to combat the dangers of malicious data in motion across networks, it’s becoming clear that current solutions are simply not enough. Gigamon can change all of that.

Gigamon works with existing threat management tools. Rather than taking those tools back to the drawing board, Gigamon optimizes their capabilities, shoring up weaknesses while offering improved visibility of all incoming network traffic. In short, Gigamon makes it possible to turn every layer of an effective threat management system into an exceptional one.

The IDS vs. IPS debate asks, “What is the best threat data security management technology for a business network?” And the answer is simple: one that incorporates IDS/IPS solutions, and that has been optimized for deep visibility and superior protection, courtesy of Gigamon.
