Difference Between IPS and IDS

You can place a sensor in the network to analyze traffic in one of two ways. The first option is to put the sensor inline with the traffic, which means that any traffic crossing that point in your network is forced to enter one physical or logical port on the sensor. The sensor analyzes the traffic and then, if the packet is allowed to continue toward its destination, forwards it out another physical or logical interface. If the traffic (during its short layover at the sensor) is identified as malicious, the sensor can decide, based on the rules configured, not to forward the packet any further and drop it. Because the sensor is inline, and because it can drop a packet and so deny it from ever reaching its destination (where it might cause harm), the sensor has in fact prevented that attack from being carried out. That is the concept behind an intrusion prevention system (IPS). Whenever you hear IPS mentioned, you immediately know that the sensor is inline with the traffic, which is what makes it possible to stop an attack from getting further into the network. One drawback of an IPS is precisely that it is inline: if the sensor fails and you have no alternate path in your network, the entire network segment behind it can fail along with it. Depending on the platform, you may be able to configure the sensor to "fail open," meaning that should the sensor fail, all traffic, both good and malicious, continues to pass through it unexamined. The sensor can instead be configured in "fail closed" mode, meaning that should the sensor fail, no traffic, good or malicious, passes through it at all. Fail open favors availability; fail closed favors security; which one is appropriate depends on what sits behind the sensor. In addition, an inline IPS adds a small amount of latency, because every packet must be analyzed before it is forwarded.

So, then, what is an intrusion detection system (IDS)? To understand IDS, take the same sensor as before, but instead of placing it inline in the network, send it copies of the packets that are passing through the network. The sensor receives these copies in what is called promiscuous mode (so named because it will look at anything you send it), and it can still analyze the traffic and generate alerts. However, because the original packet (of which the sensor holds only a copy) is already on its way toward the destination, the sensor by itself cannot stop that original packet from getting further into the network. So the IDS is detecting the attack (hence the term intrusion detection system) but not preventing it. In a nutshell, that is the difference between an IPS, which is inline, and an IDS, which operates in promiscuous mode, is not inline, and simply analyzes copies of packets handed to it (typically by a switch configured with a SPAN, or mirror, port, or by a network tap). One benefit of an IDS is that it adds no delay to the original packet, and if the IDS fails it does not hinder network throughput, because the IDS is not in the path of production traffic. The corollary is that an IDS cannot mitigate an attack directly, because it has no ability to deny (prevent) malicious packets from entering the network; any response it triggers, such as alerting an operator or requesting a block on another device, happens after the packets it saw have already been delivered.
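The two deployment modes just described, as an added example that is not from the book: a toy sensor run once inline (IPS) and once in promiscuous mode (IDS) over the same constructed packets, including the fail-open and fail-closed behavior when the sensor's engine goes down. The packets, the single "directory traversal" signature, and the `healthy` flag used to inject a failure are all assumptions made for the example, not a real sensor's configuration.

```python
"""Toy model of inline (IPS) versus promiscuous (IDS) sensor placement.

Added example, not from the book. Packets, the signature and the
failure injection are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


class SensorFailure(Exception):
    """Raised when the sensor's analysis engine is down."""


def is_malicious(pkt: Packet) -> bool:
    """Hypothetical signature: flag any payload carrying a '../' traversal."""
    return b"../" in pkt.payload


@dataclass
class Sensor:
    mode: str                 # "inline" (IPS) or "promiscuous" (IDS)
    fail_open: bool = True    # only meaningful for inline placement
    healthy: bool = True      # set False to simulate a sensor failure
    alerts: List[str] = field(default_factory=list)

    def analyze(self, pkt: Packet) -> bool:
        """Return True if the packet matched a signature (and record an alert)."""
        if not self.healthy:
            raise SensorFailure("analysis engine down")
        if is_malicious(pkt):
            self.alerts.append(f"{pkt.src}->{pkt.dst}: traversal attempt")
            return True
        return False


def forward_inline(sensor: Sensor, traffic: Iterable[Packet]) -> List[Packet]:
    """IPS: every packet must pass through the sensor before it is forwarded."""
    delivered: List[Packet] = []
    for pkt in traffic:
        try:
            if sensor.analyze(pkt):
                continue            # verdict: drop; the packet never reaches dst
        except SensorFailure:
            if not sensor.fail_open:
                continue            # fail closed: nothing passes, good or bad
            # fail open: engine bypassed, packet forwarded unexamined
        delivered.append(pkt)
    return delivered


def forward_promiscuous(sensor: Sensor, traffic: Iterable[Packet]) -> List[Packet]:
    """IDS: the switch (SPAN port) hands the sensor a COPY of each packet.

    The original is forwarded regardless of verdict and regardless of
    sensor health; the sensor can alert but never drop.
    """
    delivered: List[Packet] = []
    for pkt in traffic:
        delivered.append(pkt)       # original is already on its way
        try:
            sensor.analyze(pkt)     # may alert; cannot influence delivery
        except SensorFailure:
            pass                    # copy lost; production path unaffected
    return delivered


def run_scenario(mode: str, fail_open: bool = True, healthy: bool = True) -> Tuple[int, int]:
    """Run constructed traffic through a sensor; return (delivered, alerts)."""
    traffic = [  # constructed sample packets
        Packet("10.0.0.5", "10.0.0.80", b"GET /index.html"),
        Packet("10.0.0.9", "10.0.0.80", b"GET /../../etc/passwd"),
        Packet("10.0.0.5", "10.0.0.80", b"GET /logo.png"),
    ]
    sensor = Sensor(mode, fail_open, healthy)
    forward: Callable = forward_inline if mode == "inline" else forward_promiscuous
    delivered = forward(sensor, traffic)
    return len(delivered), len(sensor.alerts)


if __name__ == "__main__":
    print("IPS inline, healthy:          ", run_scenario("inline"))
    print("IDS promiscuous, healthy:     ", run_scenario("promiscuous"))
    print("IPS inline, failed, fail open:", run_scenario("inline", True, False))
    print("IPS inline, failed, fail closed:", run_scenario("inline", False, False))
    print("IDS promiscuous, failed:      ", run_scenario("promiscuous", healthy=False))
```

Running it shows the contrast in one screen: the healthy inline sensor delivers two of three packets and raises one alert, the healthy promiscuous sensor delivers all three and raises the same alert, a failed inline sensor delivers either everything (fail open) or nothing (fail closed) with no alerts, and a failed promiscuous sensor still delivers everything because it was never in the path.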

Figure 17-1 shows a sensor implementation as an IDS versus an IPS. Also be aware that one physical sensor appliance with multiple interfaces could be configured as an IDS in one part of the network and as an IPS in a different part of the network.

Figure 17-1 IPS Versus IDS

The ability to compare and contrast the two implementation methods is important for both certification and the real world. Table 17-2 provides a side-by-side comparison.

Table 17-2 IDS Versus IPS
