The Ins and Outs of IDS/IPS

There are critical differences between IDS and IPS that can greatly impact your network security strategy. Intrusion Detection Systems (IDS) monitor network traffic and report on anomalous traffic that could be potentially malicious. Intrusion Prevention Systems (IPS) monitor network traffic and actively, immediately block malicious traffic. It is important that the right system be deployed for the job at hand. It is also important that the connection method be compatible with the job at hand.


Intrusion Detection Systems

IDS monitors network traffic; monitor is the key word here. A copy of network traffic is sent to the monitoring tool and analyzed. The analysis compares the monitored traffic against known malicious threats. These threats can be pre-programmed security policy items or known malicious software used to gain access to servers or other network equipment. A few timely examples might be ransomware attacks or phishing emails that attempt to bait employees into clicking links that install malicious software.


IDS tools do not look at live traffic and they do not take any direct action. IDS is strictly a detection device to alert network managers of potential cyber security threats. Human interaction is required to read the reports and take appropriate action.


One might note that, given the volume of network traffic and the speed at which traffic travels through the network, much damage could be done by the time a person intervenes based on IDS reports. This is the reason that IDS is best used as a post mortem diagnostic tool and not as a pre-emptive security tool.


Intrusion Prevention Systems

IPS are control systems designed to analyze live traffic and block malicious traffic based on pre-set security policies and known threats. The big difference here is that IPS is connected on live links and network traffic flows through the IPS tool in real time. IPS has the responsibility to accept or block packets based on the policies that are set in the system.


Unlike IDS, there is no human intervention required to stop threats from attacking network components. IPS blocking takes place in real time. For this reason, IPS is physically located between the outside world and the network. It is deployed at the entry point to the network where the firewall is located. Some vendors integrate firewall and IPS functionality into a single product called a Next Generation Firewall (NGFW).


Deployment Differences

It is very important to understand the difference in deployment of IPS and IDS.


IDS is a monitoring system that uses a copy of the network packets presented by a passive TAP which is connected to the live link. A passive TAP connects and protects. The TAP has integrated fail-safe technology that keeps network traffic flowing if the monitoring tool goes out of service for any reason. Traffic flows from the link through the TAP to the IDS like this:

  • Link traffic flows into the TAP

  • TAP makes a mirror copy of the live data

  • Live data immediately continues out of the TAP back into the network

  • TAP does no live packet processing

  • A mirror copy of network packets is then passed on to the IDS tool for analysis


IPS is a control system that takes in live data, analyzes the data for unauthorized or dangerous packets and actually blocks that traffic from accessing network resources. Therefore, IPS does not use a copy of live packets. Rather, IPS is integrated in-line with live traffic and communicates directly with the network in real time. It is possible, but not advisable, to connect IPS systems directly to network links. Directly connecting IPS systems in-line can impact the reliability and availability of network resources: if the IPS system becomes unavailable, the live link will not be able to pass traffic. Therefore, a unique type of TAP is used to safely connect IPS systems to live links. Traffic flows from the link through the TAP to the IPS like this:

  • Link traffic flows into the TAP

  • Live traffic is immediately passed to the IPS system

  • IPS system analyzes traffic and passes all traffic that passes policy back to the TAP

  • TAP immediately passes authorized traffic back into the network in real time

  • Packets that do not pass policy are flagged and blocked from the return path back into the network

  • If the IPS tool becomes unavailable, the TAP can bypass the IPS tool and keep network traffic flowing

  • In high-availability, highly secure networks, the TAP and IPS combination can be deployed redundantly, providing both high availability and maximum security
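The two flows above, passive TAP to IDS and in-line TAP to IPS, are easiest to compare side by side. The following is an added example, not Network Critical's code or any product's logic: a small Python model in which the packets, the "policy" (a single constructed signature) and the IDS/IPS stand-ins are all invented for illustration. It shows the three behaviours the lists describe: the IDS sees only a copy and can never stop a packet, the IPS drops the offending packet in real time, and when the IPS is down a bypass-capable TAP keeps the link up (unchecked) whereas a direct in-line connection without bypass carries nothing.

```python
# Added example (not Network Critical's code): a model of the passive
# TAP -> IDS flow and the in-line TAP -> IPS flow. Traffic, signatures and
# the IDS/IPS classes are constructed stand-ins so the script runs offline.
from dataclasses import dataclass, field

# Constructed sample traffic on the monitored link.
SAMPLE_TRAFFIC = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "payload": "GET /index.html"},
    {"src": "10.0.0.7", "dst": "192.0.2.10", "payload": "GET /../../etc/passwd"},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "payload": "POST /login user=alice"},
]

# Constructed "security policy": payload substrings treated as known-bad.
SIGNATURES = {"path-traversal": "/../"}


def match_policy(packet):
    """Return the name of the first matching signature, or None."""
    for name, needle in SIGNATURES.items():
        if needle in packet["payload"]:
            return name
    return None


@dataclass
class IDS:
    """Detection only: receives a copy, records an alert, never touches the link."""
    alerts: list = field(default_factory=list)

    def inspect_copy(self, packet_copy):
        hit = match_policy(packet_copy)
        if hit:
            self.alerts.append((packet_copy["src"], hit))


@dataclass
class IPS:
    """In-line control: returns True to forward a live packet, False to block it."""
    available: bool = True
    blocked: list = field(default_factory=list)

    def inspect_live(self, packet):
        hit = match_policy(packet)
        if hit:
            self.blocked.append((packet["src"], hit))
            return False
        return True


def passive_tap(traffic, ids):
    """Passive TAP -> IDS: mirror each packet to the IDS and forward the
    original unconditionally. The IDS cannot influence what reaches the network."""
    forwarded = []
    for pkt in traffic:
        ids.inspect_copy(dict(pkt))   # the mirror copy goes to the tool
        forwarded.append(pkt)         # the live packet continues regardless
    return forwarded


def inline_tap(traffic, ips, bypass_on_failure=True):
    """In-line TAP -> IPS: live packets go through the IPS and only those it
    passes return to the network. If the IPS is down, a bypass-capable TAP
    forwards traffic unchecked; a direct in-line connection with no bypass
    stops the link (modelled by bypass_on_failure=False)."""
    forwarded, bypassed = [], 0
    for pkt in traffic:
        if not ips.available:
            if bypass_on_failure:
                forwarded.append(pkt)
                bypassed += 1
            continue                  # no bypass: the link carries nothing
        if ips.inspect_live(pkt):
            forwarded.append(pkt)
    return forwarded, bypassed


def run_scenarios():
    """Run both flows on SAMPLE_TRAFFIC and return the observable outcomes."""
    ids = IDS()
    ids_forwarded = passive_tap(SAMPLE_TRAFFIC, ids)

    ips = IPS()
    ips_forwarded, _ = inline_tap(SAMPLE_TRAFFIC, ips)

    down = IPS(available=False)
    bypass_forwarded, bypassed = inline_tap(SAMPLE_TRAFFIC, down)
    direct_forwarded, _ = inline_tap(SAMPLE_TRAFFIC, down, bypass_on_failure=False)

    return {
        "ids_forwarded": len(ids_forwarded),        # 3: the IDS never blocks
        "ids_alerts": len(ids.alerts),              # 1: alert on the traversal attempt
        "ips_forwarded": len(ips_forwarded),        # 2: one packet blocked in real time
        "ips_blocked": len(ips.blocked),            # 1
        "bypass_forwarded": len(bypass_forwarded),  # 3: TAP bypass keeps the link up
        "bypassed": bypassed,                       # 3: but none of it was inspected
        "direct_forwarded": len(direct_forwarded),  # 0: no bypass, the link is down
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The `bypassed` counter is the number a practitioner watches in the fail-open case: the link stayed up, but every packet that crossed it while the IPS was down went uninspected, which is why the redundant TAP-plus-IPS deployment the last bullet describes exists.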


Network Critical SmartNA Portfolio

Network Critical provides passive TAPs for IDS tools as well as in-line TAPs for IPS tools. There are many options for deployment from individual TAPs to flexible modular chassis systems for large complex networks. Beyond these TAP options, the company also provides a highly featured line of Packet Brokers designed to help manage high speed, multi-link traffic for large organizations like cellular networks, service providers and government systems.


Today more than ever, cyber security is a critical component of network design strategy