Every cyberattack poses unique challenges: one-size-fits-all security solutions are rarely effective. Two particular methods are sometimes compared as alternative solutions for fighting against threats: Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
Jun 12, 2020
The two systems share many similarities and can be equally useful, depending on the capabilities and specific needs of the company or website admins. So, what are IDS and IPS, and is one better than the other?
IDS scan incoming traffic for potential threats and cyberattacks. Using various detection methods (more on these later), they check for any suspicious activity that might threaten the networks or devices they cover. Having detected a suspicious or forbidden action, the system will then send a report to a website or network admin.
IPS take a more proactive approach and will attempt to block incoming traffic if they detect a threat. This process builds on the same detection mechanisms as IDS, but backs them up with proactive prevention measures.
An IDS is essentially a lookout who spots the incoming enemy and alerts its superiors. The lookout itself is only there to scan for threats, not to neutralize them. It’s a system designed to work in tandem with human admins, who can then respond effectively to each unique threat. Most IDS fall into two categories: network intrusion detection systems (NIDS), which monitor traffic across an entire network, and host intrusion detection systems (HIDS), which run on an individual device and monitor activity there.
It’s important to understand that these systems are not mutually exclusive. While NIDS can offer great network-wide security enhancements, HIDS provides device-specific protection. Together, these two approaches can offer excellent tools to improve security at all levels.
There are two detection strategies primarily used by IDS: signature-based detection, which compares traffic against a database of known attack patterns, and anomaly-based detection, which builds a model of normal behaviour and flags anything that deviates from it. Both have their own advantages and drawbacks, and their utility will largely depend on context.
Anomaly-based detection is much more likely to mistake non-malicious behaviour for a threat, because anything that deviates from its understanding of “normal” will set off the alarm. This is not that big a problem if you use an IDS, of course, since it simply notifies a human being rather than blocking the traffic altogether, as an IPS would.
Signature-based systems lack the fluidity and machine-learning capabilities that an anomaly-based IDS benefits from. Any database of threats is finite, and new attack patterns emerge continually. If the list isn’t updated, the system will not be able to pick up on the threat.
So, when choosing the best detection method for their IDS, companies running traffic-heavy websites should lean towards the anomaly-based option.
The simplest way to understand an IPS is to see it as an IDS with an additional (and potentially game-changing) feature: active prevention.
When it comes to similarities, most IPS can be classified along the same lines as IDS into network-wide and host-specific. Also, an IPS detects threats in much the same way as an IDS, using either a signature blacklist or an anomaly-based method.
The main distinction between the two systems becomes clear once an IPS has detected a potential threat. Instead of notifying a human admin, it immediately launches a preventative process, blocking and restricting the actions of whoever is sending the suspicious traffic.
Depending on the software, an IPS can reject the suspicious data packet or engage the network's firewall. In drastic cases, it can cut the connection altogether, making the website or application inaccessible to whomever it considers to be a threat.
At first glance, IPS may seem a lot more effective than IDS. Why would you want to just detect incoming cyberthreats when you could automatically prevent them?
One issue with IPS is that of false positives. This doesn’t happen often, but when it does the system will not respond with the same nuance as a human admin would. Once detected, the perceived threat will be blocked immediately, even if there’s been a mistake. This may result in website functions being disabled or removed for non-malicious users without any human supervision.
An IDS will not block an attack or a suspicious packet, but will instead recognize it and alert website administrators. While this system might not be the fastest, it allows human admins to make the final decision on how to prevent a threat. This might be a better strategy than relying on a fallible automated system as the sole arbiter of the website traffic.
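To make the two distinctions above concrete (signature-based versus anomaly-based detection, and IDS alerting versus IPS blocking, including how a false positive plays out differently in each mode), here is an added example that is not part of the original article and not any vendor's product code. The signatures, source addresses and traffic events are constructed for illustration; "anomaly detection" is reduced to a single request-rate baseline, which is far simpler than a real anomaly engine but enough to show the behaviour.

```python
"""Toy network sensor that runs either as an IDS (alert only) or as an IPS
(alert and block), using both a signature list and a simple anomaly baseline.
Added example: every host, signature and event below is constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed signature "blacklist": byte patterns treated as known-bad.
# Real IDS rule sets are far richer than a substring match.
SIGNATURES = {
    "sig-sqli-comment": b"' OR 1=1--",
    "sig-path-traversal": b"../../etc/passwd",
}


@dataclass
class Event:
    src: str        # source address (constructed)
    payload: bytes  # request bytes (constructed)


@dataclass
class Verdict:
    src: str
    reason: str
    action: str  # "alert" (IDS) or "block" (IPS)


@dataclass
class Sensor:
    mode: str        # "ids" or "ips"
    rate_limit: int  # anomaly baseline: max requests per source in the window
    signatures: dict = field(default_factory=lambda: dict(SIGNATURES))
    blocked: set = field(default_factory=set)
    verdicts: list = field(default_factory=list)
    _counts: Counter = field(default_factory=Counter)

    def _match_signature(self, payload: bytes):
        """Signature-based check: return the first matching rule name, if any."""
        for name, pattern in self.signatures.items():
            if pattern in payload:
                return name
        return None

    def _is_anomalous(self, src: str) -> bool:
        """Anomaly-based check: a source exceeding the baseline rate is 'not normal'."""
        self._counts[src] += 1
        return self._counts[src] > self.rate_limit

    def _react(self, src: str, reason: str) -> None:
        """IDS only records an alert; IPS also cuts the source off."""
        action = "alert"
        if self.mode == "ips":
            self.blocked.add(src)
            action = "block"
        self.verdicts.append(Verdict(src, reason, action))

    def process(self, event: Event) -> bool:
        """Return True if the event is delivered, False if the sensor dropped it."""
        if event.src in self.blocked:
            return False  # IPS already blocked this source; nothing more is recorded
        reason = self._match_signature(event.payload)
        if reason is None and self._is_anomalous(event.src):
            reason = "anomaly:rate"
        if reason is not None:
            self._react(event.src, reason)
            return self.mode != "ips"  # IDS lets it through, IPS drops it
        return True


def run_sample(mode: str) -> dict:
    """Run constructed traffic through a sensor and summarise what happened."""
    events = [
        # Known-bad payload from one host: caught by the signature list.
        Event("10.0.0.5", b"GET /login?user=' OR 1=1-- HTTP/1.1"),
    ]
    # A legitimate but busy client: six ordinary requests against a baseline of
    # four, so the anomaly check fires even though nothing is malicious.
    events += [Event("10.0.0.9", b"GET /catalog?page=%d HTTP/1.1" % i) for i in range(6)]
    # A quiet, normal client.
    events.append(Event("10.0.0.7", b"GET /index.html HTTP/1.1"))

    sensor = Sensor(mode=mode, rate_limit=4)
    delivered = sum(1 for e in events if sensor.process(e))
    return {"delivered": delivered, "blocked": sensor.blocked, "verdicts": sensor.verdicts}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        result = run_sample(mode)
        print(mode.upper(), "delivered:", result["delivered"], "blocked:", sorted(result["blocked"]))
        for v in result["verdicts"]:
            print("  ", v.action, v.src, v.reason)
```

Running it in IDS mode, all eight requests are delivered and three alerts are raised (one signature hit, two rate anomalies from the busy client) for an admin to review. In IPS mode the signature hit is dropped outright, and the busy client is blocked at its fifth request; its sixth request never reaches the application. That second outcome is exactly the false-positive cost the article describes: the automated block removed service from a legitimate user with no human in the loop.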
To be fair, IPS software is improving and the number of false positives is dropping. So, the system could be a good solution for websites that rely on a high volume of undisrupted traffic.
Tempting as it is to draw absolute conclusions, context is the deciding factor when it comes to choosing one solution over the other.
Each company and user will have its own security needs and face different threats and challenges. An IPS might be suitable for one company's internal network, but a large website with multiple servers might find IDS to be a better option.
Weigh up the merits of each system and see how they could play a role in meeting your own security needs. A tailored solution is always the most effective.