IDS vs IPS: Which is safer?
5 min. czytania
Every cyberattack poses unique challenges: one-size-fits-all security solutions are rarely effective. Two particular methods are sometimes compared as alternative solutions for fighting against threats: Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
The two systems share many similarities and can be equally useful, depending on the capabilities and specific needs of the company or website admins. So, what are IDS and IPS, and is one better than the other?
IDS vs IPS
- Intrusion Detection System (IDS)
IDS scan incoming traffic for potential threats and cyberattacks. Using various detection methods (more on these later), they check for any suspicious activity that might threaten the networks or devices they cover. Having detected a suspicious or forbidden action, the system will then send a report to a website or network admin.
- Intrusion Prevention Systems (IPS)
IPS take a more proactive approach and will attempt to block incoming traffic if they detect a threat. This process builds on the same detection mechanisms as IDS, but backs them up with proactive prevention measures.
How do Intrusion Detection Systems work?
An IDS is essentially a lookout who spots the incoming enemy and alerts its superiors. The lookout itself is only there to scan for threats, not to neutralize them. It’s a system designed to work in tandem with human admins, who can then respond effectively to each unique threat. Most IDS fall into these two categories:
- Network Intrusion Detection System (NIDS): A NIDS monitors network traffic for any potential threats, without focusing on one device. This is the preferred system for administrators running a large ecosystem of connected hardware or applications; with a NIDS, they can cast a wider net.
- Host Intrusion Detection System (HIDS): This approach is much more specific than NIDS. Unlike its counterpart, an HIDS focuses only on a single “host”, a device like a computer or a server. Besides monitoring incoming traffic the hardware receives, it also scans the software on that device for any unusual activity.
It’s important to understand that these systems are not mutually exclusive. While NIDS can offer great network-wide security enhancements, HIDS provides device-specific protection. Together, these two approaches can offer excellent tools to improve security at all levels.
Detection methods
There are two detection strategies that are primarily used by IDS. Both have their own advantages and drawbacks, and their utility will largely depend on context.
- Anomaly-based systems operate on a predetermined understanding of “non-suspicious” network activity. This means that during the software installation, admins define the rules for “normal” activity, thus allowing the system to “learn” what normal is. Once an anomaly-based system has defined what would be considered “normal” user traffic, it can compare behaviors and detect when they become anomalous.
- Signature-based systems rely on a preset database of known threats and the behaviors associated with them. A signature-based IDS will scan each piece of incoming traffic and compare it with its “blocklist”. That list could contain anything from suspicious data packets associated with a DDOS attack to email subject lines previously linked to malware.
Both systems have their pros and cons. Anomaly-based detection is much more likely to mistake non-malicious behavior for a threat, because anything that deviates from its understanding of “normal” will set off the alarm. It’s not that big a problem if you use an IDS, of course, since it would simply notify a human being rather than block the traffic altogether, as an IPS would.
Signature-based systems lack the fluidity and machine-learning capabilities that an anomaly-based IDS benefits from. Any database of threats is finite, and new attack patterns emerge continually. If the list isn’t updated, the system will not be able to pick up on the threat.
So, when choosing the best detection method for their IDS, companies running traffic-heavy websites should lean towards the anomaly-based option.
How do Intrusion Prevention Systems work?
The simplest way to understand an IPS is to see it as an IDS with an additional (and potentially game-changing) feature: active prevention.
When it comes to similarities, most IPS can be classified along the same lines as IDS into network-wide and host-specific. Also, an IPS detects threats in much the same way as an IDS, using either a signature blocklist or an anomaly-based method.
The main distinction between the two systems becomes clear once an IPS has detected a potential threat. Instead of notifying a human admin, it immediately launches a preventative process, blocking and restricting the actions of whoever is sending the suspicious traffic.
Depending on the software, an IPS can reject the suspicious data packet or engage the network’s firewall. In drastic cases, it can cut the connection altogether, making the website or application inaccessible to whomever it considers to be a threat.
Differences between IDS and IPS
At first glance, IPS may seem a lot more effective than IDS. Why would you want to just detect incoming cyberthreats when you could automatically prevent them?
One issue with IPS is that of false positives. This doesn’t happen often, but when it does the system will not respond with the same nuance as a human admin would. Once detected, the perceived threat will be blocked immediately, even if there’s been a mistake. This may result in website functions being disabled or removed for non-malicious users without any human supervision.
An IDS will not block an attack or a suspicious packet, but will instead recognize it and alert website administrators. While this system might not be the fastest, it allows human admins to make the final decision on how to prevent a threat. This might be a better strategy than relying on a fallible automated system as the sole arbiter of the website traffic.
To be fair, IPS software is improving and the number of false positives is dropping. So, the system could be a good solution for websites that rely on a high volume of undisrupted traffic.
| IDS | IPS | |
|---|---|---|
| Alerts admins to potential intrusions |  |  |
| Tries to prevent intrusions | | |
| False positives can cause disruption | | |
| Relies on human admins | | |
| The best option for sites with multiple servers | | |
| The best option for internal networks | | |
Context is everything
Tempting as it is to draw absolute conclusions, context is the deciding factor when it comes to choosing one solution over the other.
Each company and user will have its own security needs and face different threats and challenges. An IPS might be suitable for one company’s internal network, but a large website with multiple servers might find IDS to be a better option.
Weigh up the merits of each system and see how they could play a role in meeting your own security needs. A tailored solution is always the most effective.
