IDS and IPS explained

IDS: Intrusion Detection Systems

An Intrusion Detection System (IDS) is a system that passively monitors the traffic on the network (by working on a copy of the traffic). Once it detects a threat, it alerts and notifies the security team for further action.

How does an IDS work?

An IDS uses two methods of detection:

  • Signature-based detection: it detects an attack by comparing the traffic to an existing database of signatures, each of which refers to a type of attack or malicious behavior. When a match is found, the IDS raises an alert.
  • Anomaly-based detection: it detects anomalies by monitoring the behavior of the traffic. It is particularly effective against new attacks that have not been added to the signature database yet.

Types of IDS:

There are two main types of IDS:

  • Network intrusion detection systems (NIDS): placed within the company’s LAN, a NIDS examines a copy of all the traffic from all the devices on the network.
  • Host intrusion detection systems (HIDS): deployed at the endpoint level, a HIDS monitors the activities on that host (running processes, resource consumption, …) to identify threats (such as viruses and Trojan horses).


IPS: Intrusion Prevention Systems

Just like an IDS, an IPS monitors and analyzes the traffic on a network to detect a threat. However, it goes a step further by taking the appropriate security measures to stop the threat.

How Does an IPS Work?

An IPS monitors network traffic in real-time and employs various security measures to counter identified threats. These measures can include:

  • Traffic Blocking: Preventing traffic from specific sources that are deemed suspicious.
  • Port Blocking: Shutting down access to certain ports that might be exploited.
  • Packet Dropping: Discarding malicious packets to prevent them from reaching their intended destination.
  • Alerting and Reporting: Notifying the appropriate personnel about detected threats and actions taken.

An IPS automates actions to contain certain threats without intervention from the security team.

One major difference between an IDS and an IPS is that the IPS analyzes the original traffic instead of a copy: the traffic passes through the IPS, so it sits inline on the path between source and destination.

Types of IPS:

  • Network Intrusion Prevention Systems (NIPS): a NIPS analyzes the network traffic while comparing it to a database of attack signatures; once it detects an attack, it takes the necessary measures to stop it.
  • Host Intrusion Prevention Systems (HIPS): a HIPS analyzes the traffic going to and from the host to detect malicious behavior.

However, it's important to note that an IPS may occasionally generate false positives, inadvertently blocking legitimate traffic because it acts on its detections automatically.



By: Karim Belhadj


#cybersecurity #networking #network #IPS #IDS #security

Mourad A. HARIMA

Telco Cloud, 5G Engineer @LabLabee | 5GaaS | OpenRAN | AWS | SDN | NFV | Bash Scripting

1 year

Very helpful !

