IDS vs IPS
There are a lot of acronyms in cybersecurity, but these two are worth knowing, along with the difference between them. An IDS or an IPS can genuinely help your organization defend against threats and be ready to react quickly when an event does occur.
IDS - Detection
In cybersecurity, IDS stands for Intrusion Detection System. The key word is detect. When traffic matches one of its rules, the IDS sends a notification or alert so that your team becomes aware of the situation, inspects the event, and decides whether it needs to act or whether it was a false alarm; the IDS itself does not stop the traffic. There are many IDSs available, and this article is not a ranking of them (plenty of those exist on the web). Two common free options are Zeek (formerly Bro), a network security monitor that records and analyzes traffic, and Security Onion, a Linux distribution that bundles Zeek, Suricata and other monitoring tools into one deployment. Each has a different layout and feature set, but all share the core ability to define rules that trigger a notification when matched. Some rules ship with the product by default, and you simply point the alert output at your team's email address or a phone number to message. For example, say you need port 445 (SMB) open for business with one partner, but nobody else outside should reach it. You could write a rule that fires whenever any IP other than the partner's connects to port 445, and have the alert emailed to [email protected]. (In practice, SMB should not be exposed to the internet at all; put such a partner link behind a VPN or a firewall allow-list. The rule logic is the same either way.)
IPS - Prevention
Very similar to IDS, the acronym IPS stands for Intrusion Prevention System. Where an IDS only reports, an IPS sits inline in the traffic path and takes action to stop an intrusion before it gets in or goes any further. Again there are many available; two popular ones are Snort (which, like Suricata, acts as an IDS when watching a mirror port and as an IPS when deployed inline) and Cisco Firepower. Imagine the same port 445 scenario with a single approved partner IP. With an IPS in place we can set up the same rule, but this time when the IPS sees traffic to port 445 from any other IP, it drops the packets and can record the source address and block it for a period. (Shutting down port 445 entirely would also cut off the partner, so blocking the offending source is the better response.) This is more robust than relying on an alert, since people do not always check email promptly, or they may be tied up in a meeting or some other event. If the team could not respond to an IDS alert for several hours, who knows what havoc could happen in that time, whereas an IPS stops matching traffic essentially as it starts. The trade-off is that a false positive in an IPS blocks legitimate traffic, and an inline device can become a bottleneck or a point of failure, so rules are normally tuned in detect-only mode first and the device is configured to fail open or fail closed according to policy.
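To make the difference between the two sections above concrete, here is an added example (not code from this article, and not from Zeek, Snort, Suricata or Firepower) that runs the article's port 445 rule over a handful of constructed connection-log lines in both modes. The log format is a simplified, made-up version of a Zeek conn.log row, the addresses are RFC 5737 documentation ranges, and the partner IP 203.0.113.10 and the persistent blocklist behaviour are assumptions chosen for the illustration.

```python
"""Added example: the article's port 445 rule run in IDS mode and in IPS mode.

Not code from the original article or from any real sensor. The log format
is a constructed, simplified Zeek conn.log-style row (an assumption), the
addresses are RFC 5737 documentation ranges, and the approved partner IP
203.0.113.10 is made up for the illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed log: "<epoch ts> <src ip> <src port> <dst ip> <dst port> <proto>"
SAMPLE_LOG = """\
1700000000.100 203.0.113.10  51234 192.0.2.5 445 tcp
1700000000.200 198.51.100.77 40001 192.0.2.5 445 tcp
1700000000.300 203.0.113.10  51235 192.0.2.5 443 tcp
1700000000.400 198.51.100.78 40002 192.0.2.5 22  tcp
1700000000.500 198.51.100.77 40003 192.0.2.5 445 tcp
1700000000.600 198.51.100.77 40004 192.0.2.5 443 tcp
"""

ALLOWED_SOURCES = {ipaddress.ip_address("203.0.113.10")}  # assumed partner IP
PROTECTED_PORT = 445


@dataclass(frozen=True)
class Conn:
    ts: float
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str


def parse_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated constructed log into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto = line.split()
        conns.append(Conn(float(ts), ipaddress.ip_address(src), int(sport),
                          ipaddress.ip_address(dst), int(dport), proto))
    return conns


def rule_unapproved_smb(conn: Conn) -> bool:
    """The article's rule: any source other than the partner reaching port 445."""
    return (conn.proto == "tcp" and conn.dport == PROTECTED_PORT
            and conn.src not in ALLOWED_SOURCES)


def run_ids(conns: list[Conn]) -> list[str]:
    """IDS mode: the sensor only watches. Every connection still goes through;
    a rule match produces an alert string for a human to read."""
    return [f"ALERT ts={c.ts:.3f} {c.src}:{c.sport} -> {c.dst}:{c.dport} "
            f"unapproved access to port {PROTECTED_PORT}"
            for c in conns if rule_unapproved_smb(c)]


def run_ips(conns: list[Conn]) -> tuple[list[tuple[Conn, str, str]], set]:
    """IPS mode: the sensor is inline. A rule match is dropped and its source
    recorded; anything further from a recorded source is dropped as well,
    which is the "record that IP and block it" behaviour the article describes
    (the block lasts for the whole run here; a real IPS would expire it)."""
    blocked: set = set()
    verdicts: list[tuple[Conn, str, str]] = []
    for c in conns:
        if c.src in blocked:
            verdicts.append((c, "drop", "source already blocked"))
        elif rule_unapproved_smb(c):
            blocked.add(c.src)
            verdicts.append((c, "drop", "rule match, source added to blocklist"))
        else:
            verdicts.append((c, "forward", ""))
    return verdicts, blocked


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("IDS mode (all traffic forwarded, alerts only):")
    for alert in run_ids(conns):
        print("  " + alert)
    print("IPS mode (inline verdicts):")
    verdicts, blocked = run_ips(conns)
    for c, verdict, why in verdicts:
        print(f"  {verdict:7} {c.src}:{c.sport} -> {c.dst}:{c.dport}  {why}")
    print("blocked sources:", ", ".join(str(ip) for ip in sorted(blocked, key=str)))
```

In IDS mode all six connections are forwarded and the two unapproved SMB connections from 198.51.100.77 only produce alerts. In IPS mode those two are dropped, the source is recorded, and its later connection to port 443, which the rule itself never matched, is dropped too because the source is now on the blocklist. In a real sensor the same rule is written in the tool's own language; in Snort or Suricata, for instance, `alert tcp !203.0.113.10 any -> $HOME_NET 445 (msg:"Unapproved SMB access"; sid:1000001; rev:1;)` for detection, with the action changed to `drop` when the sensor runs inline as an IPS.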
Conclusion
Both IDS and IPS can be essential tools for your security team. The ability to detect or prevent intrusions as they happen is something that cannot be overlooked. There's nothing worse than a threat sitting inside your network without you knowing it's there. Better to stop it at the door.