Intrusion detection vs. intrusion prevention: the beginner's guide to IPS and IDS

I think you'll agree with me when I say that the words "database" and "intrusion" are not words you want to hear in the same sentence. Databases house critical information that needs to be kept private for our businesses and our customers - we can't have criminals exploiting gaps in our security and accessing this information.

Fortunately, we can take steps to stop intruders from getting in and to catch them if they manage to sneak in anyway. Let's learn about these methods and how we can put them to good use to protect our valuable data. We'll explore two systems - the IPS and the IDS - and take a look at how they compare and what you should think about when implementing them.

Part 1: The Intrusion Prevention System (IPS)

IPS stands for "intrusion prevention system." The core aim of this system is to, as its name suggests, prevent intrusions into your applications, networks, and other systems. Fortinet is a vendor specializing in the hardware and software to set this up.

Think of the IPS as a heavily secured fortress with many skilled security guards protecting it. Inside that fortress sits your application, database, or any system dealing with data. In this case, the security guards guarding the perimeter of the fortress usually have work to do – manning posts and checking the surroundings to be sure that only certain people can enter and exit the fort. So the security guards will be active, even if that work sometimes might seem minuscule.

How Does an IPS Work?

An IPS is usually placed behind a Web Application Firewall (WAF) or a similar measure, since an IPS functions as an "identifier": it identifies suspicious activity, and once it determines that the activity is a threat, it notifies the responsible people and marks the threat as "acted on". For example, Palo Alto Networks has a highly configurable IPS that actively manages anomalous traffic.

Once the threat is successfully marked as "acted on," it is up to the responsible administrator to decide what they will do next. Usually, administrators will squash the threat or inform responsible security engineers about the flaw and let them fix it. Once the flaw is resolved, an application can resume working as intended – most likely, your customers wouldn't even notice that something happened. Cool, huh?

Types of Intrusion Prevention Systems

Usually, intrusion prevention systems are categorized into types, and each might be useful for a specific purpose:

  1. Host-based Intrusion Prevention Systems defend a single server. Fail2Ban, for example, blocks IP addresses that make too many SSH login attempts.
  2. Network-based IPS rely on intelligence gathered by dedicated devices that monitor and analyze the traffic flowing through a given network.
  3. Wireless IPS are mostly deployed alongside Wi-Fi networks. They monitor a given Wi-Fi network for unauthorized access to any Wi-Fi endpoint.
  4. Network Behavior IPS monitor the network and identify threats based on how the network behaves. Such threats include applications that generate unusually high traffic. Vendors like RiskIQ offer intelligent network protection.

There are time-related costs as well. As you can see, people usually choose intrusion prevention systems based on what they need to protect.

Do You Need an IPS?

By now, you might have another question - do you need an IPS at all? You might need an IPS if:

  1. You have security engineers who frequently remind you that your networks, web applications, or other systems dealing with information are not adequately protected. This may also come in the form of white hat hackers emailing your company or security audit software returning a poor score.
  2. You have already tried similar solutions (intrusion detection systems, web application firewalls, etc.) and want to try something else in the security space as well because your current solutions are not easy to use.
  3. You might have suffered a data breach and wonder how best to protect your networks, applications, or similar systems to prevent a data breach from happening in the future.

Part 2: The Intrusion Detection System (IDS)

IDS stands for "intrusion detection system." The core aim of this system is to detect any kind of intrusion and leave further actions to your imagination.

In its simplest form, an IDS is a system that works to detect attacks aimed at various kinds of applications. Companies usually turn to an IDS once they sense a particular security-related threat. They may feel that an intrusion detection system would serve them better than the upfront hiring of security-related staff, since new staff need to be shown around and trained.

People will turn to an IDS when they need to stop an attack directed at an application. Since systems are (usually) better at detecting things than human beings are, they can enhance your ability to detect attacks. Or at least help you know what to ask for when hiring information security-related ninjas.

How Does an IDS Work?

Most intrusion detection systems work similarly to web application firewalls. They catch either:

  1. Flags (so-called "signatures") of known attack vectors, or
  2. Suspicious and possibly malicious activity by looking at patterns of deviation from "normal" traffic.

An IDS usually looks for anomalies in traffic, packets, or behavior that match specific patterns relevant to malicious software. If your network is on Tailscale, for example, you can send its logs to an IDS for analysis. Threat detection in intrusion detection systems can usually be classified into two types:

  1. Signature-based detection and
  2. Behavior-based detection.

As its name suggests, signature-based detection detects malicious behavior by looking at the "signatures" of malicious activity. In contrast, behavior-based detection goes a step further and tries to identify malicious attacks by looking at their history. In either approach, an IDS identifies what each specific process is trying to achieve in your system, and if the result is thought to be malicious, it blocks the request altogether. CrowdStrike and OSSEC are two providers of comparable intrusion detection software.

To work alongside an IDS in your daily development, you can set up bastion hosts on your cloud networks, which give you a good blend of access and security.

IDS vs. IPS Technical Differences

Here are some of the differences between the two systems at a glance:

  1. Intrusion detection systems simply detect threats but leave all of the action up to whoever is administering the detection system in the first place. Nothing will be done if the person who administers the system elects to do nothing. On the other hand, if the person who monitors the system chooses to ban everyone involved in the incident, everyone will be barred from accessing the system altogether. In contrast, intrusion prevention systems work to detect and deter threats targeting your applications. The way an IPS prevents threats heavily depends on how it is configured.
  2. An intrusion prevention system might be, ironically, more "intrusive." At least in the sense that it might receive real-time traffic from your application so it can prevent possible threats. On the other hand, an IDS would simply receive "older" (not real-time) traffic instead.
  3. These systems require upgrades from time to time, but an IPS needs to be upgraded more frequently due to the changing nature of threats.
  4. Placement – an IDS should be placed after a firewall, while an IPS would work well even when placed before it. The core reason is that the IDS, in this position, would detect threats that bypassed the firewall – those already stopped by the firewall never reach it.
  5. Both an IDS and an IPS can detect zero-day attacks (attacks that are not yet known), but only an IPS would be able to prevent them.
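To make three of the ideas above concrete - the Fail2Ban-style host protection from Part 1 (too many SSH attempts from one address), the signature-based versus behavior-based detection split from Part 2, and the "detect only" versus "detect and block" difference listed just above - here is a small added example. It is illustrative code written for this article, not code from Fail2Ban, OSSEC, CrowdStrike or any other product named on the page. The log lines, host names, user names and IP addresses are constructed (the addresses come from the RFC 5737 documentation ranges), and the `SIGNATURES` table holds one made-up rule so the two detection styles can be compared side by side.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in sshd/auth.log style; hosts, users and
# addresses are made up for this example, not real log data.
SAMPLE_LOG = """\
Mar 10 12:00:01 host1 sshd[2001]: Failed password for root from 192.0.2.10 port 50112 ssh2
Mar 10 12:00:03 host1 sshd[2002]: Failed password for root from 192.0.2.10 port 50113 ssh2
Mar 10 12:00:05 host1 sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 50114 ssh2
Mar 10 12:00:07 host1 sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 50115 ssh2
Mar 10 12:00:09 host1 sshd[2005]: Failed password for root from 192.0.2.10 port 50116 ssh2
Mar 10 12:00:20 host1 sshd[2006]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 10 12:01:00 host1 sshd[2007]: Failed password for alice from 198.51.100.7 port 40023 ssh2
Mar 10 12:01:02 host1 sshd[2008]: Accepted password for alice from 198.51.100.7 port 40024 ssh2
"""

# syslog prefix + sshd message; the source address sits inside the message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
SRC_RE = re.compile(r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port ")

# Signature-based rule (constructed for this example): a password failure for
# an account that does not exist is a known fingerprint of account guessing,
# so one matching event is enough to alert, no history needed.
SIGNATURES = {
    "ssh-invalid-user": re.compile(r"Failed password for invalid user (?P<user>\S+)"),
}


def parse(line):
    """Return (timestamp, source_ip, message), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = SRC_RE.search(m.group("msg"))
    if not src:
        return None
    # No year in syslog timestamps; strptime defaults to 1900, which is fine
    # because we only ever subtract timestamps from each other.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, src.group("ip"), m.group("msg")


def analyze(log_text, mode="ids", max_failures=5, window_seconds=60):
    """Run signature and behavior rules over a log.

    mode="ids": report alerts only and leave the response to an operator.
    mode="ips": additionally decide which source addresses to block.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    already_flagged = set()        # alert once per address for the threshold rule

    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed

        # 1. Signature-based: match known-bad patterns against the single event.
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append((name, ip, msg))

        # 2. Behavior-based: Fail2Ban-style rate threshold per source address,
        #    evaluated over a sliding time window rather than a single event.
        if msg.startswith("Failed password"):
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= max_failures and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("ssh-bruteforce-threshold", ip,
                               f"{len(recent)} failures within {window_seconds}s"))

    # The IDS/IPS difference: same detections, but only the IPS acts on them.
    blocked = {ip for _, ip, _ in alerts} if mode == "ips" else set()
    return {"alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        result = analyze(SAMPLE_LOG, mode=mode)
        print(f"[{mode}] alerts={len(result['alerts'])} blocked={sorted(result['blocked'])}")
```

Run against the sample, both modes raise the same three alerts (two signature hits for the invalid-user probes and one threshold hit once the fifth failure from 192.0.2.10 lands inside the 60-second window), while alice's single typo never trips either rule. Only `mode="ips"` turns those alerts into a block decision for 192.0.2.10; in `mode="ids"` the block set stays empty and it is up to whoever reads the alerts to act, which is exactly the first difference in the list above.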

If you are serious about protecting your systems, an IDS or an IPS will get you far. Combine both of those with a firewall, and you have got yourself a pretty strong line of defense.

Lukas is an ethical hacker, a MySQL database administrator, and a frequent conference speaker. Since 2014, Lukas has found and responsibly disclosed security flaws in some of the most visited websites in Lithuania and abroad including advertising, gift-buying, gaming, hosting websites as well as some websites of government institutions. Lukas runs one of the biggest & fastest data breach search engines in the world: BreachDirectory.com and frequently blogs in multiple places educating people about information security and other topics. He also runs his own blog over at lukasvileikis.com.