A common notion is that an Intrusion Prevention System (IPS) is nothing more than an Intrusion Detection System (IDS) deployed in-line with blocking capabilities. This paper explains why that notion is incorrect.
Although IPS and IDS both examine traffic looking for attacks, there are critical differences. IPS and IDS both detect malicious or unwanted traffic. They both do so as completely and accurately as possible, at the speed of the network. But an IPS is an in-line device designed for automatic enforcement of network policy, whereas an IDS is an out-of-band device designed as a forensic tool for security analysts.
This difference in deployment and utility has two direct consequences:
it changes the emphasis on device design requirements, and
the methods hackers use to attack the devices.
Not surprisingly, these changes lead to different engineering designs and technology that may be ideal for IDS but may be sub-optimal for IPS, or vice versa.
IPS and IDS share four basic requirements:
Stability
Deterministic Network Performance
Minimize False Negatives
Minimize False Positives
Although these requirements appear to be similar, the differences between IPS and IDS deployment and purpose cause substantial distinctions in prioritizing the requirement, the meaning of the requirement, and implementation options available for meeting the requirement. Read this paper to learn more about the important differences between IDS and IPS.
Oracle Research Library
