Intrusion detection system (IDS) vs Intrusion prevention system (IPS)
IDS:
A passive system that identifies dangerous or suspicious traffic; it raises alerts but leaves the response action to an IPS.
IPS:
An active system that can block or prevent intrusions itself.
The IDPS process:
1- Inspection and investigation: analyzing suspicious packets.
2- Action: the offending packets are dropped.
3- Log/report attack.
2 types of IDPS:
1- Network-based IDPS (NIDPS): monitors activity in an organization’s network.
2- Host-based IDPS (HIDPS): monitors activity only on a host (computer or server).
Advantages of Network-based IDPS (NIDPS):
Disadvantages of Network-based IDPS (NIDPS):
Advantages of Host-based IDPS (HIDPS):
Disadvantages of Host-based IDPS (HIDPS):
2 IDPS Detection Methods:
1- Signature-based detection: matches traffic against known attack signatures.
2- Anomaly-based detection: flags activity that deviates from a baseline of normal behaviour.
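The following is an added example, not part of the original notes: a toy IDPS that runs both detection methods over constructed sample traffic and then walks the three-step process (inspect, act, log) in either IDS mode (alert only) or IPS mode (drop). The packet format, the two signatures and the "three times the median" rate threshold are assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed sample traffic (assumption: a packet is a dict with src, dst, port, payload).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "port": 80, "payload": "GET /index.html"},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "port": 80, "payload": "GET /about.html"},
    {"src": "10.0.0.7", "dst": "10.0.0.10", "port": 80,
     "payload": "GET /item?id=1 UNION SELECT password FROM users"},
] + [  # one host touching twelve different ports with otherwise harmless payloads
    {"src": "10.0.0.9", "dst": "10.0.0.10", "port": p, "payload": "SYN"} for p in range(20, 32)
]

# Signature-based detection: a small, constructed set of known attack patterns.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

def match_signatures(packet):
    """Return the names of every known signature found in the packet payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(packet["payload"])]

def anomalous_sources(packets, factor=3.0):
    """Anomaly-based detection: flag sources whose packet count is far above the
    median per-source count (the median is a crude stand-in for a learned baseline)."""
    counts = Counter(p["src"] for p in packets)
    baseline = statistics.median(counts.values())
    return {src for src, n in counts.items() if n > factor * baseline}

def run_idps(packets, mode="ids"):
    """The three-step IDPS process: inspect, act, log.
    mode="ids" only alerts (every packet is still forwarded);
    mode="ips" drops any packet that triggered a detection."""
    noisy = anomalous_sources(packets)
    forwarded, log = [], []
    for p in packets:
        reasons = match_signatures(p)                  # 1. inspection and investigation
        if p["src"] in noisy:
            reasons.append("anomaly:packet-rate")
        if not reasons:
            forwarded.append(p)
            continue
        action = "drop" if mode == "ips" else "alert"  # 2. action
        log.append({"src": p["src"], "port": p["port"], "reasons": reasons, "action": action})  # 3. log
        if mode == "ids":
            forwarded.append(p)  # an IDS is passive: the packet is delivered anyway
    return forwarded, log

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, log = run_idps(SAMPLE_PACKETS, mode)
        print(f"{mode}: forwarded {len(fwd)}/{len(SAMPLE_PACKETS)}, logged {len(log)} events")
```

In IDS mode all 15 packets are forwarded and 13 alerts are logged; in IPS mode only the two clean packets from 10.0.0.5 get through.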