Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are often conflated, but, while they both monitor for malicious traffic, they do serve different purposes in your security suite. When incorporated in a managed cloud solution, both options can be used by your MSP to fully protect your infrastructure. In this insight, we review how each system works, what the differences are, and how management can optimise the benefits of each.
What is an Intrusion Detection System (IDS)?
An IDS is software used to monitor a network for malicious activity or policy violations. Suspicious activity the IDS monitors for can include ‘signatures’ of known attacks or behaviours, such as traffic going to a malicious domain, or ‘anomalies’, such as a network login from an unexpected location, or sudden change in traffic. If any issues are detected, the system automatically reports these through an event management system, to be picked up by either your in-house IT team, or your provider, depending on your management setup. The issue can then be addressed and mitigated.
There are two main classifications of IDS: network intrusion detection systems, which analyse incoming network traffic, and host-based intrusion detection systems, which monitor operating system files. All types of IDS act as a visibility tool for your systems, alerting you to any potential issues.
What is an Intrusion Prevention System (IPS)?
An IPS is a network security tool, deployed as either a hardware appliance or software, which detects and prevents threats. An IPS detects threats and vulnerabilities in a similar way to an IDS, but goes a step further in protecting your infrastructure. Vulnerabilities in a network can be exploited by attackers to gain access; an IPS recognises and blocks attempts to exploit known vulnerabilities before they succeed, shielding the affected system while a proper fix is implemented.
An IPS will be ‘tuned’ to your needs to ensure it blocks the correct traffic – if it is not correctly configured there is a risk of either blocking legitimate traffic, or missing threats. An IPS is a control tool, assessing and controlling traffic to protect your systems.
What is the difference between an IDS and an IPS?
IDS and IPS both monitor your network for issues. While the two are often conflated, and there can be some overlap in function, there are differences in how they operate and how they are used.
The primary difference is that an IDS is passive, monitoring for and reporting threats, whereas an IPS actively acts on and blocks malicious traffic. An IDS provides you with visibility over your infrastructure, but the information it provides needs to be acted on – if you do not act on the information it gives you, it will not improve your security. An IPS automatically acts on the threats it detects, actively protecting your network.
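The following is an added example written for this article; it is not code from the original page or from any IDS/IPS product. It models, in miniature, the points made above: the same detection logic (a signature check against a list of known-bad domains, plus two anomaly checks, login from an unexpected location and a transfer far above the normal size) is run over a constructed batch of connection records, first in IDS mode, where every event is forwarded and suspicious ones only raise alerts, then in IPS mode, where suspicious events are blocked. It also shows the tuning step from the IPS section: a bulk-transfer allowlist that stops a legitimate backup server from being blocked. The log records, domain list, thresholds and allowlist are all constructed for the example.

```python
"""Toy network IDS/IPS engine: identical detections, different responses.

Added example for this article; not from the original page or any product.
All sample data, indicator lists and thresholds below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample traffic: one record per connection.
SAMPLE_EVENTS = [
    {"ts": "10:00:01", "user": "alice", "country": "GB", "dst": "intranet.example", "bytes": 1200},
    {"ts": "10:00:05", "user": "bob",   "country": "GB", "dst": "mail.example",     "bytes": 3000},
    {"ts": "10:00:09", "user": "alice", "country": "GB", "dst": "evil-c2.example",  "bytes": 400},        # signature hit
    {"ts": "10:00:12", "user": "carol", "country": "RU", "dst": "intranet.example", "bytes": 900},        # anomaly: location
    {"ts": "10:00:15", "user": "bob",   "country": "GB", "dst": "backup.example",   "bytes": 50_000_000}, # anomaly: volume
    {"ts": "10:00:18", "user": "dave",  "country": "GB", "dst": "partner.example",  "bytes": 2000},
]

# Signature: destinations known to be malicious (constructed placeholder list).
MALICIOUS_DOMAINS = {"evil-c2.example"}
# Anomaly baselines (constructed): where staff normally log in from, and how
# large a single transfer normally is.
EXPECTED_COUNTRIES = {"GB"}
BYTES_THRESHOLD = 10_000_000


@dataclass
class Verdict:
    event: dict
    reasons: list   # human-readable detection reasons
    action: str     # "alert" (IDS) or "block" (IPS)


def detect(event, bulk_allowlist=frozenset()):
    """Return the reasons an event is suspicious (empty list if it is clean).

    The signature check matches a known indicator; the anomaly checks compare
    the event against the baseline. bulk_allowlist is the tuning knob: hosts
    the operator has confirmed legitimately move large volumes are exempt
    from the volume baseline, so they are not blocked as false positives.
    """
    reasons = []
    if event["dst"] in MALICIOUS_DOMAINS:
        reasons.append("signature: destination on malicious-domain list")
    if event["country"] not in EXPECTED_COUNTRIES:
        reasons.append(f"anomaly: login from unexpected location {event['country']}")
    if event["bytes"] > BYTES_THRESHOLD and event["dst"] not in bulk_allowlist:
        reasons.append("anomaly: transfer size far above baseline")
    return reasons


def run(events, mode="ids", bulk_allowlist=frozenset()):
    """Process events in IDS (alert only) or IPS (alert and block) mode.

    Returns (verdicts, forwarded): verdicts for every suspicious event, and
    the traffic allowed through (all of it in IDS mode, clean traffic only
    in IPS mode).
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    verdicts, forwarded = [], []
    for ev in events:
        reasons = detect(ev, bulk_allowlist)
        if not reasons:
            forwarded.append(ev)
            continue
        verdicts.append(Verdict(ev, reasons, "block" if mode == "ips" else "alert"))
        if mode == "ids":
            forwarded.append(ev)  # passive: observe and report, never interfere
    return verdicts, forwarded


def summary(verdicts):
    """Count verdicts by action, e.g. Counter({'block': 3})."""
    return Counter(v.action for v in verdicts)


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        vs, fwd = run(SAMPLE_EVENTS, mode)
        print(f"{mode.upper()}: {len(fwd)} of {len(SAMPLE_EVENTS)} events forwarded; {dict(summary(vs))}")
        for v in vs:
            print(f"  [{v.action}] {v.event['ts']} {v.event['user']} -> {v.event['dst']}: {'; '.join(v.reasons)}")
    # Tuning: the backup server legitimately moves large files, so the
    # operator exempts it from the volume baseline before enabling blocking.
    vs, fwd = run(SAMPLE_EVENTS, "ips", bulk_allowlist=frozenset({"backup.example"}))
    print(f"IPS (tuned): {len(fwd)} forwarded; {dict(summary(vs))}")
```

Running it shows the trade-off the article describes: IDS mode forwards all six events and raises three alerts that someone must act on; IPS mode blocks the same three, including the legitimate backup transfer, until the allowlist is tuned, after which only the two genuine findings are blocked.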
How does management maximise the benefits of IDS and IPS?
An IDS is only effective if the information it gives is effectively acted upon. When this responsibility falls on your in-house team, who may already have a full workload or may lack specific expertise in the subject, threats can be overlooked and actions taken slowly or not at all. With an MSP, expert engineers will oversee your IDS, monitoring for any threats and acting swiftly to defend your infrastructure.
An MSP can configure your IPS to cater to your traffic requirements, ensuring it does not either block legitimate traffic, or miss threats. Correct configuration maximises the benefits brought by the system.
Both IDS and IPS allow for continuous improvements in the base security of your applications or infrastructure. Your MSP can use the information and results from the systems to make ongoing adjustments, optimising the protection provided.
Should you use IDS or IPS?
There is no single answer to which system is best, as it will depend on your own individual needs and setup.
As IDS only detects threats, it requires additional input to mitigate these. If you have the resources to act on threats detected, or are outsourcing this element to an MSP, IDS can be an efficient solution to monitor your network. If you do not have the resources to act on the information the system provides, it will not significantly improve your security.
IPS, however, is a more advanced and comprehensive solution which both detects and acts on threats. When configured correctly, it will block threats automatically, proactively defending your infrastructure. For the maximum benefits of both visibility and control, IPS may be better suited to your needs.
Protect your IT infrastructure
We offer both IDS and IPS as part of our full-stack security suite. Our experts can advise you on how best to protect your IT infrastructure – fill out our contact form today and we will be in touch.