Chapter 21. Understanding IDSs and IPSs
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are important tools that offer a bird’s-eye view of your network activity. Unlike endpoint-focused controls such as antivirus software, which operate on individual devices, an IDS or IPS monitors the entire network. By not depending on end devices, you sidestep the risk that a potentially compromised device could undermine your checks, thereby maintaining the integrity of your detection and alerting mechanisms.
Furthermore, IDSs and IPSs can highlight activities that endpoint security tools might overlook. For instance, certain legitimate file-sharing activities wouldn’t raise eyebrows from an antivirus solution; however, if this activity involved your financial database server, it should certainly be flagged for investigation.
The difference between an IDS and an IPS lies in their response to potential threats. Both systems can detect, log, and alert you about suspicious traffic. However, an IPS steps it up by trying to block this suspect traffic. Think of an IDS as your vigilant security camera and an IPS as an active security guard ready to intervene.
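The following is an added example, not code from the Defensive Security Handbook: a toy network sensor that applies one rule set two ways, in IDS mode (alert and log, traffic passes) and IPS mode (alert and block). It also encodes the file-sharing scenario from the previous paragraph: SMB between workstations is left alone, but SMB or direct database access aimed at the financial database server raises an alert. All hosts, ports, flow records and rule names are constructed for illustration.

```python
"""Toy IDS/IPS sensor (added example, not from the book).

The same rules are evaluated in both modes; the only difference is what
happens once a rule fires. Hosts, ports and flows below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    service: str  # protocol the sensor identified, e.g. "smb", "mysql"


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Flow], bool]


@dataclass
class Verdict:
    flow: Flow
    alerts: List[str] = field(default_factory=list)
    action: str = "pass"  # "pass" (IDS or no alert) or "block" (IPS with alert)


# Hypothetical asset inventory: the financial database server from the text.
FINANCE_DB = {"10.0.5.20"}
WORKSTATION_NET = "10.0.1."  # constructed workstation subnet prefix

RULES = [
    # File sharing is routine between workstations; file sharing with the
    # finance database server is the kind of activity that deserves a look.
    Rule("smb-to-finance-db",
         lambda f: f.service == "smb" and f.dst in FINANCE_DB),
    # A workstation reaching the DB port directly, bypassing the app tier.
    Rule("workstation-direct-db-access",
         lambda f: f.src.startswith(WORKSTATION_NET)
         and f.dst in FINANCE_DB and f.dport == 3306),
]


def inspect(flow: Flow, mode: str) -> Verdict:
    """Evaluate one flow. IDS mode never blocks; IPS mode blocks on any alert."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts = [r.name for r in RULES if r.match(flow)]
    action = "block" if (mode == "ips" and alerts) else "pass"
    return Verdict(flow, alerts, action)


def run_sensor(flows: List[Flow], mode: str) -> List[Verdict]:
    """Run every flow through the sensor in the given mode."""
    return [inspect(f, mode) for f in flows]


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "10.0.1.40", 445, "tcp", "smb"),     # workstation to workstation
    Flow("10.0.1.15", "10.0.5.20", 445, "tcp", "smb"),     # SMB to finance DB server
    Flow("10.0.2.8", "10.0.5.20", 3306, "tcp", "mysql"),   # app server to DB (expected)
    Flow("10.0.1.22", "10.0.5.20", 3306, "tcp", "mysql"),  # workstation straight to DB
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(f"--- {mode.upper()} mode ---")
        for v in run_sensor(SAMPLE_FLOWS, mode):
            print(f"{v.flow.src} -> {v.flow.dst}:{v.flow.dport} {v.flow.service:6}"
                  f" alerts={v.alerts or '-'} action={v.action}")
```

Running it shows the same two alerts in both modes; only in IPS mode do the offending flows get a "block" verdict, which is exactly the camera-versus-guard distinction. A real deployment would also log the verdicts and, for IPS, sit inline on the traffic path rather than on a mirror port.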
Even if you’re running a smaller operation, don’t think you can’t benefit from these tools. Next-generation firewalls (NGFWs) come with built-in IDS and IPS capabilities. They are fairly affordable and well suited to the needs of small- and medium-sized businesses. These NGFWs offer an all-in-one solution that’s not ...
Get Defensive Security Handbook, 2nd Edition now with the O’Reilly learning platform.