Chapter 19. IDS and IPS

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) provide insight into potential security events by observing activity on a network, as opposed to examining activity locally on a host as an antivirus would, for example.

Because the checks are performed on network traffic rather than on the end devices themselves, you remove the problem of a potentially compromised host being the one that performs the checks, which would undermine confidence in the integrity of the detection and alerting mechanisms.

The use of IDS and IPS also overcomes the problem that endpoint security tools may not deem certain activity a security issue at all. For example, the use of legitimate file sharing technologies would most likely not be flagged by antivirus as unusual; however, if the host making such a connection were your financial database server, this sort of connection would certainly be worthy of investigation.

IDS and IPS are very similar technologies, with one key difference: an IDS will detect, log, and alert on traffic it deems worthy of attention, whereas an IPS will, in addition, attempt to block this traffic.
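The two points above, that a network sensor can flag traffic an endpoint tool would consider normal (file sharing from a financial database server) and that an IDS only alerts while an IPS also blocks, as an added example that is not from the book. It inspects constructed flow records rather than live packets; the addresses, port-to-service mapping and "sensitive host" rule are assumptions for the illustration.

```python
# Added example (not from the Defensive Security Handbook): a toy network
# sensor that shows the IDS/IPS distinction over constructed flow records.
from dataclasses import dataclass, field

# Assumed mapping of destination ports to file sharing services.
FILE_SHARING_PORTS = {445: "SMB", 21: "FTP", 6881: "BitTorrent"}

@dataclass
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    proto: str = "tcp"

@dataclass
class Sensor:
    mode: str                 # "ids" (alert only) or "ips" (alert and block)
    sensitive_hosts: set      # hosts whose outbound file sharing is suspicious
    alerts: list = field(default_factory=list)

    def inspect(self, flow: Flow) -> str:
        """Return 'allow' or 'block'. Both modes alert; only IPS blocks."""
        service = FILE_SHARING_PORTS.get(flow.dport)
        if flow.src in self.sensitive_hosts and service is not None:
            self.alerts.append(f"{service} from {flow.src} to {flow.dst}:{flow.dport}")
            return "block" if self.mode == "ips" else "allow"
        return "allow"

# Constructed sample traffic. 10.0.5.20 is the (assumed) financial database
# server; 10.0.50.12 is an ordinary workstation whose SMB use is expected.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.9.7", 445),        # DB server -> SMB share
    Flow("10.0.50.12", "10.0.9.7", 445),       # workstation -> SMB share
    Flow("10.0.5.20", "10.0.5.21", 5432),      # DB server -> replica (expected)
    Flow("10.0.5.20", "203.0.113.9", 6881),    # DB server -> BitTorrent peer
]

def run(mode: str) -> tuple[list[str], list[str]]:
    """Run the sensor in the given mode; return per-flow verdicts and alerts."""
    sensor = Sensor(mode=mode, sensitive_hosts={"10.0.5.20"})
    verdicts = [sensor.inspect(f) for f in SAMPLE_FLOWS]
    return verdicts, sensor.alerts

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = run(mode)
        print(mode, verdicts, alerts)
```

The workstation's SMB flow passes silently in both modes, which is the same judgement an antivirus would make; the same traffic from the database server is alerted on by the IDS and, in addition, blocked by the IPS.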

Types of IDS and IPS

IDS and IPS are terms that are sometimes used interchangeably. NIDS is often missed entirely: it is misclassified as some kind of antivirus, or grouped under the more general banner of IDS. Before we do anything else, let’s define what IDS, IPS, and NIDS actually are.

Network-Based IDS

Network-based IDS systems, or NIDS, typically use a network card in promiscuous mode to sniff ...
