IPS and IDS: Role and Function

Like many things in the rapidly changing world of IT security, the roles of these systems are not as distinct as they once were. Both types of security monitoring solutions look for intrusions and violations of network policy, in order to protect an organization from being compromised. Traditionally, however, they were designed to be deployed in different parts of the network and focus on different goals.

IPS Function

The Intrusion Prevention System (IPS) was designed to be deployed inline on the network, close to the perimeter, and complement the work of the network firewall. While the firewall works to positively identify traffic that is allowed to move on towards the internal network, the IPS looks for dangerous incoming packets or traffic that violate specific rules or network policies. Once suspicious traffic is identified, the IPS takes action by automatically blocking the traffic, logging the attack, and adding the source IP address to the block list for a period of time. IPS systems can also identify port scans that hackers use to find a vulnerability in a particular network.

As an inline device, the IPS must perform its inspection work quickly to avoid degrading network performance and to stop potential attacks in real-time. The IPS must also detect and respond accurately, to eliminate false positives or alerts that must be followed up by security staff.

IDS Function

The Intrusion Detection System (IDS) is the older of the two systems and is used offline, or out-of-band, to identify and log violations and send an alert to an administrator, or report the violation to a central repository called a ‘security information and event management (SIEM) system.’ A SIEM system can centrally combine alerts from multiple tools or sources to better distinguish malicious activity from false alarms. The traffic that is sent to an IDS is a copy of live traffic, generated by a SPAN port or network tap, and is not routed back into the trusted network. This is sometimes referred to as passive monitoring, since no automatic action is taken. Because it does not operate on live traffic and have the constraint of having to perform at line speed, an IDS can be used to perform more complex analyses and investigations.

While the focus of the firewall and IPS are on packets or traffic incoming to the organization, some IDS devices also designed to look for attacks that originate within the internal network. For this reason, an IDS can be deployed at any strategic point in the network.

Some IDS systems can be configured to take a pre-defined proactive action in response to a threat. One example would be to modify the rules of a firewall to block unwanted traffic from a particular IP address. This is known as a reactive IDS. It is not strictly a passive device, but it remains deployed out-of-band. This is one of the areas in which the difference between an IPS and an IDS narrows.

Identification Techniques

The providers of IPS and IDS systems continually develop new ways to identify threats and circumvent security breaches. Initially, these systems relied on signature-based identification, in which past attacks were analyzed to come up with identifying characteristics (or signatures) that the appliances then search for. The limitation, of course, is that new attacks need to be successfully identified and characterized before they can be added to the search criteria. Statistical anomaly-based techniques were then added so the systems could produce alerts based on traffic that was deemed out of the ordinary. This helps to flag what could be new attacks, but also requires a fair amount of system tuning to limit the number of false positives. Many IPS and IDS systems combine signature and anomaly-based detection.

More recently, rule-based techniques are being used to go beyond simple packet inspection and make more sophisticated predictions based on multiple events taking place on the network. The idea is that if Event A and Event B both take place, neither of them necessarily suspicious on their own, but are then followed by Event C, then it can be presumed an attack is underway. This capability is sometimes referred to as an “inference engine” and can help preempt attacks.

Best Practices for Supporting Security Devices

Whether your organization deploys and IPS, IDS, or both, there are ways to help your security systems be more effective and efficient.


To maintain a strong security posture, many organizations use both IPS and IDS systems to monitor network traffic. Keep in mind that many attacks are designed to take advantage of known holes in security software or delays in completing system updates. For this reason, it is important to keep security systems operating at full strength using the latest releases.