Mike looks at intrusion detection systems (IDS) and intrusion protection systems (IPS).
- I've got a little network right here. So this yellow box is gonna be my switch, and these individual little cylinders are gonna be my hosts. And this guy right here is my connection to the internet. So he's just gonna be at this moment, well, just a router. Now, when we look at this network, it's really, really important to us that, well, we don't let naughty things happen to our network. So within the internet world, the first line of defense is going to be a firewall.
Now the firewall's main job is to prevent naughty things from the outside world coming into our network. So traditionally a firewall is going to be right here. So that's why so many routers also have built-in firewall features. Now, a router doesn't have to have that. If we wanted to, we could go out and buy a specialized firewall device. And now we can have our router and then our firewall as its own separate device. Barracuda, Pinnacle, a lot of people will sell you a box like this.
And this thing is being updated, so it's always aware of evil things that are out there. And so this is not an uncommon setup. So we've got some kind of router, we've got some kind of firewall, and then we have our network itself. Now, firewalls are great and we certainly discuss firewalls in other episodes, but we have another problem here and that is that firewalls are imperfect. So if I have an imperfect firewall, I need to have something inside the network that's watching for naughtiness to happen.
And that's where intrusion detection systems come into play. An intrusion detection system can just be a computer with specialized IDS software or it could be a specialized device, but, by nature, intrusion detection tends to be on the inside of a network. So here I'll just plug him into my switch. And his job is to watch for naughty things on the network itself. If he detects something on the network, it's the IDS's job to let somebody know. In the early generations of IDS, this would be done with they would send an email to somebody or hit their pager.
Yeah, they are that old. Today you'll get a text message or something like that. So, again, it doesn't matter to me. This could be a specialized device, or it could be a Windows machine running specialized IDS software. Now this is the first generation of intrusion detection. Now over time, we began to get intrusion detection that became what we called active. So this box would say, "Oh, I notice that there's a well-known attack coming in here." And what he could do would be to talk to the firewall itself and say, "Hey, firewall. Shut off a port."
Or, "Stop a particular application." Or, "Do something to stop this attack." And we called that, and I am using the past tense, active IDS. Active IDS is really what we call intrusion prevention now, or IPS. An IPS system does the same thing as an IDS. It's looking on the inside of the network for naughtiness, but it does something to stop it. Now, if I have a device way over here, it has a hard time stopping things 'cause it's not actually in line.
So what we usually see with IPS is something like this. This is getting long (laughs). Now, again, we can have routers that have IPS built into them, we can have firewalls with IPS built into them, but you can actually still buy IPS boxes whose only job is to provide IPS features. Now, assuming we have something like this, this box right here tends to be in line and it is certainly monitoring the internal network, but if it catches something in here, it's going to do something here to stop it and that's the big thing you need to be aware of when it comes to IDS versus IPS on the Network+.
Oh, and by the way, make sure that you can handle any question that defines the difference between a firewall versus an IDS versus an IPS.
Released 8/27/2018

This Total Seminars course covers the exam certification topics. For information on additional study resources—including practice tests, lab simulations, books, and discounted exam vouchers—visit totalsem.com/linkedin. LinkedIn Learning members receive special pricing.
This course was created by Total Seminars. We are pleased to offer this training in our library.
- Making secure connections through tunnels
- InterVLAN routing
- Port bonding and port mirroring
- IDS vs. IPS
- Routing and switching with IPv6
- Packet switching
- ISDN and BPL
- Remote desktop connectivity