Information Security Stack Exchange

Difference between IDS and IPS and Firewall

The differences between an IDS and a firewall are that the latter prevents malicious traffic, whereas the IDS:

Passive IDS: the IDS only reports that there was an intrusion.
Active IDS: the IDS also takes actions against the issue to fix it or at least lessen its impact.

However, what's the difference between an IPS and a Firewall? Both are a preventative technical control whose purpose is to guarantee that
incoming network traffic is legitimate.

firewalls ids

edited Nov 6 '13 at 16:37 by schroeder (39.6k 11 78 125)
asked Nov 4 '13 at 23:10 by Ay0 (3,833 4 33 54)

2 Neither IDS, IPS, nor Firewall guarantee legitimate traffic. They inspect traffic and act according to rules.
schroeder Nov 6 '13 at 16:39

6 Answers

The line is definitely blurring somewhat as technological capacity increases, platforms are
integrated, and the threat landscape shifts. At their core we have

Firewall - A device or application that analyzes packet headers and enforces policy based
on protocol type, source address, destination address, source port, and/or destination
port. Packets that do not match policy are rejected.
Intrusion Detection System - A device or application that analyzes whole packets, both
header and payload, looking for known events. When a known event is detected a log
message is generated detailing the event.
Intrusion Prevention System - A device or application that analyzes whole packets, both
header and payload, looking for known events. When a known event is detected the
packet is rejected.

The functional difference between an IDS and an IPS is a fairly subtle one and is often nothing
more than a configuration setting change. For example, in a Juniper IDP module, changing
from Detection to Prevention is as easy as changing a drop-down selection from LOG to
LOG/DROP. At a technical level it can sometimes require redesign of your monitoring
architecture.

Given the similarity between all three systems there has been some convergence over time.
The Juniper IDP module mentioned above, for example, is effectively an add-on component to
a firewall. From a network flow and administrative perspective the firewall and IDP are
functionally indistinguishable even if they are technically two separate devices.

There is also much market discussion of something called a Next Generation Firewall
(NGFW). The concept is still new enough that each vendor has their own definition as to what
constitutes a NGFW but for the most part all agree that it is a device that enforces policy
unilaterally across more than just network packet header information. This can make a single
device act as both a traditional Firewall and IPS. Occasionally additional information is
gathered, such as from which user the traffic originated, allowing even more comprehensive
policy enforcement.

answered Nov 6 '13 at 15:17


Scott Pack
12.4k 4 47 87

Alright, this answers the question. The difference between an IPS and a firewall is that, although both reject
packets, the former inspects both header and payload whereas the latter only inspects the header. Ay0 Nov 6 '13
at 15:23

2 @yzT: For traditional devices yes, but it's important to remember that things are starting to change. Also see Web
Application Firewalls which specifically watch HTTP/HTTPS traffic and can even be adaptive to learn what normal
web traffic looks like and reject the abnormal stuff. Scott Pack Nov 6 '13 at 15:30

NGFW means policies that are tied to identities; of which users, hosts; and behaviors such as policy violations and
maliciousness. It's all blurred together. It's whatever you can do given some combination of tapping traffic at choke
points, sometimes with cooperation of hosts. Rob May 8 '15 at 1:51
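The three definitions in Scott Pack's answer, and his point that IDS versus IPS is often one configuration setting, as an added example that is not code from the answer or from any vendor: a header-only filter (firewall) sits in front of a whole-packet signature inspector whose LOG or LOG/DROP setting is the only thing that makes it an IDS or an IPS. The packet fields, rule format, signature, setting names and sample traffic are all constructed assumptions.

```python
"""Toy packet pipeline: header-only firewall, then whole-packet inspector.
Added example; packet layout, rules, signatures and traffic are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class FirewallRule:
    action: str                  # "allow" or "deny"
    proto: str = "*"             # "*" matches any protocol
    dst: str = "*"               # "*" matches any destination address
    dport: Optional[int] = None  # None matches any destination port


def firewall(rules: List[FirewallRule], p: Packet) -> bool:
    """Header-only decision: first matching rule wins; no match means reject.
    The payload is never looked at here."""
    for r in rules:
        if (r.proto in ("*", p.proto) and r.dst in ("*", p.dst)
                and r.dport in (None, p.dport)):
            return r.action == "allow"
    return False


class Mode(Enum):
    LOG = "LOG"            # IDS behaviour: report the event, let the packet through
    LOG_DROP = "LOG/DROP"  # IPS behaviour: report the event and reject the packet


@dataclass
class Inspector:
    signatures: Dict[str, bytes]   # event name -> byte pattern to look for in the payload
    mode: Mode
    log: List[str] = field(default_factory=list)

    def inspect(self, p: Packet) -> bool:
        """Whole-packet check (header and payload). Returns True if the packet passes."""
        for name, pattern in self.signatures.items():
            if pattern in p.payload:
                self.log.append(f"{name} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
                return self.mode is Mode.LOG   # same detection, different action
        return True


def pipeline(rules: List[FirewallRule], inspector: Inspector,
             packets: List[Packet]) -> List[Tuple[str, bool]]:
    """Firewall first, inspector second. Returns (which stage decided, passed)."""
    out = []
    for p in packets:
        if not firewall(rules, p):
            out.append(("firewall", False))
        else:
            out.append(("inspector", inspector.inspect(p)))
    return out


# Constructed sample policy and traffic (addresses from documentation ranges).
RULES = [FirewallRule("allow", proto="tcp", dst="10.0.0.5", dport=80)]
SIGNATURES = {"sqli-union-select": b"UNION SELECT"}
PACKETS = [
    Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 80,
           b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.7", 40001, "10.0.0.5", 80,
           b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.7", 40002, "10.0.0.5", 22,
           b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def demo(mode: Mode):
    """Run the sample traffic through the pipeline with the inspector in `mode`."""
    insp = Inspector(SIGNATURES, mode)
    return pipeline(RULES, insp, PACKETS), insp.log


if __name__ == "__main__":
    for mode in Mode:
        verdicts, log = demo(mode)
        print(mode.value, verdicts, log)
```

The SSH packet never reaches the inspector: the firewall rejects it on port alone. The injection attempt passes the firewall in both modes because its headers are identical to the legitimate request; only the inspector sees the payload, and flipping LOG to LOG/DROP turns the same log entry into a dropped packet. Note the caveat this toy makes visible: a payload carrying `UNION%20SELECT` would slip past a plain substring match, which is why real engines normalize the protocol before applying signatures.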

An active IDS is basically called an IPS.

answered Nov 4 '13 at 23:31


Lucas Kauffman
44.6k 14 89 165

Not really. As far as I know, an IPS always blocks whereas an active IDS might block, but might not as well. Other
tasks of an active IDS could be redirecting traffic to a monitored network, for example. Ay0 Nov 5 '13 at 0:46

5 @yzT It's just semantics really. For all intents and purposes, they are the same thing. Terry Chia Nov 5 '13 at 0:48

explanation for the dummies

firewall -> doorman; he keeps everyone out who tries to sneak in via open basement
windows etc, but once someone enters through the official door, he lets everybody in, esp.
when the house-owner brings guests in; *a firewall never prevents malicious traffic*, it just
allows or blocks traffic, based on port/ip
IDS (passive) / IPS (active): the guy who searches guests for weapons etc; while he
cannot run around and prevent people from sneaking in, he's able to search what people
are bringing in
IDS active vs passive: in active-mode -> kicks ass and is able to block for a certain
amount of time, in passive-mode -> just sends alerts

the only reason some would like to call an IPS different from active IDS is for marketing
purposes.

answered Nov 5 '13 at 8:02


that guy from over there
2,917 10 24

Actually, modifying traffic is a big design issue. You lose stealth when you mess with traffic. If you mess with traffic,
you need to be careful to not break applications or introduce performance problems. Rob May 8 '15 at 1:54

The IDS is an Intrusion Detection System. An IPS is an Intrusion Prevention System.

The IDS only monitors traffic. The IDS contains a database of known attack signatures, and it
compares the inbound traffic against the database. If an attack is detected then the IDS
reports the attack. But it is then up to the administrator to take action. The major flaw is that
they produce a lot of false positives.

The IPS sits between your firewall and the rest of your network. Because of this it can stop the
suspected traffic from getting to the rest of the network. The IPS monitors the inbound packets
and what they are really being used for before deciding to let the packets into the network.

answered Aug 24 '15 at 6:06


JGallardo
111 3

A firewall will block traffic based on network information such as IP address, network port and
network protocol. It will make some decisions based on the state of the network connection.

An IPS will inspect content of the request and be able to drop, alert, or potentially clean a
malicious network request based on that content. The determination of what is malicious is
based either on behavior analysis or through the use of signatures.

A good security strategy is to have them work together as a team. Both devices
complement each other.
answered Dec 13 '15 at 3:14
Rohit Gera
11 1

In addition to the existing answers, I am thinking about three additional differences:

A firewall (usually) sits at the network perimeter of the system, whereas an IDS/IPS can
not only work at the network level, but also work at the host level. Such IDS/IPS systems
are called host-based IDS/IPS. They can monitor and take action against running
processes, suspicious log-in attempts, etc. Examples include OSSEC and osquery.
Perhaps anti-virus software can also be considered a kind of IDS/IPS.
A firewall is probably easier to understand and to deploy. It can also work on its own.
But an IDS/IPS is more complex and probably needs to be integrated with other services.
For example, the output of an IDS will go into a SIEM for correlation analysis, for human
analysts, etc.
At least for a "traditional" firewall, the core is a rule-based engine. But an IDS/IPS might also
use anomaly-based detection methods to detect intrusions.

edited Aug 8 '16 at 14:36 answered Aug 8 '16 at 14:30


ZillGate
236 1 10
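ZillGate's points about host-based IDS/IPS (monitoring log-in attempts, feeding alerts onward) and rule-based versus anomaly-based detection, together with the earlier answers' point that the active variant blocks a source for a certain amount of time, as one added example that is not code from any of the answers or from OSSEC or osquery. It runs a signature rule set and a learned-baseline anomaly detector over sshd log lines; in "log" mode it only raises alerts (host IDS), in "log/drop" mode it also blocks the offending source for ten minutes (host IPS). The log lines, hostnames, addresses, rules, 60-second window, threshold formula and block duration are all constructed assumptions; the line format imitates OpenSSH's syslog messages.

```python
"""Host-based detection over constructed sshd log lines (added example).
Rule engine + anomaly engine; "log" = alert only, "log/drop" = alert and block."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed to match OpenSSH syslog lines of the form
# "Aug  8 14:30:01 host sshd[1234]: Failed password for [invalid user ]NAME from ADDR port N ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")


def parse(line, year=2016):
    """Turn one log line into an event dict, or None if it is not an auth result.
    Syslog omits the year, so it is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "failed": m["result"] == "Failed",
            "invalid": bool(m["invalid"]), "user": m["user"], "src": m["src"]}


# Rule engine: each rule is a name and a predicate over a single event.
RULES = [
    ("root-login-attempt", lambda e: e["user"] == "root"),
    ("invalid-user", lambda e: e["invalid"]),
]


class FailureBaseline:
    """Anomaly engine: learn how many failed logins one source normally produces
    inside a sliding window, then flag sources that exceed a multiple of that."""

    def __init__(self, window=timedelta(seconds=60), floor=3, factor=2):
        self.window, self.floor, self.factor = window, floor, factor
        self.threshold = floor
        self.recent = defaultdict(deque)   # src -> timestamps of recent failures

    def observe(self, e):
        """Record a failed login; return that source's failures inside the window."""
        q = self.recent[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > self.window:
            q.popleft()
        return len(q)

    def fit(self, baseline_events):
        """Learn the threshold from traffic assumed benign, then forget that traffic."""
        peak = max((self.observe(e) for e in baseline_events if e["failed"]), default=0)
        self.threshold = max(self.floor, self.factor * peak)
        self.recent.clear()
        return self.threshold


def run(baseline_lines, lines, mode="log", block_for=timedelta(minutes=10)):
    """mode="log": host IDS, alerts only. mode="log/drop": host IPS, also blocks
    a source for `block_for` once the anomaly engine flags it."""
    anomaly = FailureBaseline()
    anomaly.fit([e for e in map(parse, baseline_lines) if e])
    alerts, blocks, flagged, dropped = [], {}, set(), 0
    for e in filter(None, map(parse, lines)):
        if e["src"] in blocks and e["ts"] < blocks[e["src"]]:
            dropped += 1            # blocked source: event never reaches the rules
            continue
        for name, pred in RULES:    # signature-style rules
            if pred(e):
                alerts.append((name, e["src"], e["user"]))
        if e["failed"] and anomaly.observe(e) >= anomaly.threshold and e["src"] not in flagged:
            flagged.add(e["src"])   # one alert per source, not one per extra failure
            alerts.append(("failed-login-burst", e["src"], e["user"]))
            if mode == "log/drop":
                blocks[e["src"]] = e["ts"] + block_for
    return {"alerts": alerts, "blocks": blocks, "dropped": dropped}


# Constructed sample logs: a quiet baseline, then a password-guessing burst.
BASELINE_LINES = [
    "Aug  8 14:00:01 web1 sshd[2001]: Accepted publickey for deploy from 10.0.0.12 port 50122 ssh2",
    "Aug  8 14:05:10 web1 sshd[2002]: Failed password for alice from 10.0.0.31 port 50200 ssh2",
    "Aug  8 14:05:14 web1 sshd[2002]: Accepted password for alice from 10.0.0.31 port 50200 ssh2",
]
ATTACK_LINES = [
    "Aug  8 14:30:01 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 5123 ssh2",
    "Aug  8 14:30:02 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.9 port 5124 ssh2",
    "Aug  8 14:30:03 web1 sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 5125 ssh2",
    "Aug  8 14:30:04 web1 sshd[2104]: Failed password for bob from 203.0.113.9 port 5126 ssh2",
    "Aug  8 14:30:40 web1 sshd[2105]: Accepted publickey for deploy from 10.0.0.12 port 50300 ssh2",
    "Aug  8 14:31:20 web1 sshd[2106]: Failed password for alice from 10.0.0.31 port 50400 ssh2",
]


def demo(mode="log"):
    return run(BASELINE_LINES, ATTACK_LINES, mode)


if __name__ == "__main__":
    for mode in ("log", "log/drop"):
        print(mode, demo(mode))
```

The rule engine fires on what a single line says (a root attempt, an unknown account); the anomaly engine fires on how many failures one source produced in a minute, using a threshold learned from the baseline rather than hard-coded. Both modes produce the same four alerts, which is what a SIEM would ingest; only "log/drop" mode also blocks 203.0.113.9 and discards its fourth attempt, while alice's single later failure stays below the threshold and is left alone. Blocking for a fixed time rather than permanently is what keeps a spoofed or shared source address from turning the IPS into a denial-of-service tool against legitimate users.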
