Difference between IDS and IPS and Firewall

  • The differences between an IDS and a firewall are that the latter prevents malicious traffic, whereas the IDS:

    • Passive IDS: the IDS only reports that there was an intrusion.
    • Active IDS: the IDS also takes actions against the issue to fix it or at least lessen its impact.

    However, what's the difference between an IPS and a Firewall? Both are a preventative technical control whose purpose is to guarantee that incoming network traffic is legitimate.

    Neither IDS, IPS, nor Firewall guarantee legitimate traffic. They inspect traffic and act according to rules.

  • Scott Pack, Correct answer

    7 years ago

    The line is definitely blurring somewhat as technological capacity increases, platforms are integrated, and the threat landscape shifts. At their core we have

    • Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
    • Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
    • Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.

    The functional difference between an IDS and an IPS is a fairly subtle one and is often nothing more than a configuration setting change. For example, in a Juniper IDP module, changing from Detection to Prevention is as easy as changing a drop-down selection from LOG to LOG/DROP. At a technical level it can sometimes require redesign of your monitoring architecture.

    Given the similarity between all three systems there has been some convergence over time. The Juniper IDP module mentioned above, for example, is effectively an add-on component to a firewall. From a network flow and administrative perspective the firewall and IDP are functionally indistinguishable even if they are technically two separate devices.

    There is also much market discussion of something called a Next Generation Firewall (NGFW). The concept is still new enough that each vendor has their own definition as to what constitutes a NGFW but for the most part all agree that it is a device that enforces policy unilaterally across more than just network packet header information. This can make a single device act as both a traditional Firewall and IPS. Occasionally additional information is gathered, such as from which user the traffic originated, allowing even more comprehensive policy enforcement.

    Alright, this answers the question. The **difference between an IPS and a firewall** is that, although both reject packets, the former inspects both header and payload whereas the latter only inspects the header.

    @yzT: For traditional devices yes, but it's important to remember that things are starting to change. Also see Web Application Firewalls which specifically watch HTTP/HTTPS traffic and can even be adaptive to learn what normal web traffic looks like and reject the abnormal stuff.

    NGFW means policies that are tied to identities; of which users, hosts; and behaviors such as policy violations and maliciousness. It's all blurred together. It's whatever you can do given some combination of tapping traffic at choke points, sometimes with cooperation of hosts.
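As an added illustration of the three definitions in Scott Pack's answer (not code from the original question or answer, and not any vendor's implementation), the toy model below puts a header-only firewall in front of a signature engine and shows that the only difference between "IDS" and "IPS" behaviour is the per-signature action setting, mirroring the LOG versus LOG/DROP drop-down the answer mentions. The packets, allow rules and signature patterns are all constructed for this example; the `Packet`, `firewall`, `inspect` and `pipeline` names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet: header fields plus an opaque payload (constructed)."""
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Verdict:
    action: str                              # "accept" or "drop"
    log: List[str] = field(default_factory=list)


# Firewall policy (constructed): header fields only, default deny.
FIREWALL_ALLOW: List[Dict] = [
    {"proto": "tcp", "dport": 80},
    {"proto": "tcp", "dport": 443},
    {"proto": "udp", "dport": 53},
]

# Signatures (constructed): a header constraint plus a payload pattern.
# A real engine would normalise case and encoding before matching.
SIGNATURES: List[Tuple[str, Dict, bytes]] = [
    ("http-path-traversal", {"proto": "tcp", "dport": 80}, b"../../"),
    ("http-sqli-union",     {"proto": "tcp", "dport": 80}, b"UNION SELECT"),
]


def header_matches(pkt: Packet, fields: Dict) -> bool:
    return all(getattr(pkt, k) == v for k, v in fields.items())


def firewall(pkt: Packet) -> str:
    """Traditional firewall: decides on header fields alone, never reads the payload."""
    return "accept" if any(header_matches(pkt, r) for r in FIREWALL_ALLOW) else "drop"


def inspect(pkt: Packet, sig_action: str) -> Verdict:
    """Signature engine shared by IDS and IPS.

    sig_action is the per-signature setting: "LOG" gives detection-only
    behaviour (IDS); "LOG/DROP" makes the same match reject the packet (IPS).
    """
    hits = [name for name, hdr, pat in SIGNATURES
            if header_matches(pkt, hdr) and pat in pkt.payload]
    log = [f"{name} matched {pkt.src}->{pkt.dst}:{pkt.dport}" for name in hits]
    if hits and sig_action == "LOG/DROP":
        return Verdict("drop", log)
    return Verdict("accept", log)


def pipeline(pkt: Packet, sig_action: str = "LOG") -> Verdict:
    """Firewall first, then payload inspection, like a firewall with an IDP add-on."""
    if firewall(pkt) == "drop":
        return Verdict("drop", [f"firewall: no policy allows {pkt.proto}/{pkt.dport} from {pkt.src}"])
    return inspect(pkt, sig_action)


# Constructed sample traffic (documentation-range addresses).
SAMPLE: Dict[str, Packet] = {
    "ssh":      Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
    "http_ok":  Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                       b"GET /index.html HTTP/1.1\r\n"),
    "http_bad": Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                       b"GET /../../etc/passwd HTTP/1.1\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        for mode in ("LOG", "LOG/DROP"):
            v = pipeline(pkt, mode)
            print(f"{name:9s} {mode:9s} -> {v.action:6s} {v.log}")
```

Running it shows the three behaviours side by side: the SSH packet never reaches the signature engine because the firewall rejects it on the header alone; the benign HTTP request passes both stages silently; the traversal request passes the firewall (port 80 is allowed) and is then either logged and forwarded (LOG) or logged and dropped (LOG/DROP), with nothing changing between the two runs except that one setting.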

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM