
It is my understanding that tap mode IPS, unlike in-line mode, is passive and cannot prevent attacks.

In that case, what is the difference between an IDS and a tap mode IPS? I've checked out several links such as this, but can't pinpoint the exact differences.

George
  • I would also add that there are "active" taps that can in fact be used to block or redirect traffic at the tap. https://www.gigamon.com/products/g-tap-a-series – coffeethulhu Apr 07 '16 at 13:56
  • The gigamon.com link doesn't appear relevant to IDS/IPS. Inline IPS describes a physical network where the IPS physically bridges a network connection, and therefore it is physically impossible for packets to bypass the device. Port mirroring and network taps only provide 'copies' of the information travelling the network. The device has no physical ability to prevent the original packets from reaching their destination, although it is possible for an IPS to 'trick' the destination to drop TCP connections by injecting spoofed packets, but this is a race condition (unreliable). – Jeff K Feb 24 '17 at 18:13

1 Answer


IDS, IPS, and Firewall are just names describing the capabilities and purpose and are not technical descriptions. The differences are often murky and how a device is called is also affected by marketing.

A classical passive IDS like Snort can be used inline too to prevent attacks and thus magically becomes an IPS. And an IPS which is just used to watch but not block the traffic is thus reduced to detection and is in effect an IDS. You might still want to continue to call it an IPS because in theory it has the possibility to block the traffic, and it is only due to your usage that it is unable to use this capability.

Steffen Ullrich
  • An IPS is simply an IDS with the capability to actively respond instead of simply report. Turning off that capability or blocking it with network configuration doesn't change that the capability exists. Whether that capability is valuable to an organization, or whether the term is misused by marketing doesn't change its meaning. – Jeff K Feb 24 '17 at 18:18
  • @JeffK: so is Snort an IDS or an IPS? Even their web site calls it an IDS (or better, NIDS) although it has the capability to run inline and block or actively respond to traffic. And for Suricata they explicitly say on the [homepage](https://suricata-ids.org/): *"capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), ...*". – Steffen Ullrich Feb 24 '17 at 18:35
  • IPS is a subset of IDS. Both are correct, but IPS is more specific. – Jeff K Feb 24 '17 at 18:37
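The two placements discussed in the answer and in Jeff K's comment (an inline sensor that bridges the link versus a tap sensor that only gets a copy and can at best inject a spoofed TCP RST) can be compared with a small timing model. The following is an added example written for this page, not code from Snort, Suricata or any vendor: the flow, the delays, the toy signature (`/etc/passwd` in the payload) and the assumption that the tap sensor injects its RST at the tap point after a fixed processing latency are all constructed. It shows why the RST can never stop the packet that triggered it, why the number of later segments that slip through depends purely on sensor latency, and why UDP is untouched.

```python
"""Constructed model of inline vs tap-mode IPS placement (toy code, not Snort/Suricata).

Inline: the sensor bridges the link, so a dropped packet never reaches the host.
Tap:    the sensor only sees a copy; its only lever is a spoofed TCP RST, which
        races the remaining packets of the flow to the destination.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    seq: int
    sent_at: float        # ms, when the source puts it on the wire
    proto: str            # "tcp" or "udp"
    payload: bytes
    rst: bool = False     # True for the sensor's spoofed reset


def matches_signature(pkt: Packet) -> bool:
    # Constructed toy signature standing in for a real IDS rule.
    return b"/etc/passwd" in pkt.payload


@dataclass
class Host:
    """Destination that processes packets strictly in arrival order."""
    delivered: List[int] = field(default_factory=list)
    reset_seen: bool = False

    def receive(self, pkt: Packet) -> None:
        if pkt.rst:
            self.reset_seen = True          # connection torn down from here on
        elif pkt.proto == "tcp" and self.reset_seen:
            pass                            # later segments of a reset flow are discarded
        else:
            self.delivered.append(pkt.seq)  # payload is processed by the application


def sample_flow(proto: str = "tcp") -> List[Packet]:
    # Constructed four-segment flow; segment 2 carries the toy attack string.
    return [
        Packet(1, 0.0, proto, b"GET /index.html"),
        Packet(2, 2.0, proto, b"GET /../../etc/passwd"),
        Packet(3, 5.0, proto, b"GET /logo.png"),
        Packet(4, 20.0, proto, b"GET /about.html"),
    ]


def run_inline(flow: List[Packet]) -> List[int]:
    """Inline IPS: the matching packet is dropped before it is forwarded, and the
    sensor keeps dropping the rest of the flow. Nothing races anything."""
    host = Host()
    blocking = False
    for pkt in sorted(flow, key=lambda p: p.sent_at):
        if blocking or matches_signature(pkt):
            blocking = True
            continue
        host.receive(pkt)
    return host.delivered


def run_tap(flow: List[Packet], d_tap: float, d_rest: float, proc: float) -> List[int]:
    """Tap-mode IPS. Every original packet reaches the host at sent_at + d_tap + d_rest
    regardless of what the sensor thinks. On the first TCP match the sensor injects an
    RST at the tap point after `proc` ms of work; the RST needs d_rest ms to arrive."""
    events = []           # (arrival_time, unique order, packet)
    order = 0
    rst_emitted = False
    for pkt in flow:
        events.append((pkt.sent_at + d_tap + d_rest, order, pkt))
        order += 1
        if not rst_emitted and pkt.proto == "tcp" and matches_signature(pkt):
            rst_emitted = True
            rst = Packet(-1, pkt.sent_at + d_tap + proc, "tcp", b"", rst=True)
            events.append((rst.sent_at + d_rest, order, rst))
            order += 1
    host = Host()
    for _, _, pkt in sorted(events):
        host.receive(pkt)
    return host.delivered


if __name__ == "__main__":
    print("inline              :", run_inline(sample_flow()))
    print("tap, 5 ms latency   :", run_tap(sample_flow(), 1.0, 1.0, 5.0))
    print("tap, 0.5 ms latency :", run_tap(sample_flow(), 1.0, 1.0, 0.5))
    print("tap, UDP flow       :", run_tap(sample_flow("udp"), 1.0, 1.0, 0.5))
```

With the constructed timings the inline sensor delivers only segment 1. The tap sensor always delivers the offending segment 2, because the RST is generated in reaction to a copy of a packet that is already past the tap; with 5 ms of sensor latency segment 3 gets through as well, and with 0.5 ms it does not, which is the race Jeff K describes. For the UDP flow there is no connection to reset, so everything arrives.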