
The differences between an IDS and a firewall are that the latter prevents malicious traffic, whereas the IDS:

  • Passive IDS: the IDS only reports that there was an intrusion.
  • Active IDS: the IDS also takes actions against the issue to fix it or at least lessen its impact.

However, what's the difference between an IPS and a Firewall? Both are a preventative technical control whose purpose is to guarantee that incoming network traffic is legitimate.

schroeder
The Illusive Man
  • Neither IDS, IPS, nor Firewall guarantee legitimate traffic. They inspect traffic and act according to rules. – schroeder Nov 06 '13 at 16:39

6 Answers


The line is definitely blurring somewhat as technological capacity increases, platforms are integrated, and the threat landscape shifts. At their core we have

  • Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
  • Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
  • Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.

The functional difference between an IDS and an IPS is a fairly subtle one and is often nothing more than a configuration setting change. For example, in a Juniper IDP module, changing from Detection to Prevention is as easy as changing a drop-down selection from LOG to LOG/DROP. At a technical level it can sometimes require redesign of your monitoring architecture.

Given the similarity between all three systems there has been some convergence over time. The Juniper IDP module mentioned above, for example, is effectively an add-on component to a firewall. From a network flow and administrative perspective the firewall and IDP are functionally indistinguishable even if they are technically two separate devices.

There is also much market discussion of something called a Next Generation Firewall (NGFW). The concept is still new enough that each vendor has their own definition as to what constitutes a NGFW but for the most part all agree that it is a device that enforces policy unilaterally across more than just network packet header information. This can make a single device act as both a traditional Firewall and IPS. Occasionally additional information is gathered, such as from which user the traffic originated, allowing even more comprehensive policy enforcement.

Scott Pack
  • Alright, this answers the question. The **difference between an IPS and a firewall** is that, although both reject packets, the former inspects both header and payload whereas the latter only inspects the header. – The Illusive Man Nov 06 '13 at 15:23
  • @yzT: For traditional devices yes, but it's important to remember that things are starting to change. Also see Web Application Firewalls which specifically watch HTTP/HTTPS traffic and can even be adaptive to learn what normal web traffic looks like and reject the abnormal stuff. – Scott Pack Nov 06 '13 at 15:30
  • NGFW means policies that are tied to identities; of which users, hosts; and behaviors such as policy violations and maliciousness. It's all blurred together. It's whatever you can do given some combination of tapping traffic at choke points, sometimes with cooperation of hosts. – Rob May 08 '15 at 01:51
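The three definitions and the LOG versus LOG/DROP point from this answer, as an added toy example (not code from the answer or from any vendor product): the firewall decides on headers alone, the inspection engine also reads the payload, and the IDS/IPS distinction is one mode setting on the same engine. The packet fields, allow-list, signatures and sample packets are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

# Firewall policy: header fields only. Each rule is (proto, dst, dport); this
# allow-list is constructed for the example.
FIREWALL_ALLOW = {("tcp", "10.0.0.5", 80), ("tcp", "10.0.0.5", 443)}

def firewall(pkt):
    """Accept or reject purely on packet headers, never looking at the payload."""
    return "accept" if (pkt.proto, pkt.dst, pkt.dport) in FIREWALL_ALLOW else "reject"

# IDS/IPS signatures: (event name, byte pattern searched for in the payload).
SIGNATURES = [
    ("sqli-union-select", b"UNION SELECT"),
    ("path-traversal", b"../../"),
]

def inspect_packet(pkt, mode="LOG"):
    """Header-plus-payload inspection. mode='LOG' is IDS behaviour (report only);
    mode='LOG/DROP' is IPS behaviour (report and reject). Same engine, one setting."""
    events = [name for name, pattern in SIGNATURES if pattern in pkt.payload]
    if not events:
        return "accept", []
    return ("reject" if mode == "LOG/DROP" else "accept"), events

def pipeline(pkt, mode="LOG"):
    """Firewall first (cheap header check), then inspect what it let through."""
    if firewall(pkt) == "reject":
        return "reject", ["firewall-policy"]
    return inspect_packet(pkt, mode)

if __name__ == "__main__":
    # Constructed sample: a request to an allowed web port carrying a SQLi-looking payload.
    attack = Packet("tcp", "192.0.2.10", "10.0.0.5", 51000, 80,
                    b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1")
    print(firewall(attack))              # accept: header-only view sees an ordinary web request
    print(pipeline(attack, "LOG"))       # ('accept', ['sqli-union-select']): IDS logs and passes it
    print(pipeline(attack, "LOG/DROP"))  # ('reject', ['sqli-union-select']): IPS logs and drops it
```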

explanation for the dummies

  • firewall -> doorman; he keeps everyone out who tries to sneak in via open basement-windows etc, but once someone enters through the official door, he lets everybody in, esp. when the house-owner brings guests in; *a firewall never prevents malicious traffic*, it just allows or blocks traffic, based on port/ip

  • IDS (passive) / IPS (active): the guy who searches guests for weapons etc; while he cannot run around and prevent people from sneaking in, he's able to search what people are bringing in

  • IDS active vs passive: in active-mode -> kicks ass and is able to block for a certain amount of time, in passive-mode -> just sends alerts

the only reason some would like to call an IPS different from active IDS is for marketing-purposes.

  • Actually, modifying traffic is a big design issue. You lose stealth when you mess with traffic. If you mess with traffic, you need to be careful to not break applications or introduce performance problems. – Rob May 08 '15 at 01:54

An active IDS is basically called an IPS.

Lucas Kauffman
  • Not really. As far as I know, an IPS always blocks whereas an active IDS might block, but might not as well. Other tasks of an active IDS could be redirecting traffic to a monitored network, for example. – The Illusive Man Nov 05 '13 at 00:46
  • @yzT It's just semantics really. For all intents and purposes, they are the same thing. – Nov 05 '13 at 00:48

A firewall will block traffic based on network information such as IP address, network port and network protocol. It will make some decisions based on the state of the network connection.

An IPS will inspect content of the request and be able to drop, alert, or potentially clean a malicious network request based on that content. The determination of what is malicious is based either on behavior analysis or through the use of signatures.

A good security strategy is to have them work together as a team. Both devices complement each other.

Rohit Gera

In addition to the existing answers, I am thinking about three additional differences:

  • A firewall (usually) sits at the network perimeter of the system, whereas an IDS/IPS can not only work at the network level, but also work at the host level. Such IDS/IPS systems are called host-based IDS/IPS. They can monitor and take action against running processes, suspicious log-in attempts, etc. Examples include OSSEC and osquery. Perhaps anti-virus software can also be considered as a kind of IDS/IPS.

  • A firewall is probably easier to understand and to deploy. It can also work on its own. But an IDS/IPS is more complex and probably needs to be integrated with other services. For example, the outcome of IDS will go into SIEM for correlation analysis, for human analysts, etc.

  • At least for a "traditional" firewall, the core is a rule-based engine. But IDS/IPS might also use anomaly-based detection methods to detect intrusion.

ZillGate
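An added example (not code from this answer) contrasting the rule-based engine of the third point with a simple anomaly-based detector, run over constructed per-minute connection counts. The fixed limit, the baseline and the labelled samples are all invented for the example; the legitimate burst the detector misflags is the kind of false positive the next answer mentions.

```python
from statistics import mean, pstdev

def rule_based(conn_count, limit=100):
    """Traditional rule engine: a fixed threshold, no learning. The limit is constructed."""
    return conn_count > limit

class AnomalyDetector:
    """Anomaly-based detection: learn a baseline, then flag statistical deviations."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold
        self.mu = None
        self.sigma = None

    def train(self, baseline):
        """baseline: per-minute connection counts observed during normal operation."""
        self.mu = mean(baseline)
        self.sigma = pstdev(baseline) or 1.0   # guard against a perfectly flat baseline

    def score(self, conn_count):
        return (conn_count - self.mu) / self.sigma

    def is_anomalous(self, conn_count):
        return self.score(conn_count) > self.z_threshold

def evaluate(detector, samples):
    """samples: (count, is_attack) pairs. Returns (flagged counts, false positives)."""
    flagged, false_positives = [], []
    for count, is_attack in samples:
        if detector.is_anomalous(count):
            flagged.append(count)
            if not is_attack:
                false_positives.append(count)
    return flagged, false_positives

if __name__ == "__main__":
    baseline = [20, 22, 19, 21, 23, 20, 18, 22, 21, 20]   # constructed "quiet" minutes
    det = AnomalyDetector()
    det.train(baseline)
    # Constructed minutes to judge: True marks a known attack, False legitimate traffic.
    samples = [(21, False), (60, True), (45, False), (19, False)]
    print(rule_based(60))          # False: 60 stays under the fixed limit, the rule misses it
    print(evaluate(det, samples))  # ([60, 45], [45]): the anomaly engine catches the attack
                                   # but also flags the legitimate burst, a false positive
```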

The IDS is an Intrusion Detection System. An IPS is an Intrusion Prevention System.

The IDS only monitors traffic. The IDS contains a database of known attack signatures. And it compares the inbound traffic against the database. If an attack is detected then the IDS reports the attack. But it is then up to the administrator to take action. The major flaw is that they produce a lot of false positives.

The IPS sits between your firewall and the rest of your network. Because of this it can stop the suspected traffic from getting to the rest of the network. The IPS monitors the inbound packets and what they are really being used for before deciding to let the packets into the network.

JGallardo