What are IDS and IPS and how do they work?


Limp Gawd
Jul 20, 2016
I recently came across these terms and it got my interest. Would be great if anyone can help me understand this service and suggest how I can use it for personal use?
If you are referring to computer security terms, an IDS is an Intrusion Detection System and an IPS is an Intrusion Prevention System.

IDS -- Usually a passive system that scans a system or traffic for fingerprints or anomalies and then alerts when it finds something potentially threatening. This method typically uses fewer resources and allows more flexibility for systems that cannot afford for something to shut them down (i.e., blocking some port or traffic when a threat comes through, or deleting files that may actually be needed).

IPS -- This is an active system that not only scans for threats, but will also attempt to mitigate them. When an IPS finds a threat it will attempt to block the traffic, quarantine data, or remove it completely. An IPS uses more resources because of its active nature. It also has the potential of mitigating good data from a false positive read, so it's important to tune the IPS correctly so you don't lose important data.
Let's first define terms:

  • IDS - Intrusion Detection System
  • IPS - Intrusion Prevention System
Quite simply put, both solutions exist for purposes of security - think of two things when it comes to security; alert(s) and action(s).

An IDS is a detection system; its purpose is to generate logs and reports and deliver them to the stakeholders (net admins, security admins, CTO/CISOs, etc.)

An IPS is a prevention system. These are generally inline network appliances, such as a firewall, that prevent breaches from outside the network (if it's a perimeter/edge firewall). They can also prevent breaches inside of a network if they are transparently inline between two network zones (or segments).

Historically, IDS and IPS were kind of separate implementations and architectures. But, in the modern day business and security landscape the line is blurred with more unified systems such as next-gen firewalls and advanced endpoint security software(s) becoming increasingly popular and businesses increasing their security budgets. A good example of both an IPS and IDS on a computer/workstation would be an antivirus.

Geo-IP filtering on a firewall is an IPS mechanism

Snort is a very popular IPS mechanism.

Both solutions operate and function by utilizing a few different detection methods, such as signatures - where basically common attack methods are tagged with a signature within its IPS/IDS database to identify it. Think of a packet as if it were a red gas can with a label "GASOLINE" on it. GASOLINE being the signature, you know not to allow it near an open flame because it's explosive and dangerous. An IDS system would be me standing over your shoulder (you being the admin about to set the gas can down next to the campfire), and I said, "don't be dumb, it's explosive, yo... science and stuff."

Other methods are stateful inspection of protocols for detecting asymmetric routing, or infected packets that have been injected, etc.

Wikipedia is actually a solid place to learn more and go from there:
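Both replies above make the same two points: detection is driven by signatures (a known pattern tagged in the rule database), and the only real difference between IDS and IPS is whether a hit just raises an alert or also stops the traffic. The following is an added example, not code from this thread or from Snort: a toy Python engine that parses a hypothetical, simplified Snort-style rule subset (action, protocol, addresses, ports, and the msg/content/sid options), then runs a few constructed HTTP requests through it first in IDS mode (log only, everything forwarded) and then in IPS mode (a hit on a `drop` rule blocks the packet). The rule syntax, the 10.0.0.0/24 server range, the addresses and the payloads are all assumptions made for the demo.

```python
"""Toy signature-based IDS/IPS (added example; not Snort's own code).
Rules use a hypothetical, simplified Snort-like subset:
  <action> <proto> <src> <sport> -> <dst> <dport> (msg:"..."; content:"..."; sid:N;)
"""
import ipaddress
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')

@dataclass(frozen=True)
class Rule:
    action: str     # "alert" logs only; "drop" also blocks when run inline (IPS)
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    content: bytes  # the signature: bytes that must appear in the payload
    sid: int

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def parse_rule(text: str) -> Rule:
    """Parse one rule line of the simplified syntax above."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = dict(OPT_RE.findall(m["opts"]))
    if "content" not in opts or "sid" not in opts:
        raise ValueError("rule needs content and sid options")
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                opts.get("msg", ""), opts["content"].encode(), int(opts["sid"]))

def _addr_matches(pattern: str, addr: str) -> bool:
    """'any', one address, or a CIDR block such as 10.0.0.0/24."""
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _port_matches(pattern: str, port: int) -> bool:
    """'any', one port, or a Snort-style range such as 1024:65535."""
    if pattern == "any":
        return True
    if ":" in pattern:
        lo, hi = pattern.split(":", 1)
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(pattern)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must be in scope and the signature bytes must occur in the payload."""
    return (rule.proto in ("ip", pkt.proto)
            and _addr_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
            and _addr_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport)
            and rule.content in pkt.payload)

def inspect_traffic(rules, packets, mode: str):
    """mode="ids": passive, every hit is logged and every packet is forwarded.
    mode="ips": inline, a hit on a 'drop' rule blocks the packet; 'alert' rules
    still only log.  Returns (alerts, forwarded_packets)."""
    alerts, forwarded = [], []
    for pkt in packets:
        blocked = False
        for rule in rules:
            if rule_matches(rule, pkt):
                alerts.append((rule.sid, rule.msg, f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}"))
                blocked |= (mode == "ips" and rule.action == "drop")
        if not blocked:
            forwarded.append(pkt)
    return alerts, forwarded

# Constructed sample rules and traffic for a hypothetical web server range 10.0.0.0/24.
SAMPLE_RULES = [
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"SQL injection attempt"; content:"UNION SELECT"; sid:1000001;)',
    'drop tcp any any -> 10.0.0.0/24 80 (msg:"Path traversal attempt"; content:"../../etc/passwd"; sid:1000002;)',
]
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", 51000, "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.7", 51001, "10.0.0.5", 80, b"GET /item?id=1 UNION SELECT pw FROM users HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.8", 51002, "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    # Same traversal aimed outside the protected range: no rule is in scope, so no alert.
    Packet("tcp", "203.0.113.8", 51003, "192.168.1.20", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
]

def demo(mode: str):
    """Parse the sample rules and run the sample traffic through them."""
    return inspect_traffic([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS, mode)

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = demo(mode)
        print(f"{mode.upper()}: {[a[0] for a in alerts]} hit, {len(forwarded)}/{len(SAMPLE_PACKETS)} forwarded")
```

Running it shows the same two signature hits in both modes; the only difference is that in IPS mode the traversal request to 10.0.0.5 never reaches the server while the injection attempt (an `alert` rule) still does. That is also where the tuning warning in the first reply bites: a sloppy `content` string on a `drop` rule blocks legitimate traffic inline, whereas in IDS mode the same mistake only costs you a noisy log.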

Thank you for the explanation, it clears up a lot of things now. Just wanted to ask, is it useful and available for a common user, because the security via this service/tool seems exceptionally promising.