IDS and IPS ?

Mar 21st, 2007

I was using a 4215 IDS in my network before.

My question is: what is the basic difference between IDS and IPS? Why should I use IPS in place of IDS, and what is the key point and benefit?



edwakim Wed, 03/21/2007 - 23:42


Here are the definitions from IPS 5.1 guide.

Understanding Promiscuous Mode (IDS)

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).

Understanding Inline Interface Mode (IPS)

Operating in inline interface mode puts the IPS directly into the traffic flow and affects packet-forwarding rates making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device.

In inline interface mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.

Hope this helps.

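As an added illustration (not from the IPS guide or from anyone in this thread), a small Python model of the two modes described above: in promiscuous mode the real packet is forwarded before the sensor's copy is analysed, so an atomic attack reaches the target and only later packets from that source are blocked by the ACL push; in inline mode the matching packet is denied before it leaves the second interface. The signature name, addresses and packets are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample traffic: (source address, payload). The second packet is
# a single-packet ("atomic") attack; the third comes from the same source.
PACKETS = [("10.0.0.5", "GET /index.html"),
           ("10.0.0.9", "EVIL_ATOMIC"),      # hypothetical signature match
           ("10.0.0.9", "GET /login"),
           ("10.0.0.5", "GET /about")]

SIGNATURES = {"EVIL_ATOMIC"}   # hypothetical signature set, not a vendor's


@dataclass
class ManagedDevice:
    """Router or firewall that a promiscuous sensor can push an ACL onto."""
    acl: set = field(default_factory=set)
    delivered: list = field(default_factory=list)

    def forward(self, pkt):
        src, _ = pkt
        if src not in self.acl:      # ACL only affects packets seen after the push
            self.delivered.append(pkt)


def promiscuous(packets):
    """IDS mode: the device forwards the real packet, the sensor analyses a
    copy, and the response is a post-event ACL change on the managed device."""
    dev = ManagedDevice()
    alerts = []
    for pkt in packets:
        dev.forward(pkt)             # real packet is already on its way
        src, payload = pkt
        if payload in SIGNATURES:    # analysis of the copy, after the fact
            alerts.append(src)
            dev.acl.add(src)         # blocks this source from the next packet on
    return dev.delivered, alerts


def inline(packets):
    """IPS mode: a packet enters the first interface of the pair and is sent
    out the second only if no signature denies it."""
    delivered, alerts = [], []
    for pkt in packets:
        src, payload = pkt
        if payload in SIGNATURES:
            alerts.append(src)
            continue                 # deny action: never reaches interface 2
        delivered.append(pkt)
    return delivered, alerts
```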

iqbalkhan Thu, 03/22/2007 - 00:42

Hi Edward

Thanks for clearing up IDS and IPS.

But I have another question.

In the past, when I configured the IDS,

I connected the monitoring port of the IDS to the switch monitor port where data is captured, and the control port is connected to another port.

But the IPS works inline, so it has two monitoring ports.

Now think i have network where


So if I add the IPS, is it LAN-firewall-IPS-Router?

One interface of the IPS connects to the IPS and another connects to the router?

Please clarify this issue.

TradeSecrets Fri, 03/23/2007 - 13:19

Hi Biplob,

The basic difference is:

IDS - alerts you of breaches

IPS - Stops them

attmidsteam Sun, 03/25/2007 - 10:10

@ TradeSecrets

IDS -- Passive

IPS -- Active (read, more to go wrong)

Both can actually "mitigate" events, however neither can "Stop breaches"

Best of luck to you sir.

