IDS and IPS?

Unanswered Question
Mar 21st, 2007

Hi

I was using a 4215 IDS in my network before.

My question is: what is the basic difference between IDS and IPS? Why would I use an IPS in place of an IDS, and what is the key point and benefit?

Thanks

biplob

edwakim Wed, 03/21/2007 - 23:42

Hi,

Here are the definitions from the IPS 5.1 guide.

Understanding Promiscuous Mode (IDS)

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic. The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack. While such response actions can prevent some classes of attacks, in atomic attacks the single packet has the chance of reaching the target system before the promiscuous-based sensor can apply an ACL modification on a managed device (such as a firewall, switch, or router).

Understanding Inline Interface Mode (IPS)

Operating in inline interface mode puts the IPS directly into the traffic flow and affects packet-forwarding rates, making them slower by adding latency. This allows the sensor to stop attacks by dropping malicious traffic before it reaches the intended target, thus providing a protective service. Not only is the inline device processing information on layers 3 and 4, but it is also analyzing the contents and payload of the packets for more sophisticated embedded attacks (layers 3 to 7). This deeper analysis lets the system identify and stop and/or block attacks that would normally pass through a traditional firewall device.

In inline interface mode, a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair. The packet is sent to the second interface of the pair unless that packet is being denied or modified by a signature.

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df7d.html#wp1033759

Hope this helps.

Edward
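To make the promiscuous-versus-inline distinction in the quoted definitions concrete, here is a small Python simulation added as an example for this page. It is not Cisco code and is not taken from the guide quoted above; the `ATTACK` signature marker, the addresses and the five sample packets are all constructed for the example. A promiscuous sensor only ever sees a copy of a packet the firewall has already forwarded and reacts by pushing a block for the source afterwards, so the first single-packet attack from each source reaches the target. An inline sensor sits between the two interfaces of the pair and simply does not forward a packet that matches a deny signature.

```python
"""Added example: a toy model of promiscuous (IDS) and inline (IPS) sensor modes.

Illustrative code written for this page, not Cisco's IPS software. The
signature, the addresses and the traffic below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signature: any packet carrying this marker is treated as a
# single-packet ("atomic") attack that needs no preceding setup traffic.
ATOMIC_SIGNATURE = b"ATTACK"


def matches_signature(pkt: Packet) -> bool:
    return ATOMIC_SIGNATURE in pkt.payload


class Target:
    """The protected host; records everything actually delivered to it."""

    def __init__(self) -> None:
        self.received: list[Packet] = []

    def deliver(self, pkt: Packet) -> None:
        self.received.append(pkt)


class Firewall:
    """Managed device in the path. The promiscuous sensor can push a block
    (an ACL entry) for a source address, but only after it has seen an attack."""

    def __init__(self) -> None:
        self.blocked: set[str] = set()

    def forward(self, pkt: Packet, target: Target) -> bool:
        if pkt.src in self.blocked:
            return False
        target.deliver(pkt)
        return True


def run_promiscuous(packets: list[Packet]) -> dict:
    """Promiscuous mode: the sensor analyses a SPAN copy of traffic the firewall
    has already forwarded, then reacts by adding a block on the firewall.
    The first attack packet from each source is already past it."""
    fw, target = Firewall(), Target()
    alerts: list[Packet] = []
    for pkt in packets:
        forwarded = fw.forward(pkt, target)        # the real packet moves first
        if forwarded and matches_signature(pkt):   # sensor sees the copy afterwards
            alerts.append(pkt)
            fw.blocked.add(pkt.src)                # post-event ACL modification
    return {
        "delivered": len(target.received),
        "attacks_delivered": sum(matches_signature(p) for p in target.received),
        "alerts": len(alerts),
        "blocked_sources": fw.blocked,
    }


def run_inline(packets: list[Packet]) -> dict:
    """Inline interface mode: the sensor is in the forwarding path; a packet
    that matches a deny signature never leaves the second interface."""
    target = Target()
    alerts: list[Packet] = []
    for pkt in packets:            # arrives on interface 1 of the pair
        if matches_signature(pkt):
            alerts.append(pkt)     # deny action: dropped, never forwarded
            continue
        target.deliver(pkt)        # leaves on interface 2 of the pair
    return {
        "delivered": len(target.received),
        "attacks_delivered": sum(matches_signature(p) for p in target.received),
        "alerts": len(alerts),
    }


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", b"GET /index.html"),
    Packet("198.51.100.7", "192.0.2.10", b"ATTACK single-packet exploit"),
    Packet("198.51.100.7", "192.0.2.10", b"ATTACK retry from the same host"),
    Packet("203.0.113.9", "192.0.2.10", b"ATTACK from a second host"),
    Packet("10.0.0.5", "192.0.2.10", b"GET /about.html"),
]


if __name__ == "__main__":
    print("promiscuous:", run_promiscuous(SAMPLE_TRAFFIC))
    print("inline:     ", run_inline(SAMPLE_TRAFFIC))
```

Run on the sample traffic, the promiscuous sensor delivers two attack packets (the first from each source) and then blocks both sources, while the inline sensor delivers none. The model also shows the cost side of the trade-off: the inline sensor is the only thing standing between the two interfaces, so any false positive in its signatures, or a failure of the sensor itself, directly affects the forwarding path rather than just the alert log.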

iqbalkhan Thu, 03/22/2007 - 00:42

Hi Edward

Thanks for clearing up IDS and IPS.

But I have another question.

In the past, when I configured the IDS,

I connected the monitoring port of the IDS to the switch monitor port where the data is captured, and the control port to another port.

But the IPS works inline, so it has two monitoring ports.

Now suppose I have a network where

LAN--Firewall--Router

So if I add an IPS, then LAN--Firewall--IPS--Router?

One interface of the IPS connects to the firewall and the other connects to the router?

Please clear up this issue.

TradeSecrets Fri, 03/23/2007 - 13:19

Hi Biplob,

The basic difference is:

IDS - alerts you to breaches

IPS - stops them

attmidsteam Sun, 03/25/2007 - 10:10

@ TradeSecrets

IDS -- Passive

IPS -- Active (read: more to go wrong)

Both can actually "mitigate" events, however neither can "Stop breaches"

Best of luck to you sir.
