Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


Can you please tell me some problems IPs/IDS can slove that Firewal cant




Firewall will not subtitute IDS/IPS, and vice-versa. They complement each other. Some problems can be solved by Firewall, some by IDS/IPS. Combining these two gives you better network protection.

I think these are among problems that IDS/IPS can offer that normal Firewall don't:

1. IPS/IDS able to detect deep into the traffic content (up to Layer 7). This includes spyware, malware, malicious cripts, viruses/worms/trojans. Normal Firewall only limited to control source/destination address and tcp/udp service ports.

2. IPS/IDS can be customized to detect certain/sensitive keywords (based on user requirement) like condential, secret, P&C, etc in data packet. This allow organization to control info from being sent out by insider for whatever reason like business espionage and so on.



Answer is herehttps:/

Answer is here

A firewall is simply just a

A firewall is simply just a set of filters/rules that are matched against traffic. It can only detect malicious traffic trying to enter a computer system but can not detect anything which has entered the system. A firewall is considered a first line of defense in protecting private information. For greater security IDS and IPS systems should be used along with the firewall.

An IDS (Intrusion Detection System) is passive meaning it basically sits watching packets go through the network. It has a set of rules which it matches the packets against and sets off an alarm if it detects anything suspicious, usually the administrator is alerted. An IDS can detect several types of malicious traffic that would slip by a typical firewall, including network attacks against services, data-driven attacks on applications, host-based attacks like unauthorized logins, and malware like viruses, Trojan horses, and worms. Most IDS products use several methods to detect threats, usually signature-based detection, anomaly-based detection, and stateful protocol analysis.

The main problem with IDS is the number of false positives the technology is prone to spitting out – some legitimate traffic is inevitable tagged as bad. The trick is tuning the device to maximize its accuracy in recognizing true threats while minimizing the number of false positives; these devices should be regularly tuned as new threats are discovered and the network structure is altered. As the technology has matured in the last several years, it has gotten better at weeding out false positives. However, completely eliminating them while still maintaining strict controls is next to impossible – even for IPS, which some consider the next step in the evolution of IDS.

An IPS (Intrusion Prevention System) has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with traffic flows on a network, actively shutting down attempted attacks as they’re sent over the wire. It can stop the attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address, or other attribute associated with that attacker, or by blocking all access to the targeted host, service, or application.

Cisco Employee

Firewall - A device or

  • Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
  • Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
  • Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.
CreatePlease login to create content