The Core Difference — Detection vs Prevention
The fundamental distinction between IDS and IPS is what they do when they identify a threat. An IDS (Intrusion Detection System) passively monitors network traffic or host activity, compares it against known threat signatures or behavioural baselines, and generates alerts when suspicious activity is detected. It does not interfere with traffic — it only observes and reports. A security analyst reviews the alerts and decides whether and how to respond.
An IPS (Intrusion Prevention System) sits inline with traffic — all traffic flows through it — and can actively drop packets, terminate connections, or modify traffic in real time when a threat is detected. The IPS doesn't wait for human review; it acts automatically based on configured policies. This makes IPS more effective at stopping attacks but introduces risk: a misconfigured IPS or a false positive can block legitimate traffic, causing outages.
IDS vs IPS — Key Differences
| Characteristic | IDS | IPS |
|---|---|---|
| Response to threats | Alerts / logs only | Blocks, drops, or modifies traffic |
| Network placement | Out-of-band (tap or mirror port) | Inline — all traffic passes through |
| Impact on traffic | None — passive monitoring | Adds latency; can block legitimate traffic |
| False positive risk | Low impact — generates alert only | High impact — blocks legitimate traffic |
| Response speed | Human review required | Automated real-time response |
| Failure mode | Fails open — traffic continues | Fail-open or fail-closed (configurable) |
| Primary use case | Forensics, compliance, visibility | Active threat prevention, blocking attacks |
Network-Based vs Host-Based
Both IDS and IPS come in two deployment variants that the exam tests separately:
NIDS/NIPS (Network-based) monitors traffic flowing across a network segment — either by connecting to a SPAN/mirror port on a switch (NIDS) or by sitting inline between network segments (NIPS). Network-based systems provide visibility into all traffic traversing that network segment, regardless of which hosts are communicating. They're blind to encrypted traffic (unless combined with TLS inspection) and cannot see traffic that doesn't cross the monitored segment.
HIDS/HIPS (Host-based) runs as software on an individual endpoint — a server, workstation, or cloud instance. It monitors activity on that specific host: process execution, file system changes, registry modifications, system calls, and local network connections. Host-based systems can inspect encrypted traffic (because they see it before encryption and after decryption on the endpoint) and can detect attacks that originate from local processes. The trade-off is that they only protect the host they're installed on and consume endpoint resources.
A comprehensive security architecture uses both: NIDS/NIPS at network chokepoints (internet perimeter, between network zones, before critical servers) and HIDS/HIPS on critical endpoints (domain controllers, database servers, privileged workstations).
Detection Methods — Signature vs Anomaly vs Policy
Signature-based detection compares observed traffic or activity against a database of known attack signatures. If traffic matches a signature (a known SQL injection pattern, a specific malware command-and-control beacon, a recognisable exploit attempt), an alert is triggered or the traffic is blocked. Signature-based detection is highly accurate for known threats and generates few false positives — but it cannot detect novel (zero-day) attacks for which no signature exists yet. Signatures must be updated regularly to remain effective.
Anomaly-based detection (also called behaviour-based or heuristic detection) establishes a baseline of normal activity and alerts on deviations from that baseline. A user who normally downloads 10 MB of data per day suddenly transferring 10 GB would trigger an anomaly alert. This approach can detect zero-day attacks and insider threats that signature-based systems miss, but it generates significantly more false positives — legitimate changes in behaviour (end-of-quarter data exports, system updates) can look like anomalies.
Policy-based detection evaluates traffic against administrator-defined rules — not signatures of known attacks, but explicit policies. "No SSH traffic should leave the network" is a policy — any SSH connection going outbound triggers a policy violation alert. Policy-based detection requires the administrator to define the rules explicitly, but generates very precise alerts for specific policy violations.
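The three detection methods side by side, as an added example that is not part of the original article: a small detector that runs a signature rule, an anomaly rule against a per-user byte baseline (the 10 MB baseline and 10 GB spike from the text, with a constructed threshold of 100x baseline), and the "no outbound SSH" policy over a handful of constructed flow records. All flow records, signatures and baselines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the article): one dict per connection.
FLOWS = [
    {"user": "alice", "dst_port": 443, "bytes": 5_000_000, "payload": "GET /reports?id=42"},
    {"user": "alice", "dst_port": 443, "bytes": 4_000_000, "payload": "GET /reports?id=43"},
    {"user": "bob",   "dst_port": 80,  "bytes": 2_000,     "payload": "GET /login?user=x' OR 1=1--"},
    {"user": "carol", "dst_port": 22,  "bytes": 1_000,     "payload": "", "direction": "outbound"},
    {"user": "dave",  "dst_port": 443, "bytes": 10_000_000_000, "payload": "GET /export"},
]

# Signature-based: a (constructed) database of known attack patterns.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
}

# Anomaly-based: a constructed baseline of normal bytes per user per day.
BASELINE_BYTES = {"alice": 10_000_000, "bob": 1_000_000, "carol": 1_000_000, "dave": 10_000_000}
ANOMALY_FACTOR = 100  # alert once a user exceeds the baseline by this multiple

# Policy-based: explicit administrator rules, here "no SSH traffic may leave the network".
POLICIES = [("no-outbound-ssh", lambda f: f.get("direction") == "outbound" and f["dst_port"] == 22)]


def detect(flows):
    """Run all three detection methods and return a list of (method, rule, user) alerts."""
    alerts = []
    per_user = defaultdict(int)
    for f in flows:
        # Signature match: known pattern inside the payload.
        for name, pattern in SIGNATURES.items():
            if pattern.search(f["payload"]):
                alerts.append(("signature", name, f["user"]))
        # Policy violation: the flow breaks an explicit rule, attack or not.
        for name, violated in POLICIES:
            if violated(f):
                alerts.append(("policy", name, f["user"]))
        per_user[f["user"]] += f["bytes"]
    # Anomaly: total volume far above the user's learned baseline.
    for user, total in per_user.items():
        if total > BASELINE_BYTES[user] * ANOMALY_FACTOR:
            alerts.append(("anomaly", "volume-spike", user))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

Note that alice's 9 MB stays under the 1 GB anomaly threshold, which is the kind of tuning decision that trades false positives against false negatives.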
False positive: the IDS/IPS flags legitimate traffic as malicious — the attack didn't happen but the system said it did. On an IPS, the impact is that legitimate traffic is blocked, with a potential outage. False negative: the IDS/IPS misses a real attack — the attack happened but the system didn't detect it. With an IDS, a false negative means a missed alert: the analyst doesn't know to investigate. With an IPS, a false negative means the attack succeeds undetected. The scenario question "which is more dangerous, a false positive or a false negative?" has no universal answer — it depends on context. For an IPS protecting a critical system, false negatives are catastrophic. For an IPS on a production network, false positives can cause outages.
Where IDS and IPS Sit in the Network
Network placement determines what traffic each system sees. A common enterprise architecture: a NIPS at the internet perimeter, inline between the firewall and the DMZ, inspects all inbound and outbound internet traffic for known attack patterns. A NIDS on a SPAN port of the core switch monitors internal east-west traffic for lateral movement and insider threats — it's out-of-band to avoid affecting production traffic. HIPS on servers (especially domain controllers and database servers) provides host-level protection and can detect attacks that arrive via encrypted channels or originate from internal networks.
The distinction between firewall and IPS is important for the exam. A firewall enforces access control based on rules (allow or deny traffic based on source/destination IP, port, protocol) — it doesn't analyse the content of traffic. An IPS performs deep packet inspection — it looks inside packets at the payload and application-layer content. A next-generation firewall (NGFW) combines both functions.
Fail-Open vs Fail-Closed
When an inline IPS device fails (hardware failure, software crash, power loss), it must decide what to do with the traffic it can no longer inspect. Fail-open means the device passes all traffic uninspected — network connectivity is maintained but threat detection stops. Fail-closed means the device drops all traffic — the network goes down but no uninspected traffic passes.
The right choice depends on context. A hospital network might choose fail-open to maintain life-critical network connectivity even at the cost of security. A financial institution with extreme security requirements might choose fail-closed to ensure no uninspected traffic reaches its core systems. On the exam, "fail-open prioritises availability" and "fail-closed prioritises security" is the framework for choosing between them in scenarios.
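The behaviour described in the table and in this section, as an added example that is not part of the original article: a constructed model of a detection device that can run as an out-of-band IDS or an inline IPS, with a fail-open or fail-closed setting for engine failures. The `InlineDevice` class, its toy inspection engine and the packets are all assumptions made for illustration; the point is how the same verdict (or the same engine crash) turns into a different outcome for traffic depending on mode and failure policy.

```python
from dataclasses import dataclass


class EngineFailure(Exception):
    """Raised when the inspection engine itself fails (crash, resource exhaustion)."""


@dataclass
class InlineDevice:
    mode: str        # "ids" = out-of-band, alert only; "ips" = inline, may drop
    fail_open: bool  # IPS only: what happens to traffic when the engine fails

    def inspect(self, packet):
        """Constructed engine: True when the packet looks malicious, raises on failure."""
        if packet.get("corrupt"):
            raise EngineFailure("inspection engine crashed on malformed input")
        return "' OR 1=1" in packet.get("payload", "")

    def handle(self, packet):
        """Return (action, alert) for one packet: action is 'forward' or 'drop'."""
        try:
            malicious = self.inspect(packet)
        except EngineFailure as exc:
            # An out-of-band IDS can never affect traffic; it simply stops seeing it.
            # An inline IPS must choose: fail-open forwards uninspected traffic
            # (availability), fail-closed drops everything until recovery (security).
            if self.mode == "ids" or self.fail_open:
                return "forward", f"engine-failure: {exc}"
            return "drop", f"engine-failure: {exc}"
        if not malicious:
            return "forward", None
        if self.mode == "ids":
            return "forward", "alert"   # observe and report; a human decides
        return "drop", "alert"          # inline: block in real time


if __name__ == "__main__":
    attack = {"payload": "x' OR 1=1--"}
    broken = {"corrupt": True}
    for dev in (InlineDevice("ids", True), InlineDevice("ips", True), InlineDevice("ips", False)):
        print(dev, dev.handle(attack), dev.handle(broken))
```

Because `inspect` is shared, a false positive produced by it would be an alert on the IDS but a dropped legitimate packet on the IPS, which is exactly the difference in false-positive impact the table describes.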