Difference between IDS and IPS and Firewall

The line is definitely blurring somewhat as technological capacity increases, platforms are integrated, and the threat landscape shifts. At their core we have

  • Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
  • Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected a log message is generated detailing the event.
  • Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.

The functional difference between an IDS and an IPS is a fairly subtle one and is often nothing more than a configuration setting change. For example, in a Juniper IDP module, changing from Detection to Prevention is as easy as changing a drop-down selection from LOG to LOG/DROP. At a technical level it can sometimes require redesign of your monitoring architecture.

Given the similarity between all three systems there has been some convergence over time. The Juniper IDP module mentioned above, for example, is effectively an add-on component to a firewall. From a network flow and administrative perspective the firewall and IDP are functionally indistinguishable even if they are technically two separate devices.

There is also much market discussion of something called a Next Generation Firewall (NGFW). The concept is still new enough that each vendor has their own definition as to what constitutes a NGFW but for the most part all agree that it is a device that enforces policy unilaterally across more than just network packet header information. This can make a single device act as both a traditional Firewall and IPS. Occasionally additional information is gathered, such as from which user the traffic originated, allowing even more comprehensive policy enforcement.
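The answer above boils down to one distinction: a firewall decides on header fields only, while IDS and IPS share the same payload inspection engine and differ only in the action taken on a match (LOG versus LOG/DROP). The following is an added illustration, not code from the original post or from any vendor product; the packets, allow list and signature patterns are all constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""

# Firewall policy: header-only allow list of (protocol, destination, destination port).
# Anything not listed is rejected; the payload is never examined at this stage.
FIREWALL_ALLOW = {("tcp", "10.0.0.5", 80), ("tcp", "10.0.0.5", 443)}

# Constructed signature set: (signature id, byte pattern looked for in the payload).
SIGNATURES = [("DEMO-1", b"/etc/passwd"), ("DEMO-2", b"<script>")]

def firewall(pkt):
    """Header-only policy check; returns 'accept' or 'reject'."""
    return "accept" if (pkt.proto, pkt.dst, pkt.dport) in FIREWALL_ALLOW else "reject"

def inspect(pkt, mode, log):
    """Payload inspection shared by IDS and IPS.
    mode='detect' only logs the match (IDS); mode='prevent' logs and drops (IPS)."""
    for sid, pattern in SIGNATURES:
        if pattern in pkt.payload:
            log.append(f"{sid} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return "log" if mode == "detect" else "drop"
    return "pass"

def process(pkt, mode, log):
    """Firewall first, then the inspection engine; returns the final verdict."""
    if firewall(pkt) == "reject":
        return "rejected-by-firewall"
    verdict = inspect(pkt, mode, log)
    return "forwarded" if verdict in ("pass", "log") else "dropped-by-ips"

# Constructed sample traffic: a telnet attempt, a benign web request, and a
# web request whose payload matches signature DEMO-1.
SAMPLE = [
    Packet("tcp", "192.0.2.10", "10.0.0.5", 51000, 23, b"login"),
    Packet("tcp", "192.0.2.10", "10.0.0.5", 51001, 80, b"GET /index.html"),
    Packet("tcp", "192.0.2.10", "10.0.0.5", 51002, 80, b"GET /../../etc/passwd"),
]

def run(mode):
    """Run all sample packets through the pipeline; returns (verdicts, alert log)."""
    log = []
    return [process(p, mode, log) for p in SAMPLE], log

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, run(mode))
```

In detect mode the third packet is logged but still forwarded, which is exactly why a passive IDS needs a response process behind it; flipping the same engine to prevent mode turns that log entry into a drop.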


explanation for the dummies

  • firewall -> doorman; he keeps everyone out who tries to sneak in via open basement-windows etc, but once someone enters through the official door, he lets everybody in, esp. when the house-owner brings guests in; *a firewall never prevents malicious traffic*, it just allows or blocks traffic, based on port/ip

  • IDS (passive) / IPS (active): the guy who searches guests for weapons etc; while he cannot run around and prevent people from sneaking in, he's able to search what people are bringing in

  • IDS active vs passive: in active-mode -> kicks ass and is able to block for a certain amount of time, in passive-mode -> just sends alerts

the only reason some would like to call an IPS different from active IDS is for marketing-purposes.


An active IDS is basically called an IPS.

Tags:

Firewalls

Ids