Cisco IDS vs. IPS

calendar Mar 9, 2011 · 3 min read · CCNA Security Cisco cisco Cisco Systems computers Denial-of-service attack firewall Hardware Information Intrusion Detection System Intrusion Prevention System Network administrator networking router Security security Software software technology  ·
Share on: linkedin copy

There are tons of network attacks out there. Using a firewall helps but does look for signature based attacks. Access Control Lists are like firewalls and only look at the protocols like HTTP, FTP POP, etc. Cisco has developed some tools that will help network administrators combat the issue; IDS, (Intrusion Detection System) and IPS. (Intrusion Prevention System) Let's go into IDS first, Cisco IDS is a physical device and is like an alarm system it will alert you when an attack happens but that's it, the system won't block the connection. The IDS system is deployed in promiscuous mode meaning the sensor is placed where it can hear all the network traffic but is not in direct connect with the network making it an advantage when using an IDS:

  • No network impact, latency, or jitters etc.
  • No network impact if there is a sensor failure
  • No network impact if there is a sensor overloaded.

However the IDS does have some disadvantages compared to IPS

  • If packets trigger an alarm that's all it does is tell us that an attack is happening
  • Correct tuning is required for valid and invalid packets
  • The company must have a well thought-out security policy
  • Networks that are vulnerable must have evasion techniques

So what can IPS do that IDS can't? Well the IPS system can alert just like IDS but the IPS system can also block the attack. Remember that the IDS system can only alert. IPS works inline with the network it is a physical device just like IDS but is directly connected to the network. So what are the advantages to IPS compared to IDS?

  • Stops packets that trigger an alert
  • Can use stream normalization techniques (since the IPS sensor is inline with the traffic it can reduce many network attacks that exist.

Like the IDS the IPS does have disadvantage when compared to IDS:

  • Since the sensor is connected directly (inline) with the network it might affect network traffic.
  • If the sensor is overloaded that will also impact the network.
  • A company must have a thought-out security policy.
  • There can be some latency, jitter etc. with the network.

So why use IPS instead of IDS? Well IDS is an older technology and like mentioned before IDS only alerts you that an attack is happening, it logs the attack and that's it. Network attacks can happen fast and some of them only need a small amount of time to complete the attack. So once a network technician gets into the network equipment the attacker could be long gone and got what he/she needed. Sure you can now fix the problem but it might be little too late. IPS is able to load signature files this is like the definitions on your anti-virus software which it looks for patterns based on the attack. Which IPS can take that same style and block those attacks based on the security policies you implement, along with alerting you of what happened. That's my brief rundown of what these two technologies do  there is a lot more information you will be able to find on the web. But both have their places in the networking environment and it all depends on the money the company wants to spend to keep their networks secure. You can find more information at Cisco.com and or other places, I hope this information was informative.