
Introduction and differences: Security Firewall vs IPS (Intrusion Prevention System) vs IDS (Intrusion Detection System)

Today I am going to talk about the basics of security terminology: the basic information on, and the differences between, a Firewall, an IPS (Intrusion Prevention System) and an IDS (Intrusion Detection System).

Network Security Firewall
As most of you already know, the main purpose of a firewall is to allow or prevent traffic between interfaces based on configured rules; a firewall that does this is a stateful firewall. A stateful firewall works on a set of rules defined on the basis of source and destination.

Firewalls often have a network address translation (NAT) function to isolate private network addresses from public ones. They may also inspect traffic for conformance with proper protocol behaviour and drop non-compliant traffic.

There are a lot of vendors in this space, such as Palo Alto Networks, Cisco Systems, Check Point, Fortinet and many more.

Firewalls often have an optional IDS/IPS component, because they are usually placed at the optimal network location to see all the interesting traffic that should be subject to the further inspection and analysis done by an IDS/IPS.


Fig 1.1 - Firewall + IPS and IDS

IPS - Intrusion Prevention System
An Intrusion Prevention System (IPS) is a network threat prevention technology that inspects network traffic streams to identify and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service, which attackers use to interrupt or gain control of an application or machine.

Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially gain access to all the rights and permissions available to the compromised application.

The IPS plays an important role: it is placed behind the firewall and delivers a supplementary layer of analysis after the firewall has done its own. Unlike its predecessor, the Intrusion Detection System (IDS), which is a passive system that scans traffic and reports back on threats, the IPS is placed inline (in the direct communication path between source and destination), actively analysing and taking automated actions on all traffic flows that enter the network.

In other words, we can say that it is a device or application that analyses packet headers and enforces policy based on protocol type, source address, destination address, source port and/or destination port. Packets that do not match the policy are rejected.

IDS - Intrusion Detection System
An IDS (Intrusion Detection System) is a device or application that analyses whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event.

An IDS does not prevent the attack from reaching the assets it protects (although on some platforms it can be configured to send RST packets).

It does NOT receive the real traffic from client to server or server to client; it receives a copy from the network device attached to it (PC, SPAN session, TAP, Packet, etc.). I will not talk about the different types of IDS used in network scenarios.
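To make the three roles concrete, here is an added toy model (example code written for this post, not a real product): a header-only policy check like the firewall/IPS policy described above, and one payload-signature engine run either as a passive IDS (works on a copy, only logs) or as an inline IPS (sits in the path, drops). The packets, policy and signature are all constructed for the example.

```python
# Added example, not code from the original post. All packets, the policy and
# the signature below are constructed sample data for illustration only.

# Constructed sample packets: proto, 5-tuple fields and a short payload.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40001, "dst": "192.0.2.10",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40002, "dst": "192.0.2.10",
     "dport": 80, "payload": b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.1"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 40003, "dst": "192.0.2.10",
     "dport": 23, "payload": b"login"},
]

# Firewall policy (header-only, as in the post): only TCP to the web server on
# port 80 is allowed; anything else is rejected before deeper inspection.
FIREWALL_POLICY = [{"proto": "tcp", "dst": "192.0.2.10", "dport": 80}]

# Hypothetical payload signature for the "known event" an IDS/IPS looks for.
SIGNATURES = {"dir-traversal": b"../../etc/passwd"}


def firewall_allows(pkt, policy=FIREWALL_POLICY):
    """Header-only check: the packet passes if every field of some rule matches."""
    return any(all(pkt[k] == v for k, v in rule.items()) for rule in policy)


def match_signature(pkt, sigs=SIGNATURES):
    """Deep inspection of the payload; returns the matching signature name or None."""
    for name, pattern in sigs.items():
        if pattern in pkt["payload"]:
            return name
    return None


def run_sensor(packets, inline):
    """Run the same engine as IDS (inline=False: copy of traffic, log only) or
    IPS (inline=True: in the path, drops hits). Returns (forwarded, log)."""
    forwarded, log = [], []
    for pkt in packets:
        if not firewall_allows(pkt):
            log.append(f"FIREWALL reject {pkt['src']}:{pkt['sport']} -> "
                       f"{pkt['dst']}:{pkt['dport']}")
            continue
        hit = match_signature(pkt)
        if hit:
            log.append(f"{'IPS drop' if inline else 'IDS alert'} {hit} from {pkt['src']}")
            if inline:
                continue      # IPS: the packet never reaches the server
        forwarded.append(pkt)  # IDS: logged, but still delivered
    return forwarded, log
```

Running the same packets through both modes shows the difference the post describes: the IDS logs the hit but still forwards it, while the IPS drops it.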