N10-009, Chapter 121 of 163, Objective 4.3

IDS vs IPS Deployment Modes

This chapter covers the critical distinction between Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), their deployment modes, and how they secure modern networks. For the N10-009 exam, understanding the differences in placement, traffic inspection, and response actions is essential, as questions on this topic appear frequently in the Network Security domain (Objective 4.3). Expect 5-8% of exam questions to test your ability to choose the correct system type for a given scenario, identify deployment modes (inline, passive, tap, SPAN), and understand the implications of each approach on network performance and security.

25 min read
Intermediate
Updated May 31, 2026

IDS/IPS as Airport Security Screening

An Intrusion Detection System (IDS) is like an airport security camera system. Cameras record all activity in terminals, and security personnel review footage after an incident to identify suspicious behavior. They can see what happened but cannot stop it in real time. In contrast, an Intrusion Prevention System (IPS) is like the TSA checkpoint at the gate. Every passenger must pass through a metal detector and bag scanner before boarding. If a prohibited item is detected, the system physically blocks the passenger from proceeding—the threat is prevented before it reaches the aircraft. The checkpoint operates inline: all passengers must pass through it, and it can drop the threat (confiscate the item) or alert authorities. The camera system operates out-of-band: it copies the video feed for analysis but does not sit in the boarding path. Both use signature databases (like watchlists) and anomaly detection (behavioral analysis) to identify threats, but only the inline checkpoint can actively stop them. In networking, an IDS receives a copy of traffic via a SPAN port or network tap, analyzes it, and logs alerts; an IPS sits directly in the traffic path, inspects every packet, and can drop or block malicious traffic in real time. The trade-off is latency: the IPS adds processing delay, while the IDS does not affect throughput.

How It Actually Works

What IDS and IPS Are and Why They Exist

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are security technologies designed to monitor network traffic for malicious activity or policy violations. The fundamental difference lies in their response: an IDS is a passive monitoring system that generates alerts when suspicious activity is detected, while an IPS is an active inline system that can take immediate action to block or prevent the detected threat. Both systems use a combination of signature-based detection (matching traffic patterns against known attack signatures), anomaly-based detection (comparing traffic against a baseline of normal behavior), and stateful protocol analysis (understanding protocol states to detect deviations).

On the N10-009 exam, you must know that IDS and IPS are not interchangeable—they address different security requirements. An IDS is suitable for environments where traffic cannot be interrupted (e.g., critical infrastructure with strict uptime requirements) or where monitoring and forensics are the primary goals. An IPS is used where active threat prevention is required, such as at network perimeters or between security zones. The exam also tests the deployment modes: passive (for IDS) vs. inline (for IPS), and the methods used to connect them to the network (network tap vs. SPAN port).

How IDS and IPS Work Internally

Both IDS and IPS perform deep packet inspection (DPI) up to Layer 7 of the OSI model. The process involves:

1. Traffic Acquisition: The system receives traffic either by copying packets (passive) or by intercepting them directly (inline).
2. Packet Decoding: The system reassembles packets into streams, decodes protocol headers, and normalizes traffic (e.g., defragmentation, TCP stream reassembly).
3. Detection Engine: The normalized traffic is compared against:
   - Signature Database: Predefined patterns of known attacks (e.g., Snort rules, Suricata rules). Signatures can be simple (e.g., a specific byte sequence) or complex (e.g., stateful signatures that track session state).
   - Anomaly Detection Models: Statistical baselines of normal traffic (e.g., average packet size, protocol distribution, connection rates). Deviations trigger alerts.
   - Protocol Anomaly Detection: Checks for protocol specification violations (e.g., malformed packets, illegal flags).
4. Decision and Action: For IDS, the only action is to log the event and generate an alert (e.g., syslog, email, SNMP trap). For IPS, the system can:
   - Drop the packet/connection
   - Reset the TCP connection (send RST)
   - Block the source IP temporarily or permanently
   - Modify the packet (e.g., replace malicious content)
   - Shun the attacker (add a firewall rule to block all traffic from that IP)

Key Components, Values, Defaults, and Timers

- Signature Updates: Typically updated daily or weekly. Default signature sets include emerging threats (e.g., Emerging Threats rules for Snort/Suricata).
- Detection Thresholds: Anomaly detection uses thresholds like connection rate (e.g., >100 SYN packets per second from a single IP triggers a SYN flood alert).
- Response Actions: Common IPS actions include:
  - drop: Silently discard the packet.
  - reject: Send a TCP RST or ICMP unreachable.
  - alert: Log and continue (IDS mode).
- False Positive Rate: Acceptable false positive rate is typically <1% for production IPS to avoid blocking legitimate traffic.
- Latency Added: Inline IPS adds 50-500 microseconds per packet depending on rule complexity and hardware acceleration.

Configuration and Verification Commands

For Cisco IOS-based IPS (e.g., Cisco Firepower), configuration involves:

! Enable IPS
ip ips name MYIPS
! Apply to interface in inline mode
interface GigabitEthernet0/0
 ip ips MYIPS in
! Configure signature definition
ip ips signature-category
 category all
 retired true
 category ios_ips basic
 retired false
! Verify
show ip ips configuration
show ip ips statistics
show ip ips signatures count

For open-source Snort/Suricata:

# Snort IDS mode (passive, sniffing a single interface)
snort -c /etc/snort/snort.conf -i eth0 -A console
# Snort IPS mode (inline using the NFQUEUE DAQ; a netfilter rule must send packets to queue 0)
snort -c /etc/snort/snort.conf -Q --daq nfq --daq-var queue=0 -A console
# Snort IPS mode (inline using the afpacket DAQ, bridging the eth0/eth1 interface pair)
snort -c /etc/snort/snort.conf -Q --daq afpacket -i eth0:eth1 -A console
# Suricata inline (AF_PACKET IPS mode; the eth0/eth1 pair and copy-mode: ips are set in the af-packet section of suricata.yaml)
suricata -c /etc/suricata/suricata.yaml --af-packet

Verification commands:

# Check Snort alerts
cat /var/log/snort/alert
# Check Suricata counters over the unix socket (also written periodically to /var/log/suricata/stats.log)
suricatasc -c dump-counters

Interaction with Related Technologies

Firewalls: IPS often complements firewalls. Firewalls filter based on Layer 3-4 (IP/port), while IPS inspects Layers 5-7. A next-generation firewall (NGFW) integrates IPS functionality.

SIEM: IDS/IPS logs are sent to Security Information and Event Management (SIEM) systems for correlation and long-term storage.

Network Taps vs. SPAN Ports: IDS can connect to a SPAN port (mirror port on a switch) or a network tap. Taps provide a true copy of traffic without affecting the original path, while SPAN ports can drop packets under load. IPS must be inline, typically placed between two network segments.

Load Balancers: In high-availability deployments, IPS can be deployed in a failover pair with state synchronization to maintain session state during failover.

Deployment Modes: Inline vs. Passive

Inline (IPS): The device is physically in the traffic path. All traffic must pass through it. This allows the device to drop malicious packets in real time. However, it introduces a point of failure—if the IPS fails, traffic stops. Redundancy is achieved through failover pairs or bypass switches.

Passive (IDS): The device receives a copy of traffic via SPAN or tap. It cannot block traffic but can send alerts. It does not affect network performance and is not a single point of failure. However, it cannot prevent attacks in real time.

Placement Considerations

Network Perimeter: IPS is typically placed behind the firewall to inspect traffic that has already passed basic filtering. IDS can be placed outside the firewall to monitor inbound attacks.

Internal Segments: IDS/IPS can be placed between VLANs or in data centers to monitor east-west traffic. Inline IPS can enforce micro-segmentation policies.

Cloud Environments: Virtual IPS/IDS instances can be deployed in cloud VPCs (e.g., AWS Network Firewall, Azure Firewall Premium) using virtual inline or passive modes.

Performance and Scalability

Throughput: Modern IPS appliances handle 1-100 Gbps. Software-based solutions (e.g., Snort) on commodity hardware typically handle 1-10 Gbps.

Rule Count: Performance degrades as rule count increases. Optimizing rules (e.g., using fast pattern matching) is critical.

Hardware Acceleration: Many IPS appliances use ASICs or FPGAs for pattern matching to maintain line-rate inspection.

Exam-Relevant Details

N10-009 Objective 4.3: Compare and contrast IDS and IPS. Key points:

IDS = passive, alert only, out-of-band, no latency impact, cannot stop attacks.

IPS = inline, can block/alert, in-band, adds latency, can stop attacks.

Both use signatures and anomaly detection.

Deployment: IDS uses SPAN/tap; IPS uses inline.

False positives: Both can produce false positives, but IPS false positives can block legitimate traffic.

Evasion techniques: Attackers may fragment packets, use encryption, or use slow scans to evade detection. Both systems must handle these.

Common Exam Scenarios:

Scenario: "A company needs to detect attacks without impacting traffic flow." Answer: Deploy IDS.

Scenario: "A company needs to automatically block SQL injection attacks." Answer: Deploy IPS.

Scenario: "A network engineer needs to monitor traffic for forensic analysis." Answer: Use IDS with a network tap.

Trap Answers:
- "IDS can block traffic" — False. IDS is passive.
- "IPS only logs alerts" — False. IPS can block.
- "Both IDS and IPS must be inline" — False. IDS is passive.
- "SPAN port is preferred for IPS" — False. IPS needs inline placement; SPAN is for IDS.

Walk-Through

Step 1: Traffic Acquisition via Tap/SPAN

For an IDS, traffic is acquired by configuring a SPAN (Switched Port Analyzer) port on a switch or by inserting a network tap. A SPAN port copies traffic from one or more source ports to the destination port where the IDS is connected. However, under high load, the SPAN port may drop packets if the aggregated traffic exceeds the destination port's capacity. A network tap is a dedicated hardware device that splits the signal, sending the original traffic to its destination and a copy to the IDS. Taps are preferred for critical deployments because they do not drop packets and do not introduce latency on the production link. For an IPS, traffic acquisition is direct: the IPS is inserted inline between two network devices (e.g., between a router and a switch), so all traffic passes through it physically or logically (e.g., via a virtual wire).

Step 2: Packet Decoding and Normalization

Once traffic is acquired, the IDS/IPS decodes each packet from the raw data link layer up to the application layer. This involves parsing Ethernet headers, IP headers, TCP/UDP headers, and application protocol headers (HTTP, DNS, SMTP, etc.). The system must also handle fragmentation (IP defragmentation) and TCP stream reassembly to reconstruct the full session. Normalization is critical to prevent evasion techniques; for example, if an attacker sends overlapping IP fragments, the system must reassemble them in the same order as the target host. The system may also normalize HTTP requests (e.g., URL decoding, directory traversal removal) to match signatures accurately. This step is computationally intensive and often uses hardware acceleration.

Step 3: Detection Engine Analysis

The normalized traffic is passed to the detection engine, which applies a set of rules (signatures) and anomaly models. Signature-based detection uses pattern matching: each rule specifies a pattern (e.g., a byte sequence in the payload, a specific combination of flags) and an action. For example, a signature for a SQL injection attack might look for the string ' OR '1'='1 in the HTTP URI. Anomaly-based detection compares traffic to a baseline; for instance, if a host suddenly sends 1000 DNS queries per second (baseline is 10), it may be a DNS amplification attack. The engine also uses protocol decoders to detect malformed packets (e.g., a TCP packet with SYN and FIN flags set). Rules have priorities; higher priority rules are checked first. To optimize performance, rules are compiled into a deterministic finite automaton (DFA) for fast matching.

Step 4: Decision and Response Execution

Based on the analysis, the system decides whether the traffic is malicious. For an IDS, the only response is to generate an alert—typically writing to a log file (e.g., /var/log/snort/alert) and sending a notification via syslog, SNMP trap, or email. The IDS may also log the full packet capture for forensic analysis. For an IPS, the response can include dropping the packet (silently discarding it), resetting the connection (sending a TCP RST to both endpoints), blocking the source IP (dynamically adding a firewall rule), or even rate-limiting traffic. The IPS can also modify the packet (e.g., replace malicious content with benign data) in some advanced implementations. The response time is critical: the IPS must make the decision within microseconds to avoid impacting throughput. The system may also maintain a state table to track blocked sources and session states.

Step 5: Logging and Alerting (Post-Processing)

After the immediate response, both IDS and IPS log the event with metadata: timestamp, source/destination IP, protocol, signature ID, priority, and action taken. These logs are sent to a centralized logging server or SIEM for correlation with other security events. Alerts can be categorized by severity (e.g., high, medium, low) to prioritize response. The system may also generate a summary report periodically. For IPS, logging includes the action taken (e.g., drop, alert), which is crucial for tuning and troubleshooting false positives. The logs must be stored securely to prevent tampering. Retention policies vary, but typically logs are kept for 30-90 days for compliance. The system should also provide a mechanism to update signatures and rules without restarting the entire engine.
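The five walk-through steps above, and the internal process list earlier in the chapter, carried through as one added Python example (not code from the study guide, and not Snort or Suricata code): the same detection logic runs in passive (IDS) and inline (IPS) mode, and only the verdict differs. Packet field names, signature IDs, the SYN-rate threshold and the sample traffic are constructed assumptions for illustration.

```python
# Added example, not code from the study guide or from Snort/Suricata: a miniature
# IDS/IPS pipeline that runs the five walk-through steps over constructed packet
# records. Field names, signature IDs (sid) and the sample traffic are assumptions.
from collections import defaultdict
from urllib.parse import unquote

SIGNATURES = [  # Step 3 inputs: signatures in the spirit of the rules the text describes
    {"sid": 1001, "kind": "uri", "pattern": "' OR '1'='1", "priority": 1, "ips_action": "drop"},
    {"sid": 1002, "kind": "flags", "pattern": {"SYN", "FIN"}, "priority": 1, "ips_action": "reject"},
]
SYN_RATE_THRESHOLD = 100  # SYN/s from one source; the text says >100 means a SYN flood
SYN_FLOOD_SIG = {"sid": 2001, "priority": 2, "ips_action": "drop", "shun": True}

def normalize(pkt):
    # Step 2: URL-decode the URI (twice) so percent-encoding cannot hide a match.
    return dict(pkt, uri=unquote(unquote(pkt["uri"]))) if "uri" in pkt else pkt

def match_signatures(pkt):
    # Step 3a: signature matching; hits come back highest priority (lowest number) first.
    hits = []
    for sig in SIGNATURES:
        if sig["kind"] == "uri" and sig["pattern"].lower() in pkt.get("uri", "").lower():
            hits.append(sig)
        elif sig["kind"] == "flags" and sig["pattern"] <= set(pkt.get("flags", ())):
            hits.append(sig)
    return sorted(hits, key=lambda s: s["priority"])

class Engine:
    # Step 4: identical detection logic; only the verdict depends on the deployment mode.
    def __init__(self, mode):
        self.mode = mode                    # "ids" (passive copy) or "ips" (inline)
        self.syn_counts = defaultdict(int)  # (src, whole second) -> SYN count
        self.blocked = set()                # state table of shunned sources (IPS only)
        self.log = []                       # Step 5 records

    def inspect(self, pkt):
        """Return 'pass', 'alert' (IDS) or 'drop'/'reject' (IPS) for one packet."""
        if pkt["src"] in self.blocked:      # shun rule already installed for this source
            return self._record(pkt, SYN_FLOOD_SIG, "drop")
        pkt = normalize(pkt)
        hits = match_signatures(pkt)
        if "SYN" in pkt.get("flags", ()):   # Step 3b: rate anomaly against the baseline
            key = (pkt["src"], int(pkt["ts"]))
            self.syn_counts[key] += 1
            if self.syn_counts[key] > SYN_RATE_THRESHOLD:
                hits.append(SYN_FLOOD_SIG)
        if not hits:
            return "pass"
        top = hits[0]                       # the highest-priority hit decides the action
        if self.mode == "ids":
            return self._record(pkt, top, "alert")  # passive: log and alert, never block
        if top.get("shun"):
            self.blocked.add(pkt["src"])    # inline only: block further traffic from src
        return self._record(pkt, top, top["ips_action"])

    def _record(self, pkt, sig, action):
        # Step 5: log the metadata the text lists (time, addresses, proto, sid, priority, action).
        self.log.append({"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"], "proto": pkt["proto"],
                         "sid": sig["sid"], "priority": sig["priority"], "action": action})
        return action

def _http(ts, src, uri):
    return {"ts": ts, "src": src, "dst": "192.0.2.10", "proto": "http", "flags": ("ACK",), "uri": uri}
def _tcp(ts, src, *flags):
    return {"ts": ts, "src": src, "dst": "192.0.2.10", "proto": "tcp", "flags": flags}

# Step 1: constructed traffic, as delivered by a tap/SPAN copy (IDS) or the inline path (IPS).
SAMPLE_TRAFFIC = (
    [_http(0.10, "10.0.0.5", "/index.html"),
     _http(0.20, "10.0.0.7", "/login?user=%2527%2520OR%2520%25271%2527%253D%25271"),  # double-encoded SQLi
     _tcp(0.30, "10.0.0.9", "SYN", "FIN")]                                            # illegal flag combo
    + [_tcp(1.0 + i / 1000, "10.0.0.11", "SYN") for i in range(101)]                 # 101 SYN/s: flood
    + [_http(2.00, "10.0.0.11", "/index.html")]                                       # later packet from that source
)

def run_traffic(mode, packets=SAMPLE_TRAFFIC):
    """Feed the packets through an engine in the given mode; return (verdicts, log)."""
    engine = Engine(mode)
    return [engine.inspect(p) for p in packets], engine.log
```

Running the same traffic through both modes shows the exam distinction directly: the IDS logs three alerts and passes every packet, while the IPS drops the SQL injection request, resets the SYN+FIN probe, and shuns the flooding source so its later packet is dropped too.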

What This Looks Like on the Job

Enterprise Scenario 1: Perimeter Protection for a Financial Institution

A bank deploys an inline IPS (e.g., Cisco Firepower 4100) at the internet edge, behind the firewall. The IPS inspects all inbound and outbound traffic. The challenge is balancing security with low latency for online banking transactions. The IPS is configured with a customized rule set: critical signatures (e.g., for SQL injection, cross-site scripting) are set to 'drop', while less critical alerts (e.g., port scans) are set to 'alert' to avoid false positives blocking legitimate traffic. The IPS also uses anomaly detection to flag unusual outbound data transfers (potential data exfiltration). The deployment uses a bypass switch: if the IPS fails, traffic automatically bypasses it to maintain connectivity. The IPS processes 10 Gbps of traffic with an average latency of 200 microseconds. Logs are sent to a SIEM (Splunk) for real-time alerting and compliance reporting. A common issue is false positives during software updates; the team must tune signatures by whitelisting legitimate update servers.

Enterprise Scenario 2: Internal Network Monitoring with IDS

A large university uses a passive IDS (e.g., Suricata) to monitor internal traffic between academic departments. The IDS is connected to SPAN ports on core switches, capturing traffic from multiple VLANs. The goal is to detect insider threats and policy violations (e.g., peer-to-peer file sharing). Because the IDS is passive, it does not impact network performance. The IDS generates alerts that are reviewed daily by the security team. The main problem is the SPAN port dropping packets during peak usage (e.g., start of semester); the team mitigates this by using multiple SPAN ports and aggregating traffic. The IDS also helps in forensic investigations: when an incident is reported, the team queries the IDS logs to find the source IP and timestamp. The IDS uses a combination of signatures (e.g., for known malware) and anomaly detection (e.g., sudden increase in traffic to a new external IP).

Enterprise Scenario 3: Cloud-based IPS for a SaaS Company

A SaaS company deploys a virtual IPS in AWS (using AWS Network Firewall) to protect its VPC. The IPS is deployed inline in the VPC's internet gateway route table. All traffic entering and leaving the VPC is inspected. The IPS rules are managed via AWS Firewall Manager, with centralized policy across multiple accounts. The company uses threat intelligence feeds to update signatures automatically. The IPS is configured to block known malicious IPs (using a threat list) and to alert on suspicious patterns (e.g., excessive login attempts). Performance scales with the number of firewall endpoints; the company monitors throughput and scales horizontally by adding more Availability Zones. A common misconfiguration is failing to update the route tables correctly, causing traffic to bypass the IPS. The team uses AWS CloudWatch to monitor dropped packets and false positive rates.

How N10-009 Actually Tests This

N10-009 Objective 4.3: Compare and contrast IDS and IPS

The exam tests your ability to differentiate between IDS and IPS based on deployment, action, and impact. Key points that appear verbatim:

IDS is passive (out-of-band); IPS is active (inline).

IDS cannot stop attacks; IPS can block/drop.

IDS uses SPAN or tap; IPS is placed inline.

IDS does not affect traffic flow; IPS adds latency.

Both use signature and anomaly detection.

Both generate alerts, but IPS can also take action.

Common Wrong Answers and Why Candidates Choose Them

1. "IDS can block traffic by sending TCP resets." – Wrong: IDS is passive and cannot send packets into the traffic stream. Some older hybrid systems could, but the exam considers IDS as purely passive. Candidates confuse inline IDS (which doesn't exist in pure form) with IPS.

2. "IPS is deployed using a SPAN port." – Wrong: SPAN ports are for monitoring (passive). IPS must be inline to block traffic. Candidates think both can use SPAN because they see diagrams with both connected to switches.

3. "Both IDS and IPS have the same effect on network performance." – Wrong: IDS has no impact; IPS adds latency. Candidates assume both inspect traffic, so both must slow things down.

4. "An IPS can only alert, not block." – Wrong: IPS can block; that's its primary advantage. Candidates confuse IPS with IDS.

Specific Numbers and Terms to Memorize

SPAN port: Also called port mirroring. May drop packets under load.

Network tap: Provides a true copy; no packet loss.

Inline: The device is in the traffic path.

Passive: The device receives a copy.

Signature-based detection: Matches known patterns.

Anomaly-based detection: Baselines normal traffic.

Edge Cases and Exceptions

What if an IPS fails? Traffic stops unless a bypass switch is used.

Can an IDS be used inline? In theory, yes, but then it becomes an IPS. The exam expects IDS = passive, IPS = inline.

What about host-based IDS/IPS (HIDS/HIPS)? They run on endpoints and monitor system calls. The exam focuses on network-based (NIDS/NIPS).

Evasion techniques: Attackers fragment packets or use encryption. IDS/IPS must reassemble and decrypt if possible.

How to Eliminate Wrong Answers

If the question mentions "blocking" or "preventing" attacks, the answer must involve IPS.

If the question mentions "monitoring" or "detecting" without action, the answer is IDS.

If the question mentions "impact on network performance", IDS has none; IPS adds latency.

If the question mentions "deployment", IDS uses SPAN/tap; IPS uses inline.

Look for keywords: "out-of-band" = IDS, "in-band" = IPS.

Key Takeaways

IDS is passive (out-of-band) and only alerts; IPS is active (inline) and can block traffic.

IDS uses a SPAN port or network tap; IPS is placed inline between network devices.

Both use signature-based, anomaly-based, and protocol analysis detection methods.

IPS adds latency to traffic; IDS does not affect network performance.

False positives in IPS can block legitimate traffic; false positives in IDS only generate alerts.

On the N10-009 exam, remember: IDS = detect, IPS = prevent.

Network taps provide a true copy of traffic without packet loss; SPAN ports may drop packets under load.

Host-based IDS/IPS (HIDS/HIPS) monitor system calls on endpoints; network-based IDS/IPS monitor network traffic.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

IDS (Intrusion Detection System)

Passive monitoring: receives a copy of traffic via SPAN or tap.

Cannot block or prevent attacks; only alerts.

No impact on network latency or throughput.

Commonly used for forensic analysis and compliance monitoring.

Not a single point of failure; failure does not affect traffic flow.

IPS (Intrusion Prevention System)

Active inline deployment: all traffic passes through the device.

Can block, drop, or reset malicious traffic in real time.

Adds latency (microseconds) due to deep packet inspection.

Used for real-time threat prevention at network perimeters.

Single point of failure; requires bypass or failover for high availability.

Watch Out for These

Mistake

IDS can block malicious traffic by sending TCP reset packets.

Correct

A pure IDS is passive and cannot inject packets into the traffic stream. It can only log and alert. Some IPS systems can send TCP resets, but that is an IPS function. The N10-009 exam strictly separates IDS (passive) from IPS (active).

Mistake

IPS is deployed using a SPAN port just like IDS.

Correct

IPS must be deployed inline, meaning all traffic physically or logically passes through it. A SPAN port provides a copy of traffic and is used for IDS. Placing an IPS on a SPAN port would make it an IDS because it cannot block traffic it only sees a copy of.

Mistake

Both IDS and IPS add the same amount of latency to network traffic.

Correct

An IDS is passive and does not sit in the traffic path, so it adds zero latency to the original traffic flow. An IPS is inline and must process each packet before forwarding, adding latency (typically 50-500 microseconds). This is a key exam distinction.

Mistake

An IPS can only alert and cannot drop packets.

Correct

An IPS is designed to take active countermeasures, including dropping packets, resetting connections, and blocking IP addresses. Alerting is an option, but the primary advantage of IPS over IDS is its ability to prevent attacks in real time.

Mistake

Signature-based detection is the only method used by IDS/IPS.

Correct

Both IDS and IPS use multiple detection methods: signature-based, anomaly-based, and stateful protocol analysis. The exam expects you to know all three. Signature-based detects known attacks; anomaly-based detects unknown attacks by comparing to a baseline; protocol analysis detects protocol violations.


Frequently Asked Questions

What is the difference between IDS and IPS on the N10-009 exam?

The key difference is deployment and action: IDS is passive (monitors traffic via SPAN/tap) and only alerts; IPS is inline (sits in the traffic path) and can block or drop malicious packets. The exam expects you to choose the correct system based on whether the requirement is to detect or to prevent.

Can an IDS be deployed inline?

Technically, you can place an IDS device inline, but then it becomes an IPS because it can now affect traffic. The CompTIA Network+ exam treats IDS as strictly passive and IPS as strictly inline. If a question says 'inline', the answer is IPS; if 'passive', the answer is IDS.

What is a SPAN port and how is it used with IDS?

A SPAN (Switched Port Analyzer) port is a feature on managed switches that copies traffic from one or more source ports to a destination port. It is used to connect an IDS so that it can monitor traffic without being in the data path. However, SPAN ports can drop packets under heavy load, so network taps are preferred for critical deployments.

What is a network tap and why is it better than a SPAN port for IDS?

A network tap is a hardware device that splits the signal, sending the original traffic to its destination and a copy to the monitoring device (IDS). It provides a true copy without introducing latency or packet loss, unlike SPAN ports which may drop packets when the aggregated traffic exceeds the port capacity. Taps are used in high-security environments.

How does an IPS handle false positives?

An IPS handles false positives by allowing administrators to tune signatures—for example, by disabling a signature, adjusting its threshold, or adding exceptions (whitelisting). False positives are more critical in IPS than IDS because they can block legitimate traffic. The exam emphasizes that IPS false positives can cause denial of service.

What detection methods do IDS and IPS use?

Both use three main methods: signature-based detection (matching known attack patterns), anomaly-based detection (comparing traffic to a baseline of normal behavior), and stateful protocol analysis (checking for protocol violations). The exam expects you to know these and that signature-based cannot detect zero-day attacks, while anomaly-based can.

What is the role of a bypass switch in an IPS deployment?

A bypass switch is used to ensure network availability if the IPS fails. If the IPS loses power or becomes unresponsive, the bypass switch automatically routes traffic around the IPS, preventing a single point of failure. This is important for high-availability environments and is a common exam topic.
