This chapter covers Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), two cornerstone technologies in network security. For the SY0-701 exam, objective 3.1 (Security Architecture) requires you to understand the differences, deployment modes, detection methods, and response actions of these systems. Mastering IDS vs. IPS is critical because they appear in scenario-based questions where you must choose the right tool for a given situation—often with tricky distractors. This chapter will give you the precise knowledge to differentiate them, understand their mechanisms, and apply them correctly in exam scenarios.
Jump to a section
Imagine a nightclub with a VIP section. The club has two security systems: a passive security guard who watches a camera feed and a bouncer who stands at the door. The security guard (IDS) sits in a back room, monitoring the camera feed. When he sees someone trying to sneak into the VIP area, he radios the manager, who then decides to send the bouncer to intervene. The guard never stops the person directly; he only reports. The bouncer (IPS), on the other hand, stands at the VIP door. When someone tries to enter without a pass, the bouncer physically blocks them and turns them away. The bouncer acts immediately, without waiting for a manager. The guard is cheaper to deploy, but he can be overwhelmed if multiple incidents happen at once, and his delay might allow a breach. The bouncer is more expensive and can cause false positives—turning away legitimate guests if his judgment is poor. In a network, an IDS (like the guard) monitors traffic and generates alerts for analysts to review and act upon, while an IPS (like the bouncer) sits inline and automatically blocks malicious traffic. The key difference: IDS is passive, IPS is active. Both are essential, but they serve different roles in a defense-in-depth strategy.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are security technologies that monitor network traffic for malicious activity. The fundamental difference is that an IDS is a passive monitoring system, while an IPS is an active inline system. An IDS only generates alerts when it detects suspicious activity; it does not take action to block or prevent the traffic. An IPS, on the other hand, sits directly in the traffic path and can automatically block or drop malicious packets in real time.
Both systems analyze network packets and compare them against signatures of known attacks or behavioral baselines. They are critical for detecting and preventing threats such as malware, exploits, and policy violations. On the SY0-701 exam, you must know the specific characteristics, advantages, and disadvantages of each, as well as the detection methods they use.
How They Work Mechanically
IDS Operation: - An IDS receives a copy of network traffic from a network tap or SPAN port. It does not sit inline, so traffic flows through the network without passing through the IDS. - The IDS processes packets, reassembles streams, and applies detection rules (signatures, anomaly baselines, or stateful protocol analysis). - When a match occurs, the IDS generates an alert and logs the event. It may also send notifications via email, syslog, or to a SIEM. - The IDS cannot drop or modify the malicious traffic; it only reports. Response depends on human intervention or external systems.
IPS Operation: - An IPS is deployed inline, meaning all traffic must pass through the IPS device. It acts as a bump in the wire. - The IPS inspects packets in real time and can take immediate action: drop the packet, reject the connection, reset the TCP session, or block the source IP. - IPS actions are automatic and occur within milliseconds, preventing the attack from reaching the target. - Because it is inline, a failure of the IPS can cause a network outage (unless configured in fail-open mode).
Key Components, Variants, and Standards
Detection Methods: - Signature-based: Compares traffic against known attack patterns (e.g., Snort rules). Effective for known threats but cannot detect zero-day attacks. - Anomaly-based: Establishes a baseline of normal traffic and flags deviations. Can detect novel attacks but has high false positive rates. - Behavioral-based: Monitors for specific behaviors (e.g., multiple failed logins, port scans) rather than packet content. - Stateful Protocol Analysis: Understands protocol states (e.g., TCP handshake) and detects violations (e.g., invalid flags).
Deployment Modes: - Network-based (NIDS/NIPS): Monitors traffic at network boundaries. Examines headers and payloads. - Host-based (HIDS/HIPS): Runs on individual endpoints, monitoring system logs, file integrity, and process activity. Examples: OSSEC (HIDS), Windows Defender Firewall with Advanced Security (HIPS). - Wireless (WIDS/WIPS): Monitors wireless traffic for rogue APs, deauthentication attacks, etc.
Response Actions (IPS): - Drop packet - Reject connection (sends TCP RST or ICMP unreachable) - Block source IP for a duration - Reset TCP session - Shun (block) traffic from a source
Standards and Tools: - Snort (open-source NIDS/NIPS) - Suricata (open-source, multi-threaded, supports file extraction) - Zeek (formerly Bro, focuses on network analysis) - Cisco Firepower (commercial NGFW with IPS) - McAfee Network Security Platform - RFC 2827 (ingress filtering) relates to IPS placement
How Attackers Evade and Defenders Deploy
Evasion Techniques: - Fragmentation: Split attack payload across multiple packets to evade signature matching. IDS/IPS must reassemble fragments correctly. - Encryption: Attackers use TLS/SSL to hide payload. IDS/IPS needs decryption capabilities (e.g., SSL inspection). - Obfuscation: Encoding payload (e.g., Unicode, base64) to bypass signature detection. - TTL manipulation: Send packets with short TTL so they expire before reaching the IPS but arrive at the target. - Polymorphic code: Attack payload changes each time, evading signature-based detection.
Defender Deployment: - Place NIDS/NIPS at network perimeter (behind firewall) and internal segments. - Use HIDS/HIPS on critical servers and endpoints. - Configure signatures for known CVEs (e.g., CVE-2014-0160 for Heartbleed). - Tune thresholds to reduce false positives. - Integrate with SIEM for centralized alerting.
Real Command/Tool Examples
Snort IDS rule example:
alert tcp any any -> $HOME_NET 80 (msg:"HTTP SQL Injection Attempt"; content:"union select"; nocase; sid:1000001; rev:1;)This rule alerts on TCP traffic to port 80 containing the string "union select" (SQL injection attempt).
Suricata IPS mode (inline):
drop tcp any any -> $HOME_NET 445 (msg:"EternalBlue Exploit"; content:"|00 00 00 31 ff 53 4d 42|"; sid:2000002; rev:1;)This rule drops packets to SMB port 445 containing the EternalBlue exploit pattern.
Checking Snort alerts:
tail -f /var/log/snort/alertZeek (Bro) script for HTTP detection:
event http_request(c: connection, method: string, uri: string) {
if (uri == "/admin") {
NOTICE([$note=Admin_Access, $conn=c, $msg="Admin page accessed"]);
}
}Deploying a Network IPS
Step 1: Identify placement. The IPS must be inline, typically after the firewall but before internal switches. For a perimeter IPS, connect it between the router and the firewall. For internal segmentation, place it between VLANs. Step 2: Configure the IPS interfaces. Assign one interface as the external (untrusted) and another as internal (trusted). Enable inline mode. Step 3: Define security policies. Create rules that specify which traffic to inspect, drop, or allow. Use pre-built signature sets (e.g., Emerging Threats, Snort VRT) and customize for your environment. Step 4: Enable logging and alerting. Send logs to a SIEM (e.g., Splunk, ELK) and configure email alerts for critical events. Step 5: Test in monitor-only mode first. Run the IPS as a passive IDS to observe alerts without dropping traffic. Tune signatures to reduce false positives. Step 6: Switch to inline mode after tuning. Monitor for performance impact (latency, throughput). Step 7: Regularly update signatures and review logs for missed detections.
Detecting an Attack with IDS
Step 1: An IDS sensor on a SPAN port captures all traffic from the core switch. Step 2: The IDS reassembles packets and applies detection rules. For example, a signature for EternalBlue (CVE-2017-0144) matches a packet with SMBv1 exploit code. Step 3: The IDS generates an alert: 'ET EXPLOIT Possible EternalBlue SMBv1 Exploit Attempt'. The alert includes source/destination IPs, ports, and payload snippet. Step 4: The alert is forwarded to a SIEM or email. Step 5: A security analyst reviews the alert, verifies the packet capture, and determines the attack is real. Step 6: The analyst manually blocks the source IP on the firewall or contacts the network team to isolate the affected host. Step 7: The analyst documents the incident and updates the IDS signatures if needed.
IPS Automatically Blocking Malware
Step 1: An IPS inline between the internet and internal network inspects all HTTP traffic. Step 2: A user clicks a malicious link and the browser requests a URL hosting a Trojan. Step 3: The IPS signature for 'Trojan.Downloader' matches the HTTP response payload. Step 4: The IPS drops the packet containing the malware payload and sends a TCP reset to the server. Step 5: The IPS logs the event: 'DROP Trojan.Downloader detected from 203.0.113.5:80 to 10.0.0.2:49152'. Step 6: The user's browser shows an error (connection reset). The download fails. Step 7: The IPS continues to block subsequent attempts from the same IP for a configured period (e.g., 24 hours).
Tuning False Positives
Step 1: After deployment, the IDS/IPS generates many false positives (e.g., legitimate admin tools flagged as malware). Step 2: The analyst reviews alerts and identifies patterns: e.g., a vulnerability scanner (Nessus) triggers multiple signatures. Step 3: The analyst creates an exception rule to whitelist the scanner's IP address. Step 4: For anomaly-based systems, the analyst adjusts the baseline threshold (e.g., increase the standard deviation multiplier for traffic volume). Step 5: Signature-based systems: the analyst disables or modifies overly broad signatures. Step 6: The analyst verifies that legitimate traffic is no longer flagged. Step 7: The analyst documents changes and schedules regular tuning reviews.
Responding to IDS Alert in SOC
Step 1: SOC analyst receives an IDS alert: 'Malicious SQL Injection Attempt on Web Server'. Step 2: Analyst checks the SIEM for context: source IP (external), destination (web server), time, and payload. Step 3: Analyst determines the alert is a true positive by correlating with web server logs (HTTP 200 with SQL error). Step 4: Analyst escalates to incident response team. Step 5: Incident response blocks the source IP on the firewall and isolates the web server. Step 6: Analyst creates a case in the ticketing system with all evidence. Step 7: After containment, analyst recommends implementing a WAF rule to prevent future SQL injection and updating IDS signatures.
Scenario 1: Retail Company PCI DSS Compliance A retail company must comply with PCI DSS requirement 11.4, which mandates intrusion detection/prevention systems. They deploy a network IPS (Cisco Firepower) inline at the internet perimeter. The IPS is configured with signatures for known payment card malware and SQL injection. One day, the IPS detects an attempted SQL injection on the e-commerce website's login page. Because it is inline, the IPS drops the malicious packets immediately, preventing data breach. The SOC analyst receives an alert and confirms the attack was blocked. The company logs this as a security event for compliance. A common mistake: organizations deploy an IDS instead of an IPS, failing PCI requirement for active prevention. The analyst must ensure the system is inline and not just monitoring.
Scenario 2: University Campus Network A university uses a Snort-based IDS on a SPAN port to monitor student dormitory traffic. The IDS alerts on peer-to-peer file sharing and potential malware downloads. The network team receives alerts but cannot block traffic automatically because the IDS is passive. They manually investigate and block offending IPs on the border router. During a large-scale malware outbreak (e.g., WannaCry), the IDS generates thousands of alerts, overwhelming the team. The response is delayed, and several student computers are encrypted. The mistake: using only an IDS without an IPS for automatic blocking in a high-volume environment. The solution: deploy an IPS inline at the campus internet gateway to automatically drop malicious traffic.
Scenario 3: Healthcare Hospital HIDS A hospital deploys host-based IDS (OSSEC) on critical servers (EHR, PACS). The HIDS monitors file integrity, registry changes, and login attempts. An attacker gains access to a workstation and tries to escalate privileges on the domain controller. The HIDS on the domain controller detects multiple failed logins followed by a successful admin login from an unusual IP. It generates an alert, but because it's a HIDS, it cannot block the login. The security team receives the alert after 30 minutes, by which time the attacker has exfiltrated patient data. The mistake: relying solely on HIDS without an HIPS or network IPS to block the attack in real time. The hospital later implements Windows Defender Firewall with IPS capabilities to block suspicious inbound connections.
SY0-701 Objective 3.1 (Security Architecture) tests your ability to compare and contrast IDS and IPS. Key sub-objectives: Understand the differences in deployment (inline vs. passive), detection methods (signature, anomaly, behavioral, stateful), and response (alert vs. block). Also know host-based vs. network-based variants.
Common Wrong Answers & Why Candidates Choose Them: 1. 'IDS can block traffic' – Candidates confuse IDS with IPS. IDS is passive; it cannot block. The exam will present a scenario where blocking is required, and the correct answer is IPS. 2. 'IPS is always better than IDS' – While IPS provides active protection, it can introduce latency and false positives that disrupt legitimate traffic. IDS is better for environments where blocking is not acceptable (e.g., forensic analysis). 3. 'Signature-based detection is best for zero-day attacks' – Signature-based only detects known attacks. Anomaly-based is better for zero-days. Candidates often pick signature-based because it's more common. 4. 'HIDS is the same as antivirus' – HIDS monitors system behavior and file integrity, while antivirus focuses on malware signatures. HIDS may detect unauthorized changes but not necessarily malware.
Specific Terms & Values: - Inline vs. passive (tap/SPAN) - Signature, anomaly, behavioral, stateful protocol analysis - NIDS/NIPS, HIDS/HIPS, WIDS/WIPS - True positive, false positive, true negative, false negative - Snort, Suricata, Zeek - TCP reset, drop, reject, shun
Trick Questions: - 'Which system would you use to block a known exploit?' – IPS (not IDS). - 'Which system would you use to analyze traffic for forensic purposes?' – IDS (because it logs without interfering). - 'Which detection method is best for detecting a new polymorphic worm?' – Anomaly-based (not signature-based).
Decision Rule: If the question asks for a system that takes immediate action to stop an attack, choose IPS. If the question asks for monitoring, alerting, or forensic analysis, choose IDS. If the question mentions 'inline', it's IPS; if 'passive' or 'out-of-band', it's IDS. For host-based scenarios, choose HIDS/HIPS; for network-wide, choose NIDS/NIPS.
IDS is passive (out-of-band); IPS is active (inline).
IDS generates alerts; IPS can block traffic automatically.
Detection methods: signature-based, anomaly-based, behavioral, stateful protocol analysis.
Network-based (NIDS/NIPS) monitors network traffic; host-based (HIDS/HIPS) monitors endpoints.
Common tools: Snort (IDS/IPS), Suricata (IDS/IPS), Zeek (IDS).
False positives are a major challenge for both IDS and IPS, especially anomaly-based systems.
IPS can be configured in fail-open (bypass on failure) or fail-close (block all on failure) mode.
These come up on the exam all the time. Here's how to tell them apart.
IDS (Intrusion Detection System)
Passive monitoring: receives copy of traffic
Generates alerts only; no automatic blocking
Lower latency impact on network
Easier to deploy and maintain (no inline risk)
Better for forensic analysis and compliance
IPS (Intrusion Prevention System)
Inline deployment: traffic passes through device
Can automatically block, drop, or reject traffic
Adds latency; potential single point of failure
Requires careful tuning to avoid false positives
Provides active protection against threats
Mistake
An IDS can block malicious traffic if configured correctly.
Correct
An IDS is passive; it cannot block traffic. Only an IPS (inline) can block or drop packets. IDS generates alerts for manual response.
Mistake
IPS always improves security without drawbacks.
Correct
IPS can cause false positives that block legitimate traffic, and if it fails (e.g., power loss), it can cause network outages unless configured in fail-open mode. It also adds latency.
Mistake
Signature-based detection is effective against all attacks.
Correct
Signature-based detection only works against known attacks with defined patterns. It cannot detect zero-day attacks or heavily obfuscated variants.
Mistake
HIDS and antivirus are the same thing.
Correct
HIDS monitors system behavior, file integrity, and logs. Antivirus focuses on malware signatures and real-time file scanning. They complement each other but are not identical.
Mistake
An IDS placed inline can still function as an IDS.
Correct
If a device is inline, it is an IPS (or at least can act as one). An IDS is defined by its passive deployment. A device can operate in IDS mode even if inline (e.g., fail-open), but typically inline implies prevention capabilities.
The primary difference is deployment mode and response. IDS is passive, monitoring traffic via a SPAN port or tap, and only generates alerts. IPS is inline, meaning traffic flows through it, and it can automatically block or drop malicious packets. Think of IDS as a camera that records events, while IPS is a guard that stops intruders. On the exam, if the question asks for a system that 'detects and alerts,' choose IDS; if it asks for 'detects and prevents,' choose IPS.
Some IDS/IPS solutions (like Snort or Suricata) can operate in both modes depending on configuration. If the device is placed inline and configured to drop packets, it functions as an IPS. If it's passive and only logs, it's an IDS. However, the exam treats them as distinct: IDS is passive, IPS is inline. So on the exam, don't assume a device can switch modes unless explicitly stated.
A false positive occurs when the system flags legitimate traffic as malicious. For example, an IDS may alert on an internal vulnerability scanner that mimics attack patterns. False positives waste analyst time and can cause IPS to block legitimate traffic if not tuned. Reducing false positives is a key operational task. On the exam, you may be asked to choose a detection method that minimizes false positives (typically signature-based) or one that detects unknown attacks (anomaly-based, which has more false positives).
NIDS (Network-based IDS) monitors network traffic for all devices on a segment. HIDS (Host-based IDS) monitors activity on a single host, including system logs, file changes, and process execution. NIDS can see network-level attacks like port scans; HIDS can detect local privilege escalation or unauthorized file access. On the exam, if the scenario involves monitoring a specific server's file integrity, choose HIDS. If monitoring all traffic to and from a subnet, choose NIDS.
Stateful protocol analysis (also called deep packet inspection) understands the state of network protocols (e.g., TCP handshake, HTTP request/response) and detects anomalies like invalid flags or out-of-order packets. It is more sophisticated than simple signature matching but resource-intensive. On the exam, it's one of the four detection methods you need to know. It can detect attacks that violate protocol standards, such as a malformed packet that crashes a service.
Fail-open mode means if the IPS fails (e.g., power loss), traffic bypasses the device, ensuring network connectivity but losing protection. Fail-close means if the IPS fails, all traffic is blocked, preventing any potential attacks but causing a network outage. The choice depends on security vs. availability requirements. On the exam, you may need to recommend a mode based on the organization's priorities: fail-open for high availability, fail-close for high security.
Attackers use fragmentation, encryption, obfuscation, and TTL manipulation. For example, splitting a malicious payload across multiple packets can evade signature detection if the IDS/IPS doesn't reassemble fragments properly. Encryption (e.g., HTTPS) hides payload content unless the system performs SSL decryption. On the exam, you may be asked how to counter evasion: use SSL inspection, enable fragment reassembly, and normalize traffic.
You've just covered IDS vs IPS — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?