Determining a Choice between an IDS or an IPS
Although an IPS and an IDS appear on the surface to be similar
technologies, examining their functions and placement within a network
makes it obvious that they are quite different. An IPS bears a
similarity to an enterprise-level firewall in that the technology
typically uses rules to determine which types of traffic to allow and
which to deny. As such, an IPS, like a firewall, can be considered a control
tool. An IDS behaves more like a protocol analyzer and can help a
security manager gain in-depth knowledge of what is happening on the
network, such as whether there have been security policy violations,
unauthorized traffic, or just a variety of configuration errors. Thus,
an IDS is more of an analysis tool.
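
The control-versus-analysis distinction above, as an added example that is not part of the original course text: the same rules are applied to the same traffic, once passively (IDS) and once inline (IPS). The rules, addresses, and traffic are constructed for illustration and assume a retail network with a guest VLAN and a point-of-sale (POS) database.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str              # source network in CIDR form
    dst_port: Optional[int]   # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    note: str

def matches(rule, pkt):
    in_net = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
    return in_net and rule.dst_port in (None, pkt.dst_port)

def inspect(packets, rules, inline):
    """inline=False models an IDS: it sees a copy of the traffic and only reports.
    inline=True models an IPS: it sits in the path, so a rule match drops the packet."""
    delivered, alerts = [], []
    for pkt in packets:
        hit = next((r for r in rules if matches(r, pkt)), None)
        if hit:
            alerts.append((hit.name, pkt.note))
        if hit and inline:
            continue          # control: the packet never reaches its destination
        delivered.append(pkt)
    return delivered, alerts

# Constructed rules and traffic (hypothetical addressing plan).
RULES = [
    Rule("policy violation: telnet in use", "0.0.0.0/0", 23),
    Rule("unauthorized: guest VLAN to POS database", "10.20.0.0/16", 5432),
]
PACKETS = [
    Packet("10.10.1.5", 443, "POS terminal to payment gateway"),
    Packet("10.20.3.9", 5432, "guest Wi-Fi client to POS database"),
    Packet("10.10.1.8", 23, "store router managed over telnet"),
    Packet("10.10.2.7", 5432, "back-office app to POS database"),
]

if __name__ == "__main__":
    for mode, inline in (("IDS", False), ("IPS", True)):
        delivered, alerts = inspect(PACKETS, RULES, inline)
        print(mode, "delivered:", [p.note for p in delivered])
        print(mode, "alerts:", alerts)
```

Both modes raise the same two alerts; only the inline mode changes what is delivered, which includes cutting off the telnet management session that the passive mode merely reports.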
Consider the scenario from Unit 2: You are the security administrator
for a medium-sized retail business with around 2,000 users. You already
have a firewall in place but are considering adding another layer
of security for your network. Which would you buy: an IDS or an IPS?
Which technology would be the bigger “bang for your buck,” given the
business focus, and why?