Re: IDS versus IPS

londint · ‎12-14-2006

Hi All

Please what is the difference btween the 2.

If I have a Cat6509 with an IDSM-2 and then an ASA for all our external connection with an IPS what will each be monitoring?

Also can an IDS monitor external connection that will be plugged into the ASA. Thereby I dont need to buy a ASA5540 as the Cat6509 with IDSM-2 can also monitor external traffic. So I can then buy a ASA5550 and have the bandwidth advantage.

Is this correct.?

prchauha · ‎12-14-2006

hi,

the major difference between an IDS and an IPS is that, IDS sits in a promiscuous mode and an IPS sits in inline mode. So that implies that IDS will let the first threat packet into before it takes any action or fires an alert, this is because it would receive a copy of the packet for analysis and the actual packet would get in before any action is taken and the malicious traffic stream can be stopped from entering the network, where as an IPS box would even stop the initial threat packet from entering into your network, as it would be sitting in inline mode and all the traffic that enters your network would have to pass thru the IPS (i.e. the actual traffic, not a copy of it.), so the analysis would happen realtime and even the initial threat packet would be stopped from getting in.

Secondly if you already have an IDSM - II running, you can upgrade it to IPS version 5.x, then it would function as an IPS. This way you can buy an ASA5550 instead of an ASA5540, in future if you feel the need of an AIP-SSM module for you ASA, you can buy it or you can even buy an ASA with CSC-SSM module. In that case you have both your IDSM - II working as an IPS and ASA working as an Anti - X filter with the use of CSC-SSM.

cheers...!!!

--

Prashant Chauhan.