What is the difference between IPS, IDS and a firewall?

grapevine · ‎02-02-2014

Marvin Rhoads · ‎02-02-2014

The terms aren't precisely defiend in standards; but in general usage, here is a breakdown:

IPS - Intrusion Prevention System - inspects traffic flowing through a network and is capable of blocking or otherwise remediating flows that it determines are malicious. Usually uses a combination of traffic and file signatures and heuristic analysis of flows.

IDS - Intrusion Detection System - similar to IPS but does not affect flows in any way - only logs or alerts on malicious traffic.

Firewall- prevents or allows traffic between interfaces based on configured rules. Often have a network address translation function to isolate private (RFC 1918) network addresses from public ones. May inspect traffic for conformance with proper protocol behavior and drop non-compliant traffic. Firewalls often have an optional IDS/IPS component based on their usually being placed at the optimal network location to see all interesting traffic that should be subject to further inspection and analysis as is done by IDS/IPS.

Hope this helps.

Julio Carvajal · ‎02-02-2014

Hello Ranji,

I would like to add some more information about it that might help

IPS:

Intrusion Prevention System that receives traffic in such a way that can prevent it from reaching the different targets on your network.

As Marvin said works with Signatures written with high level Regex Patterns in order to identify known threaths.

It also provideds the heuristic analysis of low by sitting inline and seeing all traffic during an amount of time defined by the user where the IPS will build a database about what is known to be Traffc in order and when traffic might be Out of Order.

IDS:

Security Network Appliance in charge of monitor the network and determine whether or not an attack is in place.

Does not prevent the attack from reaching the different assets (altough there are some options to configure it to send RST packets on some platforms).

It does NOT receives the real traffic from client to server or server to client, it basically receives a copy from the network device attached to it (PC,SPAN session, TAP, Packet Brocker,etc)

Firewall:

The Network Security Appliance for Excellence.

Now days not just in charge of inspectioning trafic at level 3-4 and basic level 7 but actually going from level 2 to the Deep contents of the packets at layer 7 (Known as Next Generation Firewalls).

It's main function is to filter traffic through the network while still allowing some traffic to go through.

Remember that now days the Firewalls come with pre-built IPS engines (known as the UTM generation firewalls or Unified Threath Management) such as the Cisco ASA CX, SRXs, CheckPoints and one of the most valuable todays Palo Alto Firewalls.

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Saurav Lodh · ‎02-21-2014

Agreed with Marvin and Julio.

ashukumar15267 · ‎03-09-2016

Agree on it. could you please provide me the configuration docs of IPS/IDS.

Marvin Rhoads · ‎03-09-2016

Configuration Guides are found on the various product support pages.

FirePOWER Management Center: http://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html

Cisco IPS (discontinued product): http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_collaboration.html#wp1054847

ashukumar15267 · ‎03-23-2016

I have to configure cisco IPS 7000 series. Do you know any setup and configurations docs.

Thanks for your help.

Marvin Rhoads · ‎03-23-2016

There are literally dozens of docs.

Start on the Product Support Page:

http://www.cisco.com/c/en/us/support/security/firepower-7000-series-appliances/tsd-products-support-series-home.html