What's the difference between IDS and IPS?
Networks that were once completely isolated now connect the whole world. This ubiquitous connectivity lets enterprises accomplish tasks that were unimaginable in the past. However, there is also a dark side: the Internet has become a paradise for cyber criminals.

Cyber criminals use this connectivity to launch attacks on enterprises on an unprecedented scale. When the Internet first became popular, enterprises began to realize that they should use firewalls to prevent attacks. Firewalls work by blocking unused TCP and UDP ports. Although firewalls are effective at blocking certain ports, some ports are needed for HTTP, SMTP and POP3 communication, and to keep these common services running, their ports must remain open. The problem is that attackers have learned how to send malicious traffic through these normally open ports.

To deal with this threat, some companies began to deploy an Intrusion Detection System (IDS). The idea of an IDS is to monitor all traffic passing through the firewall and look for potentially malicious traffic. The idea is good in theory, but in practice, for several reasons, IDS systems have not worked well.

Early IDS systems worked by looking for any abnormal communication. When abnormal communication was detected, the event was logged and an alarm was sent to the administrator. There are a few problems with this approach. First of all, looking for abnormal communication produces many false positives. After a while, administrators get tired of receiving so many false alarms and end up ignoring the IDS warnings completely.

In the past few years, IDS systems have made great progress. Today an IDS works more like antivirus software: it contains a database of attack signatures and constantly compares incoming traffic against the entries in that database. If a match is found, the IDS reports the attack.

The new IDS systems are more accurate than their predecessors. However, the signature database must be updated constantly to remain effective. In addition, if an attack occurs for which there is no matching signature in the database, the attack may be missed entirely. And even when an attack is detected and confirmed, an IDS can do nothing except alert administrators and log the attack.

This is where the Intrusion Prevention System (IPS) comes in. An IPS is similar to an IDS, but its design addresses some of the defects of an IDS.

First, an IPS sits between the firewall and the network devices behind it. This way, if an attack is detected, the IPS stops the malicious traffic before it spreads to other parts of the network. In contrast, an IDS sits outside your network, playing the role of an alarm rather than a defense in front of the network.

An IPS also detects attacks differently from an IDS. There are many IPS products today, and they use different technologies, but generally speaking an IPS relies on inspecting data packets. It examines each packet entering the network, determines the real purpose of that packet, and then decides whether to allow it into your network.
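The following added example (not from the original article) illustrates both points above in code: the same signature database is run once as an out-of-band IDS, which forwards everything and only raises alerts, and once as an inline IPS, which drops matching packets before they reach the network. The signatures and packets are constructed for the example; the last packet carries an encoded attack that no signature matches, which is the "missing signature" blind spot described earlier.

```python
import re
from dataclasses import dataclass, field

# Constructed sample signatures (hypothetical patterns, not real vendor rules).
SIGNATURES = {
    "SQLI-UNION": re.compile(rb"union\s+select", re.I),
    "PATH-TRAVERSAL": re.compile(rb"\.\./\.\./"),
}

# Constructed sample "packets": (source address, destination port, payload).
PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.7", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users"),
    ("10.0.0.9", 25, b"MAIL FROM:<alice@example.com>"),
    ("10.0.0.8", 80, b"GET /../../etc/passwd HTTP/1.1"),
    # URL-encoded payload: no signature in the database matches it, so it is missed.
    ("10.0.0.6", 80, b"GET /search?q=%27%20OR%201%3D1 HTTP/1.1"),
]

@dataclass
class Result:
    forwarded: list = field(default_factory=list)  # packets that reached the network
    alerts: list = field(default_factory=list)     # (source, signature name) pairs
    dropped: list = field(default_factory=list)    # packets blocked inline (IPS only)

def match_signature(payload):
    """Return the name of the first signature that matches the payload, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def run_engine(packets, mode):
    """mode='ids': out of band, every packet is forwarded and matches only alert.
       mode='ips': inline, matched packets are dropped before entering the network."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    result = Result()
    for src, port, payload in packets:
        sig = match_signature(payload)
        if sig is None:
            result.forwarded.append((src, port))
            continue
        result.alerts.append((src, sig))
        if mode == "ips":
            result.dropped.append((src, port))   # blocked before it spreads
        else:
            result.forwarded.append((src, port))  # IDS can only warn and log
    return result
```

Both runs raise the same two alerts; only the IPS run keeps those packets off the network, and neither run notices the encoded fifth packet.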

As you can see, there are some important differences between IDS and IPS systems: an IDS watches traffic and raises alerts, while an IPS sits inline and can block the malicious traffic it detects.