IDS and IPS Overview

Sep 5, 2025

Overview

This lecture covers the essentials of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), their deployment, functions, and differences, along with practical considerations for maintaining and operating these systems.

IDS and IPS Fundamentals

  • IDS and IPS monitor network traffic to detect malicious activity.
  • IDS (Intrusion Detection System) only detects and alerts on threats, without taking direct action.
  • IPS (Intrusion Prevention System) can actively block or drop malicious traffic when detected.

Types and Deployment of IDS/IPS

  • Network-based IDS (NIDS) monitors traffic for a whole network segment or subnet.
  • Host-based IDS (HIDS) monitors traffic to and from a single host and checks for unauthorized file changes.
  • NIDS must be positioned to access relevant traffic, often via port mirroring on network switches.
  • NIDS requires two network interfaces: one for monitoring (promiscuous mode) and one for management.
  • NIPS (Network IPS) must be placed inline with the traffic to block threats; all monitored data passes through it.

Comparison with Firewalls

  • Firewalls block unwanted external traffic and enforce Access Control Lists (ACLs) between networks.
  • NIDS detects suspicious internal activity and has broader visibility within the network segment compared to firewalls.

Detection Mechanisms

  • Threat detection is mostly signature-based, similar to antivirus systems, using unique patterns in network traffic.
  • Signature-based methods are fast but can miss new or targeted attacks.
  • Custom rules can be created to flag suspicious, not necessarily malicious, behavior for further investigation.

IDS/IPS Management and Alerts

  • IT specialists must update IDS/IPS rules and signatures regularly.
  • When malicious traffic is detected, NIDS typically logs the event, triggers alerts, and may capture packets for analysis.
  • The severity of an alert determines the response: an email, a ticket, or an urgent page, each carrying reference information (rule name, source, captured packets) for the investigation.
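The two detection styles from the previous section and the alert handling described here, as an added example that is not part of the original lecture: a toy detector runs a fast signature match and a custom "suspicious, not necessarily malicious" rule over constructed flow records, and maps each alert's severity to the response channel (email, ticket, page). Signature patterns, IP addresses and payloads are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records: (timestamp_s, src_ip, dst_port, payload_bytes).
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    (0.5, "10.0.0.5", 80, b"GET /login HTTP/1.1 TEST-SIG-ALPHA"),
    (1.0, "10.0.0.9", 22, b""),
    (1.2, "10.0.0.9", 23, b""),
    (1.4, "10.0.0.9", 3389, b""),
    (2.0, "10.0.0.7", 443, b"TLS client hello (constructed)"),
]

# Signature rules: constructed placeholder byte patterns, each with a rule name and severity.
SIGNATURES = {
    b"TEST-SIG-ALPHA": ("constructed-signature-alpha", "high"),
    b"TEST-SIG-BETA": ("constructed-signature-beta", "medium"),
}

# Severity decides the response channel, as the notes describe.
RESPONSE = {"low": "email", "medium": "ticket", "high": "page"}


@dataclass
class Alert:
    rule: str
    severity: str
    src: str
    response: str
    captured: list  # packets kept with the alert for later analysis


def run_detector(flows, port_limit=3, window_s=5.0):
    """Return alerts for signature hits and for the custom 'many ports' rule."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, src, port, payload in flows:
        # Signature-based check: fast exact byte match; misses anything without a signature.
        for pattern, (name, sev) in SIGNATURES.items():
            if pattern in payload:
                alerts.append(Alert(name, sev, src, RESPONSE[sev], [payload]))
        # Custom rule: one source reaching many distinct ports inside a short window is
        # suspicious (worth investigating) but not proven malicious, so severity is low.
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window_s] + [(ts, port)]
        if len({p for _, p in recent[src]}) >= port_limit and src not in flagged:
            flagged.add(src)  # alert once per source, not on every further port
            alerts.append(Alert("custom-many-ports", "low", src, RESPONSE["low"], [payload]))
    return alerts


if __name__ == "__main__":
    for a in run_detector(SAMPLE_FLOWS):
        print(f"{a.severity:6} {a.rule:28} src={a.src} -> {a.response}")
```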

Key Terms & Definitions

  • IDS (Intrusion Detection System) — Monitors and alerts on malicious activity but does not block it.
  • IPS (Intrusion Prevention System) — Detects and blocks or drops malicious network traffic in real time.
  • NIDS (Network-based IDS) — Monitors network segment traffic for threats.
  • HIDS (Host-based IDS) — Monitors and analyzes activity on a single host.
  • Signature — Unique identifier/pattern of known malicious traffic.

Action Items / Next Steps

  • Review and update IDS/IPS rules and signature databases regularly.
  • Review network topology to ensure proper placement of IDS/IPS devices.
  • Revisit lecture concepts as needed for better understanding.