Which of the following best describes how an IPS is similar to an IDS? (Select the best answer.)
- They both sit in the path of network traffic.
- Neither sits in the path of network traffic.
- They both prevent malicious traffic from infiltrating the network.
- They can both use signatures to detect malicious traffic.
Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) devices are similar in that they can both use signatures to detect malicious traffic. Pattern-matching IDS and IPS devices use specific strings of text, called signatures, to detect malicious traffic. The primary benefit of signature-based detection methods is that the number of false positives generated is typically low. However, signature-based detection methods do not provide adequate protection against new attacks. Although signatures can be added as new threats are found, there is always a delay between the time a threat is released and the time a signature is developed to detect it.
IPS devices typically sit inline in the path of network traffic; however, IDS devices typically do not. Because traffic flows through an IPS, an IPS can detect malicious traffic as it enters the IPS device and can prevent the malicious traffic from infiltrating the network. An IPS can work in conjunction with a network firewall; however, Cisco recommends deploying an IPS on the inside interface of the firewall in order to prevent the IPS from wasting resources by analyzing traffic that will ultimately be blocked by the firewall. This enables the IPS to efficiently analyze the traffic that the firewall permits onto the network, rather than processing every inbound packet.
By contrast, an IDS device merely sniffs the network traffic by using a promiscuous network interface. Because network traffic does not flow through an IDS device, the IDS device can detect malicious traffic but cannot prevent it from infiltrating the network. When an IDS detects malicious traffic, it can alert other network devices in the traffic path so that further traffic can be blocked. In addition, an IDS can be configured to send a Transmission Control Protocol (TCP) reset notification or an Internet Control Message Protocol (ICMP) unreachable message to the source and destination addresses.
Protocol-behavior IDS and IPS devices use rules to detect protocol traffic that does not follow standard methods of operation. The rules used by protocol-behavior devices are usually based on the Request for Comments (RFC) documents that define each protocol. Although protocol-behavior devices can detect nonstandard traffic, there is no way to know for sure whether the traffic is caused by a malicious user or by a poorly coded application. Therefore, protocol-behavior devices have a higher rate of false positives.
Anomaly-detection IDS and IPS devices detect abnormalities in network traffic behavior. To enable anomaly-detection devices to detect abnormalities in traffic, the devices must first take a baseline reading of what normal network traffic patterns are like. Once the baseline is taken, an anomaly-detection device will compare future traffic against the baseline to detect abnormal traffic flows. Anomaly-detection devices have a higher false positive rate, but they are capable of detecting new attacks.
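The three detection methods described above (signature-based, protocol-behavior and anomaly-detection) can be illustrated in a single toy engine. The Python below is an added example, not code from the original question or from any vendor's IDS/IPS; the packets, signatures and baseline traffic are constructed for the example, and the `Packet` class, engine names and the 3-sigma anomaly threshold are assumptions made here. It shows the trade-offs the explanation describes: the signature engine catches only what it has a signature for (the oversized upload in the test traffic is caught by the anomaly engine alone), the protocol engine flags a malformed request line without knowing whether the client is malicious or just badly written, and the anomaly engine needs a baseline before it can judge anything.

```python
"""Toy IDS/IPS detection engines: signature, protocol-behavior and anomaly.

Added illustration; sample traffic, signatures and thresholds are constructed.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source address (constructed)
    proto: str      # application protocol; only "HTTP" is modelled here
    payload: str    # first line of the application-layer request
    size: int       # bytes on the wire


# --- Signature-based detection: fixed patterns known to be malicious -------
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    # tautology in a percent-encoded query string, e.g. admin'%20OR%20'1'='1
    "sqli-tautology": re.compile(r"'(?:%20|\s)*OR(?:%20|\s)*'1'\s*=", re.IGNORECASE),
}


def signature_alerts(pkt):
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


# --- Protocol-behavior detection: rules derived from the protocol RFC -------
# HTTP/1.1 request line is "method SP request-target SP HTTP-version".
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "CONNECT", "PATCH"}


def protocol_alerts(pkt):
    """Flag traffic that does not follow the standard request-line format.
    A match here may be an attacker or simply a poorly coded client."""
    if pkt.proto != "HTTP":
        return []
    m = REQUEST_LINE.match(pkt.payload)
    if not m:
        return ["http-malformed-request-line"]
    if m.group(1) not in KNOWN_METHODS:
        return ["http-unknown-method"]
    return []


# --- Anomaly detection: compare traffic against a learned baseline ---------
class AnomalyDetector:
    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold   # assumed 3-sigma cut-off
        self.mean = None
        self.stdev = None

    def baseline(self, packets):
        """Learn what normal packet sizes look like from known-good traffic."""
        sizes = [p.size for p in packets]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes) or 1.0

    def alerts(self, pkt):
        if self.mean is None:
            raise RuntimeError("baseline not taken; cannot judge traffic yet")
        z = (pkt.size - self.mean) / self.stdev
        return ["size-anomaly"] if abs(z) > self.z_threshold else []


def analyze(pkt, detector):
    """Run all three engines and report per-engine alerts for one packet."""
    return {
        "signature": signature_alerts(pkt),
        "protocol": protocol_alerts(pkt),
        "anomaly": detector.alerts(pkt),
    }


def inline_verdict(result):
    """What an inline IPS would do; a passive IDS could only alert."""
    return "drop" if any(result.values()) else "forward"


# Constructed known-good traffic used to build the baseline.
BASELINE_TRAFFIC = [
    Packet("10.0.0.1", "HTTP", "GET /index.html HTTP/1.1", s)
    for s in (300, 320, 310, 290, 305, 315, 295, 310)
]

# Constructed test traffic exercising each engine.
TEST_TRAFFIC = [
    Packet("10.0.0.5", "HTTP", "GET /index.html HTTP/1.1", 310),          # clean
    Packet("10.0.0.7", "HTTP", "GET /../../etc/passwd HTTP/1.1", 318),    # signature
    Packet("10.0.0.9", "HTTP", "GET/index.html", 300),                    # malformed
    Packet("10.0.0.6", "HTTP", "FOO / HTTP/1.1", 300),                    # unknown method
    Packet("10.0.0.4", "HTTP", "POST /upload HTTP/1.1", 5000),            # no signature, anomalous size
    Packet("10.0.0.8", "HTTP", "GET /login?u=admin'%20OR%20'1'='1 HTTP/1.1", 330),  # signature
]


if __name__ == "__main__":
    det = AnomalyDetector()
    det.baseline(BASELINE_TRAFFIC)
    for p in TEST_TRAFFIC:
        res = analyze(p, det)
        print(f"{p.src:10} {inline_verdict(res):8} {res}")
```

Running the block prints one line per test packet; the oversized upload is forwarded by the signature and protocol engines and dropped only because the anomaly engine has a baseline to compare it against, which is the "can detect new attacks" property the explanation attributes to anomaly detection.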