Chapter 63 Β· Concepts

Intrusion Prevention β€” Concept Reference

IDS vs. IPS, failure modes, monitoring configurations, and detection methods in structured reference form.

IDS vs. IPS β€” Core Comparison

AttributeIDS (Intrusion Detection System)IPS (Intrusion Prevention System)
Primary functionDetect and alertDetect and block
Action on threatGenerates alert / log entry; traffic continues to destinationDrops malicious packet; traffic never reaches destination
Network positionOut-of-band (passive) β€” receives traffic copyInline (active) β€” sits in traffic path
Effect on trafficNone β€” does not touch the traffic pathAdds latency; failure behavior affects network availability
Failure impactMonitoring stops; network unaffectedDepends on failure mode: fail-open (traffic continues) or fail-closed (traffic stops)
False positive impactSpurious alert (annoyance; no operational impact)Blocked legitimate traffic (operational incident)
False negative impactAttack not detected (same as IPS)Attack not blocked AND not detected
Best use caseWhen inline placement is not feasible; high-sensitivity environments where false positives would cause disruption; forensics and full packet captureWhen active prevention is required; standard perimeter and segment boundary deployment
Real-time prevention?NoYes (inline only)

Key insight: An IPS deployed in passive (out-of-band) mode behaves identically to an IDS β€” it can alert but not block. The device label matters less than the deployment position.

Failure Modes β€” Fail-Open vs. Fail-Closed

AttributeFail-OpenFail-Closed
What happens on device failureTraffic continues to flow through the device uninspectedTraffic stops; network link is severed
Security impactNo inspection during the failure window; attacks may pass undetectedNo uninspected traffic passes; protected segment is fully isolated
Availability impactNetwork remains up; users unaffected (beyond loss of security)Network goes down; users and services behind the device are unreachable
Preferred whenAvailability is prioritized; other security layers (firewalls, endpoint protection) provide defense in depth; typical enterprise networksSecurity is prioritized over availability; classified networks, critical infrastructure, high-value targets where uninspected access is unacceptable
Operational requirementRapid detection and repair of device failure; monitoring to detect when security inspection stopsRapid repair or bypass procedure; documented failover plan to restore network when device is down
Risk acceptedBrief window of uninspected traffic during failureNetwork downtime until device is restored
Most common choiceYes β€” most enterprise environments prefer fail-openLess common; high-security/classified environments

Active vs. Passive Monitoring β€” Configuration Reference

AttributeActive Monitoring (Inline)Passive Monitoring (Out-of-Band)
Device positionIn the traffic path between network segmentsConnected to a SPAN port or network tap; not in the traffic path
Traffic receivedAll actual traffic β€” the device forwards or drops each packetCopies of traffic β€” the original continues to its destination regardless
Can block in real time?Yes β€” drops packets before they reach the destinationNo β€” original packet is already delivered before analysis completes
Effect on availabilityDevice failure affects network availability (fail-open/fail-closed)Device failure has no effect on network availability
Latency addedSmall but measurable β€” every packet is processed before forwardingNone β€” monitoring device is not in the forwarding path
Typical useIPS for active prevention at network boundariesIDS for monitoring; passive IPS; forensic capture; compliance logging
Equivalent behaviorIPS (prevention)IDS (detection only), even if device hardware is an IPS

Traffic Copy Methods β€” SPAN vs. Physical Tap

AttributeSPAN Port (Port Mirror)Physical Network Tap
How it worksSwitch software duplicates specified port traffic to a monitoring portHardware device inserted into a cable; passively copies all signals at Layer 1
ImplementationSoftware configuration on a managed switch β€” no new hardware requiredRequires physical hardware installation in the cable run
Packet capture fidelityCan drop packets under heavy load (SPAN has lower priority than normal forwarding)100% fidelity β€” captures every bit on the wire; never drops packets
Effect on network if device failsNone β€” SPAN is a software copy; original traffic unaffectedNone β€” passive taps are designed to pass traffic even with power loss
FlexibilityEasily reconfigured to monitor different ports via software changeFixed to a specific cable segment; reconfiguration requires physical work
Best forGeneral monitoring; easy deployment; environments where occasional dropped copies are acceptableForensics; compliance; high-fidelity monitoring on critical links where no packets can be missed
CostNo additional hardware cost if switch supports SPANHardware cost per tap location

Detection Methods β€” Signature vs. Anomaly

AttributeSignature-BasedAnomaly-Based
How it detectsMatches traffic against a database of known attack patternsCompares traffic to a baseline of normal behavior; flags deviations
Zero-day detectionNo β€” cannot detect attacks with no existing signatureYes β€” novel attacks deviate from normal behavior even without a signature
False positive rateLow for known threats β€” if the signature matches, the threat is knownHigher β€” legitimate but unusual activity can trigger alerts
Maintenance requiredContinuous signature updates as new threats are discoveredOngoing baseline calibration; re-baselining after major network changes
Evasion riskAttackers can modify exploits to avoid matching known signaturesHarder to evade β€” attacker must mimic normal behavior to avoid detection
Best forKnown malware families, known exploit frameworks, compliance requirements for specific threat detectionDetecting novel attacks, insider threats, behavioral anomalies, C2 communications with unusual patterns

IPS Traffic Flow β€” Active vs. Passive Paths

Understanding the traffic path is the foundation of IDS/IPS questions. Memorize which path allows blocking and which does not.

Active (inline) path:

Internet β†’ Firewall β†’ [IPS inline] β†’ Core Switch β†’ Internal hosts
                              β†‘
                    Malicious packet dropped HERE
                    Never reaches the core switch

Passive (out-of-band) path:

Internet β†’ Firewall β†’ Core Switch β†’ Internal hosts (original traffic β€” always delivered)
                          β†“ SPAN copy
                          IDS/IPS (analysis only β€” generates alert, cannot block)

The rule: If the monitoring device is in the path (between two devices), it is active and can block. If the monitoring device is receiving a copy (connected to a SPAN port or tap), it is passive and can only alert. The position in the network determines the capability.