IPS β Intrusion Prevention System
A network security device that monitors traffic in real time and can actively block traffic identified as malicious. An IPS is deployed inline β in the traffic path β so that it physically intercepts packets before they reach their destination. When the IPS matches a packet against a known attack signature or behavioral rule, it drops the packet immediately. The destination never receives the malicious traffic. Because it sits in the traffic path, an IPS introduces a dependency: its failure behavior (fail-open or fail-closed) determines what happens to network traffic when the device becomes unavailable. IPS is the correct tool when the goal is prevention β stopping attacks before they complete.
IDS β Intrusion Detection System
A network security device that monitors traffic and generates alerts when it identifies suspicious or malicious activity β but cannot block traffic. An IDS is typically deployed passively (out-of-band), receiving a copy of traffic from a SPAN port or network tap. Because it is not in the traffic path, an IDS failure has no effect on network availability. The trade-off: when an IDS identifies a malicious packet, that packet has already reached its destination. The IDS detected the attack but could not prevent it. IDS is the correct tool when the goal is detection and investigation, or when inline placement is not feasible. In practice, an IPS operated in passive mode behaves identically to an IDS.
Fail-Open
A failure mode in which a security device that becomes unavailable allows traffic to continue flowing through it without inspection. When a fail-open IPS fails β hardware fault, software crash, power loss β the device becomes transparent to the network: packets pass through as if the device were not there. Security inspection stops entirely, but network connectivity is maintained. Fail-open prioritizes availability over security during the failure window. Most enterprise networks prefer fail-open because network downtime has immediate operational impact, while the window of uninspected traffic (from failure to repair) is typically brief and mitigated by other security controls.
Fail-Closed
A failure mode in which a security device that becomes unavailable severs the network connection it is monitoring. When a fail-closed IPS fails, no traffic flows through that link β the network segment it protects goes dark until the device is restored. Fail-closed prioritizes security over availability: no unexamined traffic reaches the protected segment. This is preferred in high-security environments where the risk of uninspected traffic is greater than the risk of network downtime (classified networks, critical infrastructure controls, financial systems during sensitive operations). The engineering team must have a rapid repair or bypass procedure, because fail-closed means the network is down until the device is fixed.
Active Monitoring (Inline)
An IPS deployment configuration in which the device sits directly in the network traffic path between two segments. All traffic must pass through the device; the device evaluates each packet and either forwards it or drops it. Active monitoring enables real-time prevention: malicious packets are dropped before reaching their destination. This is the default configuration for IPS deployments. The consequence of active placement: the IPS is a single point of dependency for that network path, and its failure behavior (fail-open or fail-closed) directly impacts availability. Active monitoring is to IPS what inline is to firewall β the device is in the path and controls what passes.
Passive Monitoring (Out-of-Band)
An IDS/IPS deployment configuration in which the monitoring device receives a copy of network traffic rather than sitting in the traffic path. Traffic flows normally to its destination; simultaneously, a duplicate copy is sent to the monitoring device via a SPAN port or network tap. Because the monitoring device is not in the traffic path, its failure has no effect on network connectivity. The critical limitation: the monitoring device cannot block traffic in real time. By the time it analyzes a copy and identifies a threat, the original packet has already been delivered. Passive monitoring provides detection and alerting only β not prevention. An IPS operated in passive mode is functionally an IDS.
SPAN Port (Switch Port Analyzer) / Port Mirror
A managed switch feature that duplicates all traffic from one or more specified switch ports and delivers an exact copy to a designated monitoring port. The monitoring device (IDS/IPS, packet capture system, SIEM collector) connects to the SPAN port and receives traffic copies without being in the data path. No additional hardware is required β SPAN is a software configuration on the switch. Limitation: SPAN ports have lower priority than regular switch forwarding. Under heavy traffic load, the switch may drop SPAN copies to preserve normal traffic β creating gaps in monitoring visibility. For high-fidelity monitoring on critical links, a physical network tap is preferred over SPAN.
Network Tap (Physical Tap)
A hardware device inserted directly into a physical network cable (copper or fiber) that passively copies all signals passing through the cable and delivers them to a monitoring device. Unlike a SPAN port, a network tap operates at Layer 1 (the physical layer) and has no software processing that can crash or drop packets. A tap cannot fail in a way that disrupts traffic β even if the tap device loses power, the original cable connection typically remains intact (passive taps are designed this way). Taps provide 100% packet capture fidelity under any load, making them preferred over SPAN for forensics, compliance monitoring, and critical link visibility. The trade-off: requires physical hardware installation; cannot be reconfigured via software.
False Positive
An IDS/IPS alert or blocking action triggered by legitimate traffic that was incorrectly identified as malicious. False positives are the primary operational challenge in IPS tuning: an IPS configured with overly aggressive rules will block legitimate business traffic, causing application failures and user frustration. A false positive from a passive IDS is an annoyance (a spurious alert); a false positive from an inline IPS is an operational incident (blocked traffic). Reducing false positives requires careful signature tuning, creating exceptions for known-good traffic patterns, and continuous monitoring of what the IPS is blocking. False positive rate is one of the key factors when comparing IDS vs. IPS deployment decisions.
False Negative
A failure of an IDS/IPS to detect or block traffic that is actually malicious. A false negative means an attack passes through the monitoring device without generating an alert or being blocked. False negatives occur when: an attack uses a technique not covered by the signature database (zero-day exploit), the attacker uses evasion techniques (packet fragmentation, protocol obfuscation, encryption) to bypass detection, or the detection threshold is set too permissively to avoid false positives. The trade-off between false positives and false negatives is the fundamental tuning challenge for intrusion detection: reducing false positives (by loosening rules) increases false negatives, and vice versa.
Signature-Based Detection
An IDS/IPS detection method that compares traffic against a database of known attack patterns (signatures). Each signature describes a specific exploit, vulnerability, or attack technique β a specific byte sequence, a particular HTTP request pattern, a known malicious payload. When traffic matches a signature, an alert is generated or the traffic is blocked. Strengths: very low false positive rate for known attacks; deterministic β if traffic matches the signature, it is flagged. Weaknesses: completely blind to attacks for which no signature exists (zero-days); requires continuous signature updates as new threats are discovered. Signature databases are maintained by security vendors and updated as new exploits are published.
Anomaly-Based Detection
An IDS/IPS detection method that establishes a baseline of "normal" network behavior and generates alerts when traffic deviates significantly from that baseline. Rather than matching against known attack signatures, anomaly detection asks: "Is this traffic unusual compared to what we normally see?" A host that suddenly sends connection attempts to 500 other hosts is anomalous even if none of those connections match a known exploit signature. Strengths: can detect novel attacks and zero-days that have no signatures; does not require signature updates. Weaknesses: higher false positive rate (legitimate but unusual traffic triggers alerts); requires a stable, well-characterized baseline of normal behavior to be effective; new systems or behavioral changes require re-baselining.