Chapter 63 · Security Advisory

Intrusion Prevention

IDS vs. IPS, fail-open vs. fail-closed, and active vs. passive monitoring — the architectural decisions that determine whether your network detects attacks or stops them.

IPS-2024-001
IDS vs. IPS — Detection Versus Prevention
Severity: Critical

What an IPS Does

An Intrusion Prevention System (IPS) watches network traffic as it traverses the network in real time. Every packet that passes through the IPS is evaluated against a set of known attack signatures and behavioral rules. If the traffic matches a dangerous pattern — an exploit targeting a known operating system vulnerability, an application-level attack, a buffer overflow attempt, a SQL injection payload, cross-site scripting code — the IPS blocks that traffic immediately, before it reaches its destination.

The key operational characteristic of an IPS: it can act. When the IPS identifies a threat, it drops the malicious traffic right there. The destination server never sees the packet. The attack is stopped at the network layer, not at the endpoint.

What an IPS can detect and block:

  • Known exploit signatures: Attack code targeting specific CVEs in operating systems (Windows, Linux), network services (Apache, OpenSSL), and applications (web frameworks, database clients). Signature databases are updated continuously as new exploits are discovered.
  • Protocol anomalies: Traffic that violates protocol specifications — malformed HTTP requests, invalid packet headers, fragmentation patterns used to evade detection. Protocol anomaly detection catches zero-day exploits that don't match signatures but do violate protocol rules.
  • Application-layer attacks: Buffer overflows, SQL injection, cross-site scripting, command injection. The IPS inspects the payload of packets, not just their headers — allowing detection of attacks embedded in otherwise legitimate-looking connections.
  • Behavioral patterns: Port scans, connection rate anomalies, unusual traffic volumes. A single host sending connection attempts to hundreds of ports in seconds is behaving like a scanner regardless of what signatures match.

IDS — When Detection Without Prevention Is the Goal

An Intrusion Detection System (IDS) performs the same analysis as an IPS — it watches traffic, compares it against signatures and behavioral rules, and identifies threats. The critical difference: an IDS can only alert. It cannot block traffic.

When an IDS identifies a suspicious or malicious packet, it generates an alert — an entry in a log, a notification to a SIEM, an email or page to the security team. The packet, however, continues to its destination. The IDS has observed the attack and raised an alarm, but the attack proceeded.

This is not a design flaw — it is a deliberate operational choice with legitimate use cases:

  • When blocking is too risky: In environments where false positives (legitimate traffic incorrectly identified as an attack) would cause significant disruption, passive detection allows the security team to investigate and confirm before taking action. A hospital network where a false positive blocks clinical communication is a safety risk — passive monitoring lets humans make the blocking decision.
  • When traffic cannot be routed inline: Some network architectures do not permit a security device to sit in the traffic path — high-speed links, legacy network topologies, or environments where adding latency is unacceptable. Passive IDS monitors a copy of traffic without being in the path.
  • For full packet capture and forensics: An IDS can capture full packet data for later forensic analysis, recording everything that traversed the network for investigation after an incident.
The fundamental trade-off: IPS stops attacks but risks blocking legitimate traffic (false positives). IDS never blocks legitimate traffic but also never stops attacks in real time. The choice between them is not a question of which is "better" — it is a question of which risk the organization prefers to accept: operational disruption from false positives, or attack completion from false negatives.
IPS-2024-002
Failure Modes — Fail-Open vs. Fail-Closed
Severity: High

The Problem with Inline Devices

An IPS placed inline — sitting directly in the traffic path between the firewall and the core switch — inspects every packet on that link. While it is functioning, this provides real-time prevention. But inline devices introduce a critical architectural dependency: if the device fails, what happens to the network?

Unlike a passive sensor that can fail silently with no effect on network traffic, an inline device is physically in the path of traffic. Hardware faults, software crashes, power failures, and resource exhaustion can all cause an inline IPS to become unavailable. The device's behavior during failure — its failure mode — determines whether the network keeps running or goes dark.

Fail-Open

A fail-open device, when it fails or becomes unavailable, allows traffic to continue flowing through it as if it were not there. The security inspection stops — no packets are evaluated, no attacks are blocked — but the network connection is maintained. Traffic passes through the now-passive device without inspection.

The fail-open scenario, in practice:

  • IPS hardware fails at 2:00 PM on a Friday
  • Traffic continues to flow through the link — users remain connected, applications keep running
  • No security inspection is occurring — the IPS is effectively transparent glass
  • An attacker who happens to exploit a vulnerability during this window has no IPS blocking them
  • The failure is eventually detected; the IPS is repaired or replaced

When fail-open is preferred: Most enterprise networks default to fail-open because availability is prioritized. A network that goes dark every time a security device fails is operationally unsustainable. The security team accepts that there will be brief windows of uninspected traffic — the risk is managed by having other security layers (firewalls, endpoint protection) still in place.

Fail-Closed

A fail-closed device, when it fails, severs the network connection it is monitoring. Traffic stops flowing through that link. The security function is preserved in the sense that no unexamined traffic passes — but the availability of everything on the other side of that link is also gone.

The fail-closed scenario:

  • IPS hardware fails at 2:00 PM on a Friday
  • The network link is severed — no traffic flows through that segment
  • Everything behind the IPS is unreachable: internal users lose connectivity, servers become inaccessible
  • The network remains down until the IPS is repaired, replaced, or bypassed

When fail-closed is preferred: High-security environments where the risk of unexamined traffic reaching internal systems is greater than the risk of network downtime. A classified government network, a financial trading system during non-trading hours, or a segment protecting critical infrastructure may accept network unavailability rather than allow uninspected traffic. The organization must have a documented process for handling the device failure quickly.

Fail-open vs. fail-closed is a security vs. availability trade-off: Fail-open prioritizes availability (the network stays up) at the cost of temporary security gap. Fail-closed prioritizes security (no uninspected traffic) at the cost of availability (the network goes down). There is no universally correct choice — the right answer depends on which risk is less acceptable for the specific environment. Always check the vendor documentation: the default failure behavior is a device-specific characteristic, not something you can assume.
IPS-2024-003
Active vs. Passive Monitoring — Inline and Out-of-Band Configurations
Severity: High

Active Monitoring (Inline)

In an active monitoring configuration, the IPS is placed directly in the traffic path — inline between network segments. All traffic flowing between those segments must pass through the IPS. The device sits between the firewall and the core switch, or between network segments, examining every packet before forwarding it.

The active monitoring traffic flow:

  • Traffic arrives at the IPS from the upstream device (firewall or router)
  • The IPS evaluates the packet against its rules and signatures
  • If the traffic is legitimate: forwarded to the downstream device (core switch)
  • If the traffic is malicious: dropped immediately — it never reaches the downstream device

Active monitoring is the default configuration for IPS deployments — prevention requires inline placement. The disadvantage is the dependency it creates: the IPS is now a single point in the traffic path, and its failure behavior (fail-open or fail-closed) directly impacts network availability.

Passive Monitoring (Out-of-Band)

In a passive monitoring configuration, the IPS (or IDS) is not in the traffic path at all. Instead, it receives a copy of traffic from a switch or tap while the original traffic flows to its destination normally.

Passive monitoring is commonly called "IDS mode" even when the device itself is an IPS — because the out-of-band position prevents it from blocking traffic in real time. The device can detect and alert, but cannot prevent.

Two methods for sending traffic copies to a passive monitor:

  • SPAN port (Switch Port Analyzer) / Port mirror: A feature built into managed switches. The switch duplicates all traffic from a specified port (or set of ports) and sends an exact copy to a designated monitoring port. The monitoring device (IPS/IDS) is connected to the SPAN port and receives all duplicated traffic. This is a software configuration on the switch — no additional hardware required. The limitation: SPAN ports can drop packets under heavy load if the switch's backplane becomes saturated.
  • Network tap (physical tap): A hardware device inserted directly into a physical network cable. The tap passively copies all electrical or optical signals passing through the cable and sends a copy to the monitoring device. Because a tap operates at the physical layer (Layer 1), it is completely transparent — it cannot fail in a way that disrupts traffic (there is no active processing that can crash). Physical taps are preferred for high-fidelity monitoring on critical links where dropped packets from SPAN congestion would create blind spots.

Comparing Active and Passive Monitoring

The traffic path in passive monitoring makes the operational difference clear:

  • Active (inline): Client → Switch → IPS → Firewall → Internet. The IPS is in the middle. It can intercept and drop packets.
  • Passive (SPAN): Client → Switch → Firewall → Internet (normal path). Switch also → copy → IPS (analysis path). The IPS receives a duplicate. The original packet is already at the firewall before the IPS finishes evaluating the copy.

In passive mode, by the time the IPS identifies a malicious packet and generates an alert, that packet has already been delivered to its destination. The alert is valuable — the security team now knows an attack occurred, can investigate, and can take action against the attacker — but the attack was not stopped in transit.

Active = IPS behavior. Passive = IDS behavior. The device hardware may be identical — an IPS appliance can operate in either mode. What determines whether you have an IPS or an IDS in practice is the deployment: inline (active) or out-of-band (passive). An IPS deployed passively is operationally an IDS — it cannot prevent anything. This is the source of the exam's IDS/IPS questions: the critical difference is not the hardware, it is the position in the network.