What is the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?
Both systems are security tools designed to identify network security threats. Both evaluate network traffic and compare it against known signatures, patterns and other attributes to determine whether the traffic may be a malicious actor worming their way into your network.
Where the tools differ is in what they do with that traffic. Both systems provide reports and alerts to the operator; for an IDS, that is where it ends. An IPS is designed to take action against traffic patterns that reach a predefined threshold. This distinction is known as the "active / passive" scenario: active refers to an IPS taking action, and passive to an IDS, or to an IPS configured not to act on the traffic patterns it matches.
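To make the active/passive distinction concrete, here is a small added example (not code from any real IDS/IPS product) that runs the same signature matching in both modes. The signatures, threshold and traffic records are constructed for illustration. In "ids" mode the engine only records alerts; in "ips" mode it also returns a "drop" verdict once a source's cumulative severity reaches the threshold, which is only meaningful when the device sits inline and can actually discard the packet.

```python
"""Toy signature engine contrasting IDS (alert only) with IPS (alert + block).

Constructed example: the signatures, threshold and packets below are made up
for illustration and are not taken from any real ruleset or product.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes                 # byte pattern to look for in the payload
    dport: Optional[int] = None    # optional destination-port qualifier
    severity: int = 1              # 1 = low, 2 = medium, 3 = high


# Constructed signatures (assumption: not from any real ruleset).
SIGNATURES = [
    Signature("http-traversal", b"../", dport=80, severity=2),
    Signature("xss-probe", b"<script>", dport=80, severity=2),
    Signature("telnet-banner-probe", b"login:", dport=23, severity=1),
]


@dataclass
class Engine:
    mode: str                     # "ids" (passive) or "ips" (active)
    block_threshold: int = 3      # cumulative severity per source before blocking
    scores: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        """Return "pass" or "drop" for one packet, recording any alerts.

        Both modes match signatures and record alerts identically; only
        "ips" mode ever returns "drop".
        """
        if pkt.src in self.blocked:
            return "drop"          # source already blocked by an earlier packet
        for sig in SIGNATURES:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if sig.pattern in pkt.payload:
                self.alerts.append((pkt.src, sig.name))
                self.scores[pkt.src] += sig.severity
        if self.mode == "ips" and self.scores[pkt.src] >= self.block_threshold:
            self.blocked.add(pkt.src)
            return "drop"
        return "pass"


def run(mode: str, packets):
    """Run every packet through a fresh engine; return verdicts, alerts, blocked."""
    eng = Engine(mode=mode)
    verdicts = [eng.inspect(p) for p in packets]
    return verdicts, eng.alerts, sorted(eng.blocked)


# Constructed traffic sample (RFC 5737 documentation addresses for the servers).
TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"GET /../../secret HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"GET /search?q=<script> HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"GET /about HTTP/1.1"),
    Packet("10.0.0.5", "192.0.2.11", 23, b"login:"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts, blocked = run(mode, TRAFFIC)
        print(mode.upper(), "verdicts:", verdicts)
        print(mode.upper(), "alerts:  ", alerts)
        print(mode.upper(), "blocked: ", blocked)
```

Running it shows the same three alerts in both modes, but only the IPS run drops the third packet (the one that pushes 10.0.0.7 over the threshold) and every later packet from that source, including a benign one. That last point is the usual argument for tuning an inline IPS to act only on high-confidence patterns.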
These tools can be placed "inline" or "out of line" (out of band) relative to the network. Inline means that the traffic must pass through the device. In an out-of-line installation the device observes a copy of the traffic delivered through a mirrored port on a switch or firewall: traffic passing through predefined physical ports on the switch is copied to the mirror port. An inline installation can (but does not always) add latency or slow down network traffic. An out-of-line installation adds no latency (unless the switch is old and cannot keep up with the mirroring).
Each tool has its place within a network. An IPS may be best used as a perimeter device, tuned to prevent or block only those traffic patterns that are definite security concerns. An IDS, on the other hand, may be best utilized behind the firewall to show which traffic and traffic patterns have gotten past the perimeter-based security tools.