Explain IDS and IDP System, their differences and benefits with examples
Here's another networking question generally asked in security job interviews. The answer to this question should cover how IDS and IPS work (i.e. signature-based, anomaly-based). It should also cover the shortcomings of both technologies and how to overcome them.
So go ahead, give a shot at this one.
Well, intrusion detection systems (IDS) are used to monitor computer and network activities and analyze those events to look for any signs of malicious attacks against your system. The primary purpose of an IDS is to alert IT professionals and system administrators to potential system or network threats and weaknesses.
How does it work?
____________________________
* An IDS monitors all inbound and outbound network activity and identifies any suspicious patterns.
* It will identify probes, attacks, virus/worm outbreaks, exploits and other vulnerabilities.
* It alerts the admin via alerts, syslog, paging, etc., depending upon the IDS product.
* Signature Based - The IDS detects malicious activity by looking for known signatures that characterize different worms, viruses and other network attacks. E.g. Snort has about 10K+ attack signatures against which it compares the network activity. Signature-based IDS are more prone to false positives.
* Anomaly Based - An IDS can also detect attacks by tracking general variances which differ from regular system activity. Here, the administrator has to set the normal (expected) state of the network traffic load.
* Network Based - Network-based IDS systems (or NIDS) usually consist of sensors deployed at various locations in the network, which then analyze data packets entering and leaving that network. Generally, deploying NIDS is cheaper.
* Host Based - Host-based IDS systems (or HIDS) consist of software agents installed on individual computers within your network. These agents then analyze the traffic to and from the specific computer. HIDS systems can provide information (such as system file changes, CPU usage, etc.) that is not available via NIDS.
IPS = IDS + Ability to Block
_____________________________________
An IDS informs you of a potential attack, but an IPS attempts to stop it. This gives the admin capabilities similar to those of an application-layer firewall. IPS are also HIDS- and/or NIDS-based, just like IDS.
IDS vs. IPS
____________________________
* Passive vs. Active System - An IDS is a passive monitoring system, since its main function is to warn you of suspicious activity taking place, not to prevent it. An IPS, on the other hand, is a reactive monitoring system: it can respond to the suspicious activity by blocking the traffic, by reprogramming the firewall or by other means.
* False Positives (FP) - This is the biggest blocker in the implementation of IPS (as compared to IDS). A false positive in IPS mode can block a valid user from using the service, whereas in IDS mode it would have just notified the admin with details. Bottom line, IPS is not perfect and may block legitimate network traffic.
* Performance - An IDS is passive, so it can be deployed in offline mode without disrupting any traffic. An IPS, on the other hand, is generally deployed inline, and that can make it a bottleneck in your network (depending upon the traffic). IPS are slower than IDS and in certain scenarios can cause a drop in network performance and add latency.
* Maturity - IDS solutions are more mature than the IPS solutions on the market.
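The signature-based and anomaly-based detection described in the answer, and the IDS (alert only) versus IPS (alert and block) modes, as an added illustration that is not part of the original post. The request events, the two signature rules and the per-source baseline are constructed for the example; the busy but legitimate client 10.0.0.9 shows how an anomaly false positive becomes a blocked user in IPS mode.

```python
import re
from collections import Counter

# Constructed sample of web-request events as (src_ip, dst_port, request line).
# 10.0.0.9 is a legitimate but busy client, used to show an anomaly false positive.
SAMPLE_EVENTS = [
    ("10.0.0.5", 80, "GET /index.html"),
    ("10.0.0.5", 80, "GET /login.php?id=1' OR '1'='1"),
    ("10.0.0.7", 80, "GET /../../etc/passwd"),
    ("10.0.0.11", 80, "GET /about.html"),
    ("10.0.0.11", 80, "GET /contact.html"),
] + [("10.0.0.9", 80, f"GET /page{i}.html") for i in range(6)]

# Signature rules: known attack patterns, in the spirit of a Snort rule set (constructed).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}

def signature_detect(events):
    """Signature-based detection: match each request against known patterns."""
    alerts = []
    for src, _port, request in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts

def anomaly_detect(events, baseline_per_src=5):
    """Anomaly-based detection: flag sources whose request count exceeds the
    administrator-set baseline (the 'normal' traffic load from the answer)."""
    counts = Counter(src for src, _port, _request in events)
    return [(src, "rate-anomaly") for src, n in counts.items() if n > baseline_per_src]

def enforce(events, mode="ids", baseline_per_src=5):
    """IDS mode only reports; IPS mode also drops traffic from flagged sources.
    Returns (alerts, events that were allowed through)."""
    alerts = signature_detect(events) + anomaly_detect(events, baseline_per_src)
    if mode == "ids":
        return alerts, list(events)       # passive: everything passes, admin is alerted
    blocked = {src for src, _ in alerts}  # active: inline block of every flagged source
    return alerts, [e for e in events if e[0] not in blocked]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, passed = enforce(SAMPLE_EVENTS, mode)
        print(mode.upper(), "alerts:", alerts, "| passed:", len(passed), "of", len(SAMPLE_EVENTS))
```

In IDS mode all 11 requests pass and the admin gets three alerts; in IPS mode the two attackers are blocked, but so is 10.0.0.9, whose only "offence" was exceeding the baseline.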