IDS|IPS
IDS and IPS are closely related and belong to the same layer of protection, but they have different responsibilities.
An Intrusion Detection System (IDS) is responsible for detecting malicious activity (intrusions) in the environment it monitors. That environment can be a single host (machine, endpoint) or an entire network segment, depending on the type of IDS and where it is deployed. When it detects something suspicious it only raises an alert; an administrator then analyzes it and takes manual action if necessary.
An Intrusion Prevention System (IPS) monitors in much the same way as an IDS, but it is placed where it can act (for a network IPS, inline in the traffic path) and is configured to respond automatically to certain malicious activity in order to block or mitigate the attack. An IPS can act on the same detections an IDS would raise, but its main function is automatic prevention rather than producing detailed alerts for human analysis. It cannot handle everything on its own, particularly new or unknown attacks (zero-days) for which no signature exists yet, and may still require manual intervention or rule updates.
Examples of actions an IPS can take:
- Kill a malicious executable.
- Stop a suspicious service or process.
- Drop an anomalous network connection.
- Other response actions, depending on the product.
Because an IPS acts automatically, a false positive is no longer just a noisy alert: it blocks legitimate traffic or processes. This is most common when the IPS sees new connections or services it has not been tuned for, which is why new IPS rules are normally deployed in alert-only mode first and switched to blocking only after tuning (allowlisting authorized scanners, adjusting thresholds).
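To make the alert-versus-block distinction concrete, here is an added example (not code from the page or from any vendor's engine): one port-scan detector run first in IDS mode, where it only records an alert, and then in IPS mode, where the same detection also drops the offending source. The traffic, the IP addresses, the "more than 10 distinct ports in 5 seconds" threshold and the allowlist of authorized scanners are all constructed assumptions for illustration; the allowlist shows the tuning step that keeps an IPS from blocking your own vulnerability scanner.

```python
"""Toy network sensor: one port-scan detector run in IDS mode (alert only)
and in IPS mode (alert and drop). Added example with constructed traffic;
addresses, thresholds and the allowlist are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float      # timestamp in seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port


@dataclass
class Sensor:
    mode: str = "ids"                   # "ids": alert only; "ips": alert and drop
    max_ports: int = 10                 # more than this many distinct ports...
    window: float = 5.0                 # ...from one source within this many seconds
    allowlist: frozenset = frozenset()  # authorized scanners, tuned out to avoid false positives
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    alerted: set = field(default_factory=set)
    seen: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(ts, dport)]

    def process(self, pkt: Packet) -> str:
        """Inspect one packet and return the verdict: "pass" or "drop"."""
        if pkt.src in self.blocked:          # IPS: source already blocked
            return "drop"
        if pkt.src in self.allowlist:        # tuning: never alert on authorized scanners
            return "pass"
        # Keep a sliding window of (timestamp, port) per source.
        hist = [(t, p) for t, p in self.seen[pkt.src] if pkt.ts - t <= self.window]
        hist.append((pkt.ts, pkt.dport))
        self.seen[pkt.src] = hist
        distinct_ports = {p for _, p in hist}
        if len(distinct_ports) > self.max_ports:
            if pkt.src not in self.alerted:  # one alert per offending source
                self.alerted.add(pkt.src)
                self.alerts.append(
                    f"port scan: {pkt.src} -> {pkt.dst}, "
                    f"{len(distinct_ports)} ports in {self.window:.0f}s")
            if self.mode == "ips":           # same detection, different action
                self.blocked.add(pkt.src)
                return "drop"
        return "pass"


def build_sample_traffic() -> list:
    """Constructed packet records (not a real capture)."""
    pkts = []
    for i in range(20):   # legitimate client: many connections to one port
        pkts.append(Packet(0.1 * i, "10.0.0.5", "192.168.1.10", 443))
    for i in range(15):   # unauthorized scanner sweeping 15 ports in 1.5 s
        pkts.append(Packet(1.0 + 0.1 * i, "10.0.0.66", "192.168.1.10", 20 + i))
    for i in range(15):   # authorized vulnerability scanner, same behaviour
        pkts.append(Packet(3.0 + 0.1 * i, "10.0.0.99", "192.168.1.10", 20 + i))
    return sorted(pkts, key=lambda p: p.ts)


def run(mode: str, allowlist: frozenset = frozenset()):
    """Replay the sample traffic; return (sensor, number of dropped packets)."""
    sensor = Sensor(mode=mode, allowlist=allowlist)
    verdicts = [sensor.process(p) for p in build_sample_traffic()]
    return sensor, verdicts.count("drop")


if __name__ == "__main__":
    for mode, allow in (("ids", frozenset()), ("ips", frozenset()),
                        ("ips", frozenset({"10.0.0.99"}))):
        sensor, dropped = run(mode, allow)
        print(f"{mode} allowlist={sorted(allow)}: alerts={sensor.alerts} dropped={dropped}")
```

In IDS mode both scanners produce an alert and nothing is dropped. In IPS mode without tuning, the authorized scanner is blocked too (the false positive described above); with it on the allowlist, only the unauthorized source is dropped, starting from the packet that crossed the threshold.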
HIDS/HIPS vs NIDS/NIPS
When an IDS/IPS is focused on protecting a specific machine (host), the acronyms used are:
- HIDS: Host-based Intrusion Detection System
- HIPS: Host-based Intrusion Prevention System
When the focus is to protect the traffic of an entire network, the acronyms are:
- NIDS: Network-based Intrusion Detection System
- NIPS: Network-based Intrusion Prevention System
Many corporate antivirus products on the market already integrate HIDS and HIPS functions, offering detection and response directly on the endpoint.
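A classic HIDS capability is file-integrity monitoring: hash the files that matter, store the baseline, and alert when a later scan differs (this is what agents such as OSSEC and Wazuh do in their syscheck module). The following is an added example, not the page's or any agent's code; the monitored "system" tree, its file contents and the simulated tampering are all constructed in a temporary directory so it runs anywhere.

```python
"""Host-based file-integrity check of the kind a HIDS agent (e.g. OSSEC/Wazuh
syscheck) performs: hash every file under a monitored root, then compare a
later scan against that baseline. Added example; the 'system' directory and
its contents are constructed in a temporary folder so it runs anywhere."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (file_digest(p), p.stat().st_mode & 0o7777)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: content/permission changes, new files, missing files."""
    findings = {"modified": [], "added": [], "removed": []}
    for rel, meta in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
        elif meta != baseline[rel]:
            findings["modified"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in findings.items()}


def demo() -> dict:
    """Build a fake system tree, take a baseline, tamper with it, and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "motd").write_text("Authorized use only.\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        os.chmod(root / "bin" / "ls", 0o755)
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken (constructed, not real malware):
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojanised binary")   # replaced binary
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened config
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF dropped payload")  # new file
        (root / "etc" / "motd").unlink()                                     # deleted file

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A real agent keeps the baseline off-host (or signed), because an attacker with root can otherwise rewrite it along with the files; it also schedules rescans and feeds the findings to a central manager, which is exactly the "centralized view" the EDR section below says a plain HIDS does not necessarily have.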
Examples of attacks detected by IDS/IPS:
- Exploitation of known vulnerabilities (in outdated software or operating systems).
- Botnet activity (zombie machines beaconing to command-and-control).
- Unauthorized port scans.
- ARP cache poisoning attacks.
- IP address conflicts on the network.
- And many others.
IDS/IPS in EDR
Modern EDRs (Endpoint Detection and Response) typically include functions similar to HIDS/HIPS, such as behavior monitoring, blocking malicious processes and detecting local exploitation of vulnerabilities.
However, the difference is worth noting:
- EDR goes beyond traditional HIDS/HIPS: it adds behavioral analysis, automated response, continuous telemetry collection and integration with SIEM/SOAR.
- HIDS/HIPS focuses on local threat detection and blocking, without (necessarily) a centralized response capability or a view of the entire environment.
In other words, an EDR can include IDS/IPS as part of the solution, but it delivers much more than a simple detection/prevention system.
Comparative Table
| Technology | Where it acts | Main action | Automation? | Use example |
|---|---|---|---|---|
| IDS | Host or Network | Detects and alerts suspicious activities | No (only alert) | Detect port scan on the network |
| IPS | Host or Network | Detects and blocks malicious activities | Yes (blocks automatically) | Drop malicious connection from external IP |
| HIDS | Host (machine/endpoint) | Detects and alerts anomalous behavior on the host | No (local alert) | Detect suspicious modification in system files |
| HIPS | Host (machine/endpoint) | Detects and blocks local threats | Yes (blocks processes or connections) | Prevent malware execution on endpoint |
| NIDS | Network | Detects attacks in network traffic | No (only alert) | Identify ARP spoofing attack on the network |
| NIPS | Network | Detects and blocks attacks on the network | Yes (blocks malicious traffic) | Block vulnerability exploit via network |
| EDR | Host (machine/endpoint) | Detects, responds, and investigates incidents (with telemetry and behavioral analysis) | Yes (automated and manual response) | Isolate infected endpoint, collect forensics, kill suspicious process |
- Traditional IDS/IPS are simpler, more direct sensors, typically signature- or threshold-based and without advanced behavioral analysis.
- HIDS/HIPS/NIDS/NIPS only define the protection scope: host or network.
- EDR is the Swiss army knife of the modern endpoint, combining detection, prevention, response, forensic analysis and SIEM/SOAR integration, but it does not replace a network IPS at the edge (NIPS), which is still needed to protect the perimeter and the devices that cannot run an agent.
Market Solutions
IDS / IPS (Network and Host)
| Product | Type | Vendor | Observations |
|---|---|---|---|
| Palo Alto Networks NGFW | NIPS/IPS | Palo Alto | Next-generation firewall with embedded IPS |
| Cisco Firepower | NIPS/IPS | Cisco | Integrates with firewall, NGFW and network IPS |
| Fortinet FortiGate | NIPS/IPS | Fortinet | NGFW + IPS on the same appliance |
| Trend Micro TippingPoint | NIPS/IPS | Trend Micro | Dedicated IPS for large corporate networks |
| Check Point IPS | NIPS/IPS | Check Point | IPS embedded in firewall appliance |
| Snort | NIDS/IPS | Cisco (Talos) | Open source; its engine and rule format are embedded in many firewalls and routers |
| Suricata | NIDS/IPS | OISF (Open Source) | Multi-threaded; the same rules run in detection (IDS) or inline prevention (IPS) mode |
| Zeek (ex-Bro) | NIDS (IDS) | Open Source | Produces rich protocol logs; excellent for traffic analysis and hunting, not for inline blocking |
Almost every NGFW (Next Generation Firewall) already comes with an embedded IPS (Palo Alto, FortiGate and Cisco Firepower, for example).
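As an added example of how the alert-versus-block distinction looks in a real engine, here is one Suricata signature written first as a detection-only rule and then as a prevention rule. These rules are not from the page or from the Suricata project; the `sid` values are from the local-use range and the message text is an assumption. Both match a `../` sequence in the normalized HTTP URI, a generic traversal pattern rather than any specific vulnerability.

```suricata
# Detection only: the engine logs an alert and lets the request through.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL directory traversal pattern in HTTP URI"; flow:established,to_server; http.uri; content:"../"; classtype:web-application-attack; sid:1000001; rev:1;)

# Prevention: identical match, but the action is drop. The packet is only
# really dropped when Suricata runs inline (NFQUEUE or AF_PACKET IPS mode);
# on a passive SPAN/TAP deployment the same rule just produces an alert.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL directory traversal pattern in HTTP URI"; flow:established,to_server; http.uri; content:"../"; classtype:web-application-attack; sid:1000002; rev:1;)
```

The usual workflow is to ship a new signature as `alert`, watch the false-positive rate for a while, and only then promote it to `drop`, since an inline false positive breaks legitimate traffic.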
🖥️ HIDS / HIPS (Host)
| Product | Type | Vendor | Observations |
|---|---|---|---|
| Wazuh | HIDS | Open Source | OSSEC fork with dashboard and integrated SIEM |
| OSSEC | HIDS | Open Source | One of the most used on Linux and Windows; lightweight |
| Trend Micro Apex One | HIPS | Trend Micro | HIPS focused on corporate endpoint |
- Modern EDRs typically include embedded HIPS functions (e.g., CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint). In practice, a good EDR already covers most of the host-side IDS/IPS needs, so the remaining effort goes into network IDS/IPS (NIDS/NIPS).
- For large corporate networks: Palo Alto NGFW, FortiGate or Cisco Firepower at the perimeter, plus an EDR such as CrowdStrike Falcon or SentinelOne on the endpoints.
It's still the same old story: in security, the best solutions are the paid ones.