- Firewall - A device or application that analyzes packet headers and enforces policy based on protocol type, source address, destination address, source port, and/or destination port. Packets that do not match policy are rejected.
- Intrusion Detection System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event.
- Intrusion Prevention System - A device or application that analyzes whole packets, both header and payload, looking for known events. When a known event is detected the packet is rejected.
The line is blurring somewhat as technological capacity increases, platforms are integrated, and the threat landscape shifts.
- Firewall - a traditional firewall is a rules-based engine that analyzes packet headers based on protocol type, source address, destination address, source port, and/or destination port. If the packets do not match the firewall rules, they will be dropped. There is something called a Next-Generation Firewall (NGFW). This can make a single device act as both a traditional firewall and an IPS.
- Intrusion Detection System (IDS) - An IDS is designed to analyze whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated detailing the event. The IDS contains a database of known attack signatures and it compares the inbound traffic against the database. If an attack is detected, then the IDS reports the attack. The main function of an IDS product is to warn you of suspicious activity taking place, but not to prevent it. The major flaw is that they produce a lot of false positives.
- Intrusion Prevention System (IPS) - The IPS sits between your firewall and the rest of your network, because it can stop the suspected traffic from getting to the rest of the network. The IPS monitors the inbound packets and what they are really being used for before deciding to let the packets into the network. An IPS will inspect the content of the request and be able to drop, alert, or potentially clean a malicious network request based on that content. The determination of what is malicious is based either on behavior analysis or on signatures.
- A firewall is a rule-based engine, but an IDS also uses its own huge database to detect intrusions. An IDS evaluates a suspected intrusion once it has taken place and warns an administrator. An IDS also watches for attacks that originate from within a system. An IDS is not a replacement for a firewall or a good antivirus program. An IDS should be considered a tool to use in conjunction with your standard security products (like anti-virus and a firewall) to increase your system-specific or network-wide security. So, I hope we can’t replace an IDS device with a firewall.
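The distinction the answers above draw (firewall decides on header fields only; IDS inspects the payload and logs; IPS inspects the payload and drops) as an added example in Python, not code from any of the posters. Packets, the allow rule and the single signature are constructed sample data; note that the path-traversal request passes the firewall because its header is perfectly ordinary.

```python
# Constructed sample traffic: a 5-tuple header plus the application payload.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40000, "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40001, "dport": 80,
     "payload": b"GET /../../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40002, "dport": 23,
     "payload": b"admin\r\n"},
]

# Firewall policy (header fields only). Packets matching no allow rule are dropped.
FIREWALL_ALLOW = [{"proto": "tcp", "dst": "192.0.2.10", "dport": 80}]

# Constructed signature database shared by the IDS and IPS: byte patterns in the payload.
SIGNATURES = {"sig-001 path traversal in HTTP request": b"../"}


def firewall_allows(pkt, allow_rules=FIREWALL_ALLOW):
    """True if some allow rule matches every header field it names; payload is never read."""
    return any(all(pkt[k] == v for k, v in rule.items()) for rule in allow_rules)


def signature_hits(pkt, sigs=SIGNATURES):
    """Shared IDS/IPS step: search the payload for known signatures."""
    return [name for name, pattern in sigs.items() if pattern in pkt["payload"]]


def ids_verdict(pkt):
    """IDS: inspect the payload and record an alert, but always let the packet through."""
    return {"action": "pass", "alerts": signature_hits(pkt)}


def ips_verdict(pkt):
    """IPS: same inspection, but a signature hit rejects the packet."""
    hits = signature_hits(pkt)
    return {"action": "drop" if hits else "pass", "alerts": hits}


def process(packets=PACKETS):
    """Run each packet through firewall -> IDS (out of band) and IPS (inline), keyed by sport."""
    report = {}
    for pkt in packets:
        entry = {"firewall": "allow" if firewall_allows(pkt) else "drop", "ids": None, "ips": None}
        if entry["firewall"] == "allow":  # only traffic the firewall admits reaches the inspectors
            entry["ids"] = ids_verdict(pkt)
            entry["ips"] = ips_verdict(pkt)
        report[pkt["sport"]] = entry
    return report


if __name__ == "__main__":
    for sport, entry in process().items():
        print(sport, entry)
```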