Network level and host level intrusion detection systems (IDS) and intrusion prevention systems (IPS) are a very powerful way to protect your network. Many Layer 7 / next generation / application level firewalls, such as Palo Alto, Fortinet and Check Point, provide deep packet inspection, analyze session level traffic, filter on applications and work as an IPS/IDS as well.

An IDS or IPS inspects network traffic for known attacks and for irregularities. Detection is either signature based, matching traffic against patterns of attacks already seen in the wild, or heuristic/behavioral based, flagging deviations from a baseline of normal activity. Behavioral detection can catch novel attacks but produces a great many false positives. Signature based detection has a low false positive rate, but it can only catch what it has a signature for: a new or slightly modified attack passes unnoticed, and the signature set must be kept up to date.

If an IPS can block traffic while an IDS only alerts on potentially malicious activity, why not just implement an IPS and both detect and block traffic, like a firewall? The reason is that an IPS must sit inline to work, and inspecting every packet deeply in the traffic path can cause one or both of two things: added latency, meaning slow traffic and unhappy users, and/or the need for a faster pipe or a bigger appliance, increasing costs to the business. Because it is inline it is also a point of failure, so you must decide whether it fails open (traffic passes uninspected) or fails closed (traffic stops) when it is overloaded or down. Also an IPS, especially a heuristic based one, can block legitimate traffic on a false positive, and this is not good.

An IDS can use a SPAN (mirror) port on a switch or a network tap, so it sits out of band, adds no latency to the traffic path and will not block legitimate traffic, or any traffic for that matter. The trade off is that it only protects you if someone acts on the alerts. If you have a small to midsized organization and can aggressively follow up on the alerts from the IDS, this may be a good option.
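To make the two distinctions above concrete (signature versus behavioral detection, and alerting versus blocking), here is a small added example in Python. It is not code from the original article or from any vendor product. The packet sample, the single SQL injection signature, the port scan threshold and the IP addresses are all constructed for illustration; a real sensor would work from parsed packets and a maintained rule set.

```python
"""Toy sensor: signature matching vs. a behavioral heuristic, run in IDS (alert
only) or IPS (inline, drop) mode. Added example with constructed data."""
import re
from collections import defaultdict

# Constructed sample traffic: (source IP, destination port, payload bytes).
#   10.0.0.5  - normal web client that also sends one known SQLi probe
#   10.0.0.42 - sends a variant of the probe that the signature does not cover
#   10.0.0.9  - legitimate monitoring host that polls many service ports
#   10.0.0.77 - attacker sweeping ports 20-39
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", 80, b"GET /login?user=admin'%20OR%201=1-- HTTP/1.1"),
    ("10.0.0.5", 443, b"\x16\x03\x01"),
    ("10.0.0.42", 80, b"GET /login?user=admin'%20OR%202=2-- HTTP/1.1"),
    ("10.0.0.9", 22, b""), ("10.0.0.9", 80, b""), ("10.0.0.9", 443, b""),
    ("10.0.0.9", 3306, b""), ("10.0.0.9", 5432, b""), ("10.0.0.9", 6379, b""),
] + [("10.0.0.77", port, b"") for port in range(20, 40)]

# Hypothetical signature rules: (name, regex over the payload). Matches the
# classic "' OR 1=1" probe, URL-encoded or not; it does NOT match "' OR 2=2".
SIGNATURES = [
    ("sqli-or-1eq1", re.compile(rb"(?i)'(%20|\s)*or(%20|\s)+1=1")),
]

# Behavioral heuristic: more than this many distinct destination ports from
# one source in the window counts as a port scan (window = whole sample here).
PORT_SCAN_THRESHOLD = 5


def signature_match(payload):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return None


def inspect(traffic, mode="ids", scan_threshold=PORT_SCAN_THRESHOLD):
    """Run the sensor over packets in order.

    Returns (alerts, forwarded). In 'ids' mode every packet is forwarded and
    findings only produce alerts; in 'ips' mode a packet with a finding is
    dropped, so a false positive also drops legitimate traffic.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts, forwarded = [], []
    ports_seen = defaultdict(set)
    for src, dport, payload in traffic:
        verdict = None
        name = signature_match(payload)
        if name:
            verdict = "signature:" + name
        ports_seen[src].add(dport)
        if verdict is None and len(ports_seen[src]) > scan_threshold:
            verdict = "heuristic:port-scan"
        if verdict:
            alerts.append((src, dport, verdict))
            if mode == "ips":
                continue  # inline: packet is dropped, never reaches the host
        forwarded.append((src, dport, payload))
    return alerts, forwarded


def summarize(alerts):
    """Map each alerting source to the set of verdicts raised against it."""
    out = defaultdict(set)
    for src, _, verdict in alerts:
        out[src].add(verdict)
    return dict(out)


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(SAMPLE_TRAFFIC, mode=mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)}/{len(SAMPLE_TRAFFIC)} packets forwarded")
        for src, verdicts in sorted(summarize(alerts).items()):
            print(f"  {src}: {sorted(verdicts)}")
```

Running it shows the four behaviors the text describes: the known probe from 10.0.0.5 is caught by signature, the variant from 10.0.0.42 is missed entirely (no signature, no anomaly), the port sweep from 10.0.0.77 is caught by the heuristic, and the monitoring host 10.0.0.9 trips the same heuristic. In IDS mode that last one is just an alert to triage; in IPS mode the monitoring host's polling is dropped along with the attacker's, which is exactly the false positive cost of putting a heuristic inline.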


Either an IDS or an IPS may work depending on your environment, and one of them should be an important part of any security program. Most major vendors have good options; the one you choose will depend on your budget and the functionality that you seek.