Which of the following best describes how an IPS is similar to an IDS? (Select the best answer.)
They both sit in the path of network traffic.
Neither sits in the path of network traffic.
They both prevent malicious traffic from infiltrating the network.
They can both use signatures to detect malicious traffic.
Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) devices are similar in that they can
both use signatures to detect malicious traffic. Patternmatching IDS and IPS devices use specific strings of text
called signatures to detect malicious traffic. The primary benefit of signaturebased detection methods is that the
number of false positives generated is typically low. However, signaturebased detection methods do not provide
adequate protection against new attacks. Although signatures can be added as new threats are found, there is
always a delay between the time a threat is released and the time a signature is developed to detect the threat.
IPS devices typically sit inline in the path of network traffic? however, IDS devices typically do not. Because
traffic flows through an IPS, an IPS can detect malicious traffic as it enters the IPS device and can prevent the
malicious traffic from infiltrating the network. An IPS can work in conjunction with a network firewall? however,
Cisco recommends deploying an IPS on the inside interface of the firewall in order to prevent the IPS from
wasting resources by analyzing traffic that will ultimately be blocked by the firewall. This enables the IPS to
efficiently analyze the traffic that the firewall permits onto the network, rather than processing every inbound
By contrast, an IDS device merely sniffs the network traffic by using a promiscuous network interface. Because
network traffic does not flow through an IDS device, the IDS device can detect malicious traffic but cannot
prevent it from infiltrating the network. When an IDS detects malicious traffic, it can alert other network devices
in the traffic path so that further traffic can be blocked. In addition, an IDS can be configured to send aTransmission Control Protocol (TCP) reset notification or an Internet Control Message Protocol (ICMP)
unreachable message to the source and destination addresses.
Protocolbehavior IDS and IPS devices use rules to detect protocol traffic that does not follow standard methods
of operation. The rules used by protocolbehavior devices are usually based on the Request for Comment (RFC)
documents that define each protocol. Although protocolbehavior devices can detect nonstandard traffic, there is
no way to know for sure whether the traffic is caused by a malicious user or by a poorly coded application.
Therefore, protocolbehavior devices have a higher rate of false positives.
Anomalydetection IDS and IPS devices detect abnormalities in network traffic behavior. To enable
anomalydetection devices to detect abnormalities in traffic, the devices must first take a baseline reading of
what normal network traffic patterns are like. Once the baseline is taken, an anomalydetection device will
compare future traffic against the baseline to detect abnormal traffic flows. Anomalydetection devices have a
higher false positive rate, but they are capable of detecting new attacks.
CCNA Security 210260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462 Cisco:
Cisco IPS Mitigation Capabilities