Intrusion Prevention System (IPS) vs Intrusion Detection System (IDS)

A firewall is often overlooked when thinking about your normal business operations, but that little box handles many critical processes, especially at the perimeter of your organization.

Unless you’re a network engineer, you probably don’t get a chance to appreciate much of the firewall functionality that allows traffic to flow safely. Of the many features of a firewall, a critically important one is the Intrusion Prevention System (IPS).

What is an Intrusion Prevention System?

An Intrusion Prevention System (IPS) is a component of network security that is used to proactively identify potential threats or attacks and respond to them promptly. The IPS handles the process of deep-packet inspection for patterns and anomalies that may indicate an attack.

An IPS monitors network traffic and can immediately respond to malicious traffic while forwarding legitimate traffic to the recipient without delay.

How does an Intrusion Prevention System Work?

The IPS works by checking data flows against a list of known vulnerabilities configured in the firewall. Those vulnerabilities are classified through the Common Vulnerabilities and Exposures (CVE) system, which catalogs and details known vulnerabilities in software. This process is known as signature-based detection.

IPS vs IDS vs Firewall

When discussing network traffic, three terms that repeatedly come up are Firewall, Intrusion Prevention System (IPS), and Intrusion Detection System (IDS). There are a few differences between the three regarding how traffic is analyzed.

  • An IDS is a passive system that logs events by comparing packets of current network traffic against known CVEs.
  • An IPS also logs, but it works in real time to perform actions as directed by the IPS rules. Most likely, this action is to drop known bad traffic that has been identified according to packet headers and payload. The IPS provides proactive denial, as it blocks malicious traffic before it gets to your network.
  • The firewall itself analyzes traffic packet headers and then directs traffic based on rules set in the firewall, such as source address or destination address.

All three terms refer to traffic that comes into the network from outside sources. However, sometimes traffic heading from inside the network to a destination outside it is monitored as well.
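The three roles compared above, as an added example that is not part of the original article or any vendor's code: the same constructed packets pass through a header-only firewall and then a signature engine running in IDS mode (log, still forward) or IPS mode (log and drop). The signature IDs, addresses and rules are assumptions made for illustration, and a real IDS usually sits out of band rather than in the forwarding path.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes

# Constructed signatures; the IDs are placeholders, not real CVE numbers.
SIGNATURES = {
    "SIG-EXAMPLE-0001": re.compile(rb"\.\./\.\./"),          # path traversal
    "SIG-EXAMPLE-0002": re.compile(rb"(?i)union\s+select"),  # SQL injection
}
# Header-only firewall rules (source network, destination port, action); first match wins.
FIREWALL_RULES = [
    ("203.0.113.0/24", None, "drop"),  # None = any port
    ("0.0.0.0/0", 443, "allow"),
]
# Constructed sample traffic (documentation address ranges).
PACKETS = [
    Packet("198.51.100.7", 443, b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.8", 443, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.5", 443, b"GET / HTTP/1.1"),
    Packet("198.51.100.9", 22, b"SSH-2.0-client"),
]

def firewall(pkt):
    """Decide on packet headers only; anything unmatched is dropped."""
    src = ipaddress.ip_address(pkt.src)
    for net, port, action in FIREWALL_RULES:
        if src in ipaddress.ip_network(net) and port in (None, pkt.dport):
            return action
    return "drop"

def inspect(pkt, mode, log):
    """mode 'ids': log signature hits, still forward. mode 'ips': log and drop."""
    if firewall(pkt) == "drop":
        return "drop"
    hits = [sid for sid, rx in SIGNATURES.items() if rx.search(pkt.payload)]
    log.extend((mode, sid, pkt.src) for sid in hits)
    return "drop" if hits and mode == "ips" else "forward"

def run(mode):
    log = []
    return [inspect(p, mode, log) for p in PACKETS], log

if __name__ == "__main__":
    print(run("ids"), run("ips"))
```

Both modes write the same log entry for the second packet; only the IPS changes its verdict from forward to drop.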

Advanced Threat Protection

Sophos, a provider of enterprise security software, utilizes a technology called Advanced Threat Protection (ATP) to stop malicious activity in its tracks. ATP monitors traffic heading out from your network. If this traffic is heading to a suspicious IP address, often associated with a command-and-control server, ATP will trigger an email alert to our Unified Defense Strategy Technicians (our managed service provider specialists) who will analyze the destination IP, host IP, and the consistency of this traffic. This information will determine if a machine is infected and needs to be taken off your network.

Much like malicious traffic identified by an IPS, malicious traffic identified by ATP is dropped by default.


Why choose a managed service provider to help you manage and protect your network traffic? To keep pace with the rapidly changing threat landscape. Our Perimeter Protect clients are continuously monitored and set up with a pre-defined list of over 3,000 IPS signatures against known threats. These signatures are updated four times an hour to ensure the firewall is protecting against the latest known threats. All new CVEs added to that database are then added to the categories selected during the firewall setup. This, of course, is a small but important part of good overall cybersecurity hygiene.