Question

Intrusion detection systems have fundamental flaws in their designs and functionalities. Intrusion detection does not necessarily prevent intrusions. As more organizations encrypt traffic, it becomes increasingly difficult to track intrusions because IDSs have no capabilities to examine encrypted traffic and are, therefore, unable to recognize problems and create alerts. Engineers rely heavily on IDSs to fight hackers. If configured improperly, the IDS will generate false positive alerts, which can be disastrous to the organization. Too many alerts can cause security administrators to become complacent and overlook important events. Several studies have shown that detections of negative security events can take over six months.

In this discussion, you are going to look at the role of IDSs in protecting digital assets. Research a minimum of three industry publications (e.g., National Institute for Standards & Technology [NIST], Institute of Electrical and Electronic Engineers [IEEE], Internet Engineering Taskforce [IETF], etc.) on this topic. Address the differences and similarities between IDS and intrusion protection systems (IPS). Explain some of the difficulties associated with configuring and maintaining IDSs, given the changing pattern of traffic on networks. Considering these issues, explain why organizations rely heavily on IDSs, even though they do not prevent hackers from penetrating an infrastructure. Support your statements with evidence from your sources.

Your initial post should be a minimum of 250 words.

Answer 1

Difference between IDS and IPS

IDS are used for monitoring and detecting malicious packets or files in network while IPS act as a control system or protective software against malicious packets .

IDS on detecting malicious packets do not take action on their own while IPS can take action like accept or reject packet according to their predefined rules.

IDS need human intervention or some other software to see their results while IPS have database which gets updated regularly so they just need to have a good database to take any action.

Similarly between IPS and IDS

Both are capable of reading incoming packet to check for any threat which are already known or stored in their database.

There are lot of difficulties associated with IDS like for every new attack that happen has to be updated in database and rules has to be defined manually. Also rules has to be defined so that a known attack can be detected even it tries to bypass ids. Also IDS are not able to detect small packets containing little malicious attacks which combines at the server side so IDS has to be manually designed for these things.

But due to many limitations on IDS company mainly resides on IDS because it helps in discovering zero day attacks. They sometime also lure attacker to attack in their Honeypot so they can know attackers thinking and they can make their original system more protective.