Basics
An IDS is a technical detective control.
An IPS is a technical preventative control.
An anti-virus program is a technical preventative control.
Associating these three control types to an IDS, IPS, and anti-virus will take you far in remembering the basic concept for the exam.
Preventative Control: Spans administrative, technical, and physical controls to stop threats and risk to a system before it occurs. An IPS and an anti-virus program are preventative controls because they prevent unauthorized access or modification to the network or host.
The concept of preventative control is that they are supposed to stop a threat from exploiting a risk, before any damage is done.
Detective Control: A security control that is used after an incident has occurred. It is not meant to prevent attacks, it is meant to investigate incidents after they have occurred. Real world examples of detective controls include CCTV, firewall logs, job rotation, guest sign-in books and actual police detectives.
IDS and IPS
An IDS and IPS can be both software or physical devices.
They both have a database of known malicious signatures which are perpetually being updated. An IPS/IDS compares these up-to-date signatures to that of the traffic coming into the network.
This is an example of a physical IPS. This particular device is made by IBM - a GX4004 IPS.
An IPS uses a signature-based database to prevent malicious attacks from coming into the network. If an actual malicious attack had made it past the firewall for example, an IPS may be the last line of defense before it reaches the organization's internal network.
In the graphic below, the IPS is built into the firewall and is inline with the incoming traffic. In this case, the firewall is a Checkpoint firewall, and the IPS is software built into the firewall. Either way, traffic will first hit the firewall, then get passed to the IPS for further inspection.
When an IPS is already built into the firewall and just needs to be activated via a license key, that is a type of software IPS. It is not an actual hardware device.
An IDS on the other hand, does not prevent anything. It is only used to collect logs which are then examined later. The keyword being "later", as in, after traffic has hit the IDS, and has moved onto the internal network.
Exam Tip: An IPS is inline, meaning it sits directly in front or behind a firewall or router and traffic passes through it. In the image above, an IDS sits off to the side of the network collecting logs. It does not have traffic pass through it.
So why get an IDS over an IPS? Why wouldn't we want to prevent attacks all the time?
It depends on the needs and security policies of the company. In a small organization without a lot of network traffic, an IDS can be configured to send alerts to the security administrator in case of an attack that is happening. The organization would only want to be notified of any incidents, but not really have the desire to do any kind of prevention.
Why not have a prevention device instead of just a detecting device?
IPS devices are more expensive
An IPS that is misconfigured can potentially block or prevent legitimate traffic to the network, which can cause disruptions to the organization.
For example, a new IPS can start blocking 443 traffic
A company might decide they would rather allow everything in, instead of taking the chance of an IPS blocking something legitimate and impacting their users
Anti-Virus
An anti-virus program is completely different from an IDS or IPS.
Anti-virus programs don't scan networks, because anti-virus programs don't scan packets, they scan files or objects.
An anti-virus program is also a PROGRAM. It's not a piece of hardware like an IPS or IDS. It's software, it's an application. I've never heard of a hardware based anti-virus program. Let me know if there is one!
Anti-virus programs scan FILES.
IDS/IPS devices and software scan network PACKETS, network traffic.
They do not sit inline or off to the side of a network, they are installed on a device just like any other piece of software.
IDS and IPS are usually network devices that inspect network packets.
While an anti-virus program is a piece of software that inspects malicious files on a host device.
For the most part, both use the concept of signature-based databases.
An IDS/IPS is not really comparable to an anti-virus program though, so the title of this blog post is a little misleading. They serve to perform different functions.
Also, think of an IPS/IDS as a network perimeter protection.
While an anti-virus program is for endpoint or host protection.
Thanks for reading.