Introduction: Security Eyes Beyond the Firewall

If the firewall we examined in Part 3 acts as the network's 'gatekeeper', then IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) serve as the network's 'surveillance cameras' and 'security guards'. The core function of IDS/IPS is to detect and respond to malicious activity even within traffic that the firewall has allowed.

Today's cyber attacks are becoming increasingly sophisticated. Simply blocking ports is insufficient to prevent web application attacks, zero-day vulnerability exploitation, and APTs (Advanced Persistent Threats). In this Part 4, we will explore IDS/IPS concepts, detection methods, and hands-on installation and configuration of the representative open-source solutions Snort and Suricata.

1. IDS vs IPS: Understanding the Differences

1.1 IDS (Intrusion Detection System)

IDS is a system that monitors network traffic or system activity to detect suspicious activity or policy violations and generates alerts. IDS operates passively, analyzing copies of traffic without blocking it.

IDS Operation Method:
┌─────────┐     ┌─────────┐     ┌─────────┐
│ Internet│────▶│ Switch  │────▶│ Server  │
└─────────┘     └────┬────┘     └─────────┘
                     │ (Mirroring/SPAN)
                     ▼
               ┌─────────┐
               │   IDS   │ → Detection → Alert Generated
               └─────────┘

Characteristics of IDS:

  • Analyzes traffic copies (Out-of-Band)
  • Only generates alerts after detection, does not block directly
  • No impact on network performance
  • No service impact even with false positives

1.2 IPS (Intrusion Prevention System)

IPS adds real-time blocking capability to the IDS detection function. Deployed inline on the traffic path, it can immediately block malicious traffic.

IPS Operation Method:
┌─────────┐     ┌─────────┐     ┌─────────┐
│ Internet│────▶│   IPS   │────▶│ Server  │
└─────────┘     └─────────┘     └─────────┘
                     │
                Detection → Block OR Allow

Characteristics of IPS:

  • Deployed directly on traffic path (Inline)
  • Can block malicious traffic immediately upon detection
  • May introduce latency
  • Risk of blocking legitimate services on false positives

1.3 IDS and IPS Comparison

| Category              | IDS                     | IPS                                 |
|-----------------------|-------------------------|-------------------------------------|
| Deployment Method     | Out-of-Band (Mirroring) | Inline (Serial Connection)          |
| Response Method       | Detection and Alert     | Detection and Blocking              |
| Network Impact        | None                    | Potential Latency                   |
| False Positive Impact | Alert Only              | Risk of Blocking Legitimate Traffic |
| On Failure            | Monitoring Stops        | Network Outage (without bypass)     |
| Use Case              | Monitoring, Analysis    | Real-time Threat Blocking           |

Practical Tip: Many organizations initially operate in IDS mode to tune detection rules, then switch to IPS mode once stabilized.

2. Detection Methods

2.1 Signature-based Detection

Signature-based detection compares traffic against known attack patterns (signatures), much like the pattern matching used by antivirus software.

Operating Principle:

Packet → Compare with Signature DB → Alert/Block on Match
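The Packet → Signature DB → Alert/Block flow above, combined with the alert-only (IDS) versus inline-drop (IPS) distinction from Section 1, as an added Python illustration that is not part of this article or of Snort/Suricata: the signature set and the sample requests are constructed, and the third signature is deliberately over-broad so the false-positive difference between the two modes is visible.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed signature set for illustration (plain regexes, not Snort/Suricata rule syntax).
# Checked in order; the last entry is deliberately over-broad to show a false positive.
SIGNATURES = [
    (1000001, "SQLi tautology ' OR '1'='1", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I)),
    (1000002, "XSS <script> tag", re.compile(r"<script\b", re.I)),
    (1000003, "Over-broad: bare OR keyword", re.compile(r"\bOR\b", re.I)),
]

# Constructed sample requests standing in for packet payloads.
PACKETS = [
    "GET /search?q=shoes HTTP/1.1",
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",
    "GET /comment?text=<script>alert(1)</script> HTTP/1.1",
    "GET /search?q=coffee OR tea HTTP/1.1",  # legitimate, but trips rule 1000003
]

@dataclass
class Verdict:
    packet: str
    sid: Optional[int]   # id of the first matching signature, None when clean
    action: str          # "allow", "alert" (IDS mode) or "drop" (IPS mode)

def inspect(packet: str, mode: str = "ids") -> Verdict:
    """Packet -> compare with signature DB -> alert (IDS) or block (IPS) on match."""
    for sid, _msg, pattern in SIGNATURES:
        if pattern.search(packet):
            return Verdict(packet, sid, "alert" if mode == "ids" else "drop")
    return Verdict(packet, None, "allow")

def run_sensor(packets: List[str], mode: str = "ids") -> Tuple[List[str], List[Verdict]]:
    """Return (packets that reach the server, alerts raised).
    IDS inspects a copy, so every packet is forwarded; IPS sits inline and withholds drops."""
    forwarded, alerts = [], []
    for p in packets:
        v = inspect(p, mode)
        if v.sid is not None:
            alerts.append(v)
        if v.action != "drop":
            forwarded.append(p)
    return forwarded, alerts

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, alerts = run_sensor(PACKETS, mode)
        print(f"{mode.upper()}: forwarded {len(fwd)}/{len(PACKETS)}, alerts {[a.sid for a in alerts]}")
```

In IDS mode all four requests reach the server and three alerts are raised; in IPS mode the same three signatures drop the requests, including the legitimate "coffee OR tea" search, which is exactly the false-positive cost the comparison table warns about.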

Signature Examples:
- SQL Injection: "' OR '1'='1"
- XSS Attack: "