Systems that monitor for and respond to malicious network activity.
While firewalls are excellent at blocking known bad traffic based on rules, they may not catch more sophisticated attacks. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) provide a more advanced layer of security by actively analyzing network traffic for signs of an attack.

An Intrusion Detection System (IDS) is a passive monitoring tool. It 'listens' to network traffic (often by receiving a copy of it from a switch) and analyzes it for suspicious patterns or known attack signatures. If a potential threat is detected, the IDS generates an alert so that a security administrator can investigate and take action. Because the IDS does not sit in the direct path of traffic, it cannot block the attack itself, and a skilled attacker might be able to evade detection.

An Intrusion Prevention System (IPS) is an active, inline device. It sits directly in the path of network traffic, like a firewall. An IPS performs the same analysis as an IDS, but when it detects a threat it can take immediate action to block it: dropping the malicious packets, blocking traffic from the source IP address, or resetting the connection. Because it is inline, an IPS can prevent an attack from succeeding, but it also introduces a potential single point of failure, and if a rule is misconfigured or matches benign traffic (a 'false positive'), it will block legitimate traffic.

Both IDS and IPS can use signature-based detection (looking for known attack patterns) or anomaly-based detection (looking for deviations from a baseline of normal network behavior).
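To make the IDS/IPS distinction and the two detection methods concrete, here is an added example (not part of the original text and not any real product's code) that runs both a signature check and a rate-based anomaly check over a small set of constructed connection records. The signature set, the baseline history, the `k` threshold factor and the record format are all assumptions chosen for illustration; real sensors such as Snort or Suricata carry thousands of rules and inspect reassembled streams rather than single strings. The `mode` argument shows the behavioural difference: in `"ids"` mode every record is forwarded and only alerts are produced, while in `"ips"` mode flagged records are dropped, which is also how a false positive turns into blocked legitimate traffic.

```python
from __future__ import annotations

import re
import statistics
from collections import Counter
from dataclasses import dataclass


def conn(src: str, payload: str, dport: int = 80) -> dict:
    """Build one constructed connection record (sample data, not captured traffic)."""
    return {"src": src, "dst": "10.0.1.10", "dport": dport, "payload": payload}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern


# Hypothetical, deliberately tiny signature set: each entry is a known-bad pattern
# an administrator would want an alert on when it appears in a request.
SIGNATURES = [
    Signature("path-traversal", re.compile(r"\.\./")),
    Signature("sensitive-file-request", re.compile(r"/etc/passwd")),
]

# Constructed "normal" history used to learn what a typical per-source volume looks like.
BASELINE_HISTORY = (
    [conn("10.0.0.5", "GET / HTTP/1.1")] * 3
    + [conn("10.0.0.6", "GET / HTTP/1.1")] * 2
    + [conn("10.0.0.7", "GET / HTTP/1.1")] * 3
    + [conn("10.0.0.8", "GET / HTTP/1.1")] * 2
)

# Constructed traffic window to analyse: two clean requests, one that trips both
# signatures, one benign request that trips a signature (a false positive), and one
# source making far more connections than the baseline (a rate anomaly).
SAMPLE_TRAFFIC = [
    conn("10.0.0.5", "GET /index.html HTTP/1.1"),
    conn("10.0.0.5", "GET /about.html HTTP/1.1"),
    conn("10.0.0.9", "GET /../../etc/passwd HTTP/1.1"),
    conn("10.0.0.6", "GET /docs/etc/passwd-format.html HTTP/1.1"),
] + [conn("10.0.0.20", "", dport=8000 + p) for p in range(8)]


def signature_matches(payload: str) -> list[str]:
    """Signature-based detection: names of every signature found in the payload."""
    return [s.name for s in SIGNATURES if s.pattern.search(payload)]


def build_baseline(history: list[dict]) -> tuple[float, float]:
    """Anomaly-based detection, step 1: mean and population stdev of connections per source."""
    counts = Counter(rec["src"] for rec in history)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomalous_sources(traffic: list[dict], baseline: tuple[float, float], k: float = 3.0) -> set[str]:
    """Anomaly-based detection, step 2: sources whose volume exceeds mean + k*stdev.

    The stdev is floored at 1.0 so a very uniform baseline does not produce a
    zero-width band that flags every source."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    counts = Counter(rec["src"] for rec in traffic)
    return {src for src, n in counts.items() if n > threshold}


def analyze(traffic: list[dict], baseline: tuple[float, float], mode: str = "ids") -> tuple[list, list]:
    """Return (alerts, forwarded).

    mode="ids": passive; every record is forwarded, flagged ones also raise an alert.
    mode="ips": inline; flagged records are dropped instead of forwarded."""
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}")
    bad_sources = anomalous_sources(traffic, baseline)
    alerts, forwarded = [], []
    for rec in traffic:
        reasons = signature_matches(rec["payload"])
        if rec["src"] in bad_sources:
            reasons.append("rate-anomaly")
        if reasons:
            alerts.append((rec["src"], reasons))
            if mode == "ips":
                continue  # drop the record: this is the only action an IDS cannot take
        forwarded.append(rec)
    return alerts, forwarded


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_HISTORY)
    for mode in ("ids", "ips"):
        alerts, forwarded = analyze(SAMPLE_TRAFFIC, baseline, mode=mode)
        print(f"{mode}: {len(alerts)} alerts, {len(forwarded)}/{len(SAMPLE_TRAFFIC)} records forwarded")
```

Running it shows the trade-off the text describes: in IDS mode all 12 records reach their destination and 10 alerts are raised for an administrator to triage; in IPS mode only the 2 clean requests are forwarded. Note that the request for `/docs/etc/passwd-format.html` is benign but matches the `sensitive-file-request` signature, so the IPS drops it too, which is exactly the false-positive cost of inline blocking.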