IDS, IPS, and Network Monitoring
Firewalls decide what is allowed; intrusion detection and prevention systems watch what actually flows and flag or block what looks malicious. An IDS alerts, an IPS blocks inline, and both rely on either signatures (known-bad patterns) or anomalies (deviations from normal). This topic covers where to place them, the signature-versus-anomaly tradeoff, and why encrypted traffic and false positives make network detection harder than it sounds.
These sensors feed Priya's SOC in Chapter 10 — but only if they are tuned well enough that their alerts are worth reading.
IDS vs IPS
An IDS is a passive observer that raises alerts — safe, but reactive: by the time you see the alert, the traffic has already passed. An IPS sits inline and can drop malicious traffic in real time — active, but now a false positive blocks real users, and a failure of the device can break the network. The choice is detection latency against availability risk, and many teams run IPS only on high-confidence signatures and IDS on the noisier rules.
Signature vs Anomaly Detection
Signatures catch known attacks precisely but miss anything novel. Anomaly and behavioral detection can catch the unknown but drown in false positives without careful baselining of what normal looks like. Production systems blend both — signatures for the known threats, behavioral models for the deviations — because neither alone is sufficient.
Placement and the Encryption Blind Spot
Sensors at the perimeter, between zones, and on the host each see different things, and a network IDS is blind to what it cannot see — which increasingly means encrypted traffic. As TLS becomes universal, network inspection sees metadata (flow volumes, SNI, JA3/TLS fingerprints) but not payloads, which pushes detection toward endpoints (Chapter 7) and flow analysis. Place sensors to cover east-west traffic between zones, not just the perimeter, since post-foothold movement is where the real damage path opens.
The False-Positive Problem
An IDS that cries wolf gets muted, and a muted sensor is no sensor. Tuning to your environment and prioritizing high-fidelity alerts is the difference between a useful IDS and expensive shelfware. The measure of a detection system is not how many alerts it generates but how many of them a human can act on — which is exactly the theme Chapter 10 builds into detection engineering.
IDS — out-of-band, alert-only, zero availability risk; but the attack has already happened when you get the alert.
IPS — inline, blocks in real time; but a false positive drops legitimate traffic and the device sits in the critical path. Many run IPS on high-confidence signatures and IDS on the noisier ones.
- Deploying an IPS on noisy anomaly rules and taking down legitimate traffic, then loosening it into uselessness after the first outage.
- Signature-only detection that misses anything novel, or anomaly-only detection that is never baselined and just generates noise.
- Placing sensors where they cannot see the traffic that matters — all internal east-west traffic invisible — or ignoring that TLS hides payloads from network inspection.
- Letting alerts pile up unrouted and untuned until the whole system is ignored.
- Measuring the IDS by alert volume rather than by actionable, triaged detections.
- Use IPS inline only for high-confidence signatures; run the rest as IDS alerts to avoid blocking real users.
- Combine signatures with baselined behavioral detection, and tune relentlessly to keep signal high.
- Place sensors to cover perimeter and inter-zone traffic, and lean on endpoint detection and flow metadata where traffic is encrypted.
- Feed alerts into the SIEM (Chapter 10) with context so they are triageable.
- Measure detection quality — actionable alerts and true positives — not raw alert volume.
Knowledge Check
What is the central tradeoff between an IDS and an IPS?
- An IDS only alerts; an IPS blocks inline but can drop real users
- An IDS is encrypted while an IPS is plaintext
- An IDS works only at layer 7 while an IPS operates strictly at layer 3
- An IPS cannot use signatures, only anomalies
Why has network intrusion detection lost visibility over time?
- Ubiquitous TLS encryption hides payloads
- Attackers stopped using the network entirely
- Signatures were banned by modern protocols
- IDS devices became too fast to log anything
Why is a noisy, untuned IDS effectively no IDS at all?
- Constant false positives get all the alerts ignored
- It automatically disables itself after too many alerts
- Noisy IDSes cannot use signatures
- Extra alerts eventually slow the whole network to a halt
You got correct