Justifying Snort
IDS vs. IPS
I believe the majority of objections to the value of Snort stem from the fact that it's called an intrusion detection system (IDS). Looking closely at that label, we should assume that an IDS is a "system" that "detects" "intrusions." The ultimate IDS would be 100% accurate in its ability to perform that role. A simple question flows naturally from the perception that an IDS is supposed to detect intrusions: "If you can detect intrusions, why can't you prevent them?" At first glance this question makes sense. We should prevent activity that has been 100% identified as being an intrusion.
Upon hearing this, IDS salespeople rushed back to their engineers with requirements for an "IDS" that "prevented intrusions." Hence, the "intrusion prevention system" (IPS) was born.
The IDS is usually offline, meaning it listens to traffic on a network tap or switch SPAN port. The IPS is usually inline, meaning it sits directly in the path of production traffic as a bridged network element. The IDS is passive; it doesn't take action based on what it sees. The IPS is active; it permits or denies traffic based on what it sees. Both the IDS and IPS make judgments on the traffic they see using signatures, protocol inspection and other mechanisms.
Let's return to the question that gave birth to the IPS: "If you can detect it, why not prevent it?" It turns out that "I am willing to drop traffic"-type certainty is fairly difficult to achieve when inspecting network traffic. While it's easy to say you don't want to be hacked, converting that into actionable, programmatic logic is exceptionally difficult.
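To make the passive-versus-inline distinction concrete, here is a small simulation added to this post (it is not Snort's code and not part of the original article). It models a signature engine that can run in IDS mode, where matches only raise alerts and every request is forwarded, or in IPS mode, where the same match drops the request. The requests, the rule ids and the rule contents are constructed for the illustration; the point is that a signature which is perfectly acceptable as an alert becomes collateral damage the moment it is allowed to drop traffic, and narrowing it to cut the false positive does nothing about the attack the signature was never written for.

```python
"""Toy IDS/IPS simulation (constructed example, not Snort itself).

A Rule looks for a content string either anywhere in the request URI or
only in its query string. In passive mode a match produces an alert and
the request is still forwarded; in inline mode a match drops the request.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Rule:
    sid: int            # constructed signature id (local-rule range)
    msg: str
    content: str        # substring the rule looks for
    where: str = "uri"  # "uri" = whole request URI, "query" = query string only


@dataclass
class Request:
    src: str
    uri: str
    malicious: bool     # constructed ground truth, used only for scoring


def rule_matches(rule: Rule, req: Request) -> bool:
    haystack = req.uri if rule.where == "uri" else urlsplit(req.uri).query
    return rule.content in haystack


def inspect(req: Request, rules: List[Rule], inline: bool) -> Tuple[bool, List[dict]]:
    """Evaluate one request against the rule set.

    Returns (forwarded, events). In passive (IDS) mode every request is
    forwarded and each match becomes an "alert" event; in inline (IPS) mode
    a match becomes a "drop" event and the request is not forwarded.
    """
    events = [{"sid": r.sid, "msg": r.msg, "action": "drop" if inline else "alert"}
              for r in rules if rule_matches(r, req)]
    forwarded = not (inline and events)
    return forwarded, events


def run(traffic: List[Request], rules: List[Rule], inline: bool) -> Dict[str, int]:
    """Run the whole constructed traffic sample and tally the outcome."""
    stats = {"forwarded": 0, "dropped": 0, "alerts": 0,
             "false_positives": 0, "missed": 0}
    for req in traffic:
        forwarded, events = inspect(req, rules, inline)
        stats["forwarded" if forwarded else "dropped"] += 1
        stats["alerts"] += len(events)
        if events and not req.malicious:
            stats["false_positives"] += 1   # benign request flagged (or dropped)
        if not events and req.malicious:
            stats["missed"] += 1            # attack the signature does not cover
    return stats


# Constructed traffic sample: two attacks, two benign requests.
TRAFFIC = [
    Request("10.0.0.5", "/cgi-bin/report.pl?run=cmd.exe", malicious=True),
    Request("10.0.0.9", "/kb/articles/using-cmd.exe-safely.html", malicious=False),
    Request("10.0.0.7", "/cgi-bin/report.pl?run=powershell", malicious=True),
    Request("10.0.0.3", "/index.html", malicious=False),
]

# A broad signature (matches anywhere in the URI) and a narrowed one
# (matches only in the query string). Both ids are constructed.
BROAD_RULE = Rule(sid=1000001, msg="cmd.exe in URI", content="cmd.exe", where="uri")
NARROW_RULE = Rule(sid=1000002, msg="cmd.exe in query string", content="cmd.exe", where="query")


if __name__ == "__main__":
    print("IDS, broad rule :", run(TRAFFIC, [BROAD_RULE], inline=False))
    print("IPS, broad rule :", run(TRAFFIC, [BROAD_RULE], inline=True))
    print("IPS, narrow rule:", run(TRAFFIC, [NARROW_RULE], inline=True))
```

In IDS mode the broad rule raises two alerts, one of them on the benign knowledge-base page, and all four requests reach the server. Switch the same rule to inline and the benign page is dropped along with the attack. Narrowing the rule to the query string removes that false positive, but the second attack is still missed in every configuration, because no signature was written for it.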