IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks.
IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. IDS logs provide security teams detailed records of attacks including the type, source, destination and port(s) used that provide an overall attack signature. An IDS examines mirrored data packets from different points within the network and can only detect an attack, but does not take action on its own. The goal is to correctly identify malicious traffic before it can proceed further into the network.
Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other points inside the network or on individual servers. An IPS actively accepts and rejects a packet based on a ruleset. IPS usually works by dropping packets, resetting network connections and blacklisting specific IP addresses or ranges. IPS logs provide the same set of attack signature data, but also may include a threat analysis of bad network packets and detection of lateral movement. This data can also detect command and control traffic, DDoS traffic, and malicious or unknown domain traffic.
In the Common Information Model, intrusion detection and prevention data is typically mapped to the Intrusion Detection data model.