This is always a good start to the IDP portion of the interview because it gets immediately to the heart of the IDS/IDP debate. Network security hardware and software vendors have confused many network professionals with markets and submarkets of intrusion detection. Originally, there was just “intrusion detection.” The systems (also called sensors) were either network-based, also known as a network IDS (NIDS), or host-based, also known as a host IDS (HIDS). The early systems simply tapped into the network at switches with monitored/mirrored ports.
The term IDS is now considered a first-generation term. Today, many vendors distinguish detection from prevention. Detection means passive monitoring, whereas prevention means active monitoring. With the introduction of the term prevention came the introduction of new acronyms — NIPS (Network IPS) and HIPS (Host IPS). Vendors like to call detection reactive and prevention proactive. The IPS devices have the ability to detect as well as prevent attacks using a response mechanism—if in a tap/span configuration — or blocking mechanism — if using an inline configuration. IPS is more of a second-generation term. Many equate an IDS to a burglar alarm. Network sensors detect an intrusion much the same way a door or window sensor detects unwanted entry. The home sensors alert the alarm company or home siren to the intruder. An IPS is a way to prevent attacks from penetrating
the network. Some vendors and even NIST have gone so far as to use the acronym IDP (Intrusion Detection and Prevention) to include both the IDS and IPS functionality. Throughout this chapter, we continue to use IDP to represent both IDS and IPS systems.