Questions: Intrusion Detection and Prevention Systems

The critical difference between IDS and IPS is what happens on a false positive. An IDS monitors a copy of traffic and generates alerts — a false positive wastes analyst time but causes no operational harm. An IPS sits inline; when it misidentifies legitimate traffic as malicious, it actively drops or blocks that traffic, potentially halting business operations. This asymmetry means IPS systems require careful tuning before being placed in blocking mode, and operators often run IPS in 'detection only' mode first to characterize the false positive rate.

Firewalls operate at the network/transport layer, filtering by IP address, port, and protocol. They are blind to the content of permitted traffic. A SQL injection attack, a cross-site scripting payload, or malware download embedded in an HTTP request is invisible to a firewall that allows HTTP on port 80. IDS/IPS perform deep packet inspection, analyzing payload content and behavioral patterns to detect malicious activity within otherwise permitted sessions. Firewalls and IDS/IPS are complementary controls, not substitutes.

Answer: False

Anomaly-based detection has a critical weakness: it generates many false positives. Any legitimate but unusual activity — a backup job at an unexpected time, a software update causing a traffic spike, a new application deployment — can look anomalous against the learned baseline. Signature-based detection is highly accurate for known attack patterns (low false positives) but blind to new ones. Neither approach dominates the other; they address different threat classes. Production security systems deploy both, feeding alerts into a SIEM for correlation.

Answer: False

Encrypted traffic is opaque to NIDS payload inspection. TLS encrypts the application-layer content so that only the endpoints (client and server) can read it. A NIDS sees only ciphertext in the payload and cannot apply signature-based rules to it. NIDS can still analyze metadata — connection timing, volume, source/destination patterns — but payload signatures are ineffective against encrypted traffic. Host-based IDS (HIDS), running on the server, can inspect traffic after decryption at the application layer and is not subject to this limitation.

This tradeoff explains why organizations often deploy IDS first, tune the detection rules, and only switch to IPS blocking mode after validating that the false positive rate is acceptably low. The inline position converts detection errors into disruptions, so operational risk must be managed before enabling blocking.