Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) should be an important part of the security services you use when running a secure, mission-critical site. There is a subtle but important difference between the two kinds of system, and it can dramatically affect which one you choose. In our examples we will discuss the widely used Snort open source application, which is capable of operating in either mode.
With an IDS, your system will detect suspicious internet traffic going to your site/servers and report it. The software can run on its own machine either in front of your web server or beside it on the network, or it can be installed on the same machine as the web server. If you have a small number of sites this can be very effective: it reports all traffic that could be suspicious, allowing you to investigate further and, if need be, plug any security gaps in your code or server software. The main disadvantage is that an IDS will not actually stop an attack from happening, so in some instances, by the time you have checked the reports and repaired the problem, the damage has already been done.
Setting up an IPS is a little more intrusive. For it to be fully effective you need to place it in front of the server on its own separate machine (usually configured as a network bridge). It will then block and report any traffic that looks dangerous, preventing it from ever reaching the server. This is an excellent way to secure your server and web site(s) from attack; however, a "false positive" can prevent genuine traffic from reaching a site. It also adds a point of failure to your system: if the IPS crashes or needs to restart, it can take down your websites with it. CWCS would always recommend this method despite the drawbacks, as it offers a much more rounded and secure option.
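To make the IDS/IPS distinction from the two paragraphs above concrete, here is an added example that is not part of the original post and not Snort's own code: a toy Snort-style signature matcher run over constructed HTTP request lines, once as an IDS (every request is delivered, matches are only logged) and once as an IPS (requests matching a `drop` rule never reach the server). It also shows the cost of a false positive in each mode and how tuning the rule set after reviewing the alerts fixes it. Rule IDs, messages, patterns and request lines are all constructed for the example; only the `alert`/`drop` action names mirror Snort's rule actions.

```python
"""Toy model of IDS (alert only) versus IPS (alert and drop) behaviour.

Constructed example, not Snort code: a tiny Snort-style signature matcher
applied to hand-made HTTP request lines, showing how one rule set behaves
in detection mode versus prevention mode, and what a false positive costs
in each.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    sid: int              # signature id (constructed, not a real Snort SID)
    action: str           # "alert" (log only) or "drop" (block when inline)
    msg: str              # human-readable alert text
    pattern: re.Pattern   # content to look for in the decoded request


@dataclass
class Result:
    delivered: list = field(default_factory=list)  # requests the server saw
    blocked: list = field(default_factory=list)    # requests stopped by the IPS
    alerts: list = field(default_factory=list)     # (sid, msg, request) tuples


RULES = [
    Rule(1000001, "drop", "SQLi: UNION SELECT in URI", re.compile(r"union\s+select", re.I)),
    Rule(1000002, "drop", "Path traversal in URI", re.compile(r"\.\./")),
    # Deliberately over-broad rule: it fires on any 'select', so it also hits
    # a legitimate search query. This is the false positive the post warns about.
    Rule(1000003, "drop", "Over-broad: any 'select' keyword", re.compile(r"select", re.I)),
]


def inspect(request: str, rules):
    """Return the rules whose pattern matches the percent-decoded request line."""
    decoded = unquote(request)
    return [r for r in rules if r.pattern.search(decoded)]


def run_sensor(requests, rules, mode="ids"):
    """Process requests as an IDS ("ids": log matches, pass everything) or as an
    IPS ("ips": honour 'drop' rules so matching traffic never reaches the server)."""
    res = Result()
    for req in requests:
        hits = inspect(req, rules)
        res.alerts.extend((r.sid, r.msg, req) for r in hits)
        # An IDS never blocks; an IPS blocks when any matching rule says drop.
        if mode == "ips" and any(r.action == "drop" for r in hits):
            res.blocked.append(req)
        else:
            res.delivered.append(req)
    return res


def tuned_rules(rules, remove_sid):
    """Rule tuning after reviewing alerts: retire the signature that misfires."""
    return [r for r in rules if r.sid != remove_sid]


# Constructed sample traffic: two malicious request lines, two legitimate ones.
TRAFFIC = [
    "GET /products?id=1 HTTP/1.1",
    "GET /products?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1",
    "GET /static/../../etc/passwd HTTP/1.1",
    "GET /search?q=select+your+region HTTP/1.1",  # legitimate, trips rule 1000003
]


def summarize(mode, rules=RULES):
    """Counts that make the two modes comparable: what was delivered, what was
    blocked, how many alerts fired, and whether the legitimate search was lost."""
    res = run_sensor(TRAFFIC, rules, mode)
    return {
        "delivered": len(res.delivered),
        "blocked": len(res.blocked),
        "alerts": len(res.alerts),
        "legit_search_blocked": TRAFFIC[3] in res.blocked,
    }


if __name__ == "__main__":
    print("IDS      :", summarize("ids"))
    print("IPS      :", summarize("ips"))
    print("IPS tuned:", summarize("ips", tuned_rules(RULES, 1000003)))
```

In IDS mode all four requests are delivered and the four alerts are only a report to act on, which is exactly why damage can already be done by the time the report is read. In IPS mode the two attacks are stopped before the server sees them, but the over-broad rule also blocks the legitimate search; retiring that rule after reviewing the alerts restores it while still blocking both attacks.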