Problem solve Get help with specific problems with your technologies, process and projects.

Using a firewall vs. an IDS

In general, when would one consider using an intrusion-detection system rather than a firewall in the overall network security design?

I don't think it really is a question of one or the other, as they serve different purposes. First of all, the intrusion-detection systems typically are passive systems that simply detect problems and perhaps alert someone. They do not block any traffic, or take active measures to stop an attack. A properly configured firewall can allow only certain types of traffic to pass, thus protecting the internal network from any number of malicious activities.

This is not to say that an IDS is not useful. Many IDS can correlate events over time and alert someone of an attack in progress. Firewalls tend to act on each packet without respect to what has happened previously. (This is an over simplification, as many firewalls can make decisions on what to let in based on what has gone out. For example, telnet into a secure network may not be permitted, but if the telnet was initiated from within, then the incoming part of the connection will be allowed.) The point is that an IDS and firewall serve different purposes, and I wouldn't want to see it as a choice between one or the other. However, if you can have only one, I would choose a firewall, as it has a chance of actually stopping an attack, whereas an IDS will only detect and alert.

For more information on this topic, visit these other SearchSecurity.com resources:
  • Guest Commentary: IDS and IPS: Information security technology working together
  • Network Security Tip: Choose the right firewall topology
  • On-demand webcast: Application-layer firewalling: Raise your perimeter IQ
  • This was last published in July 2004

    Dig Deeper on Information security policies, procedures and guidelines