
IDS vs. Firewall, what's the difference?


drs10s

Instructor
Oct 7, 2003
1
US
It seems all Firewall programs are designed to block all outbound/inbound traffic at the gateway and as such seem like a dumb program. In contrast, they aren't intuitive like Intrusion Detection Systems. Many companies claim that IDS technology acts like a firewall, but critics say it's inferior and doesn't work. Who's right here? And what does it all mean? Someone please explain the differences in these 2 technologies, and why one is superior?

Is (IDS) technology truly inferior as a firewall technology, and if so, then what is it good for? For a home PC user, which is better, and why is it impossible to use both at the same time? Many reports and reviews of products by software mfg. warn not to use them together? Also, antivirus programs like McAfee (in earlier VScan 5.0 'read' notes) warn about AV being incompatible with spyware programs (but you need both)?

So, what is the source of 'incompatible' issues between IDS and Firewall, and AV and Spyware programs? There shouldn't be any if they are detecting and protecting PCs in totally different ways (as all the mfg. reports and reviews claim)? Can someone please explain all this mess, and thanks!
 
Does this previous thread help?
thread83-619710

> IDS technology acts like a firewall
It can't - Detection merely warns you that something has happened which may be suspicious. It doesn't actually prevent anything from happening.

> Someone please explain the differences in these 2 technologies, and why one is superior?
Neither is superior since they perform different tasks
Firewall = Bouncer on the door
IDS = In-store detective
Having either is preferable to none at all, but having both is better. Ideally, you use the IDS output to tune the firewall rules - say a particular domain is performing a lot of scans of your PC, you can use this to update the firewall.

 
I don't know where that information came from, but IDS and firewalls are RECOMMENDED to be used together.

A firewall performs inspection of the packet headers. If a packet type is not allowed (invalid destination port), it is dropped or RST. Non-home use firewalls use a stateful inspection, which means that they maintain a table of all of the currently established sessions, so if someone sends an acceptable packet, like SRC port 80, the firewall will still reject it.

IDSs have historically been installed as a "tap" to the circuit, and they passively identify any suspect acceptable traffic (like a buffer overflow targeting your web server) and notify the Admin. Today, some IDSs are recommending that they be installed in series with the firewall so that they can "trap" these allowed but dangerous packets.

The reason that they are complementary devices is that one protects against invalid connections, while the other protects against hazardous, valid connections. Both can be implemented in the same box if you have low traffic requirements, but many medium and all large businesses find that the performance of their Internet connection suffers if both applications run on the same platform. And many manufacturers require different configurations for their firewalls and IDSs, so you need to have separate boxes.

At home I run a single linux box with firewall and Snort IDS in the same computer, but I'm not trying to push a 10 Mb/s Internet connection through it, just a T-1.


pansophic
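As an added illustration of the split described in the two replies above (the firewall checks headers against a session table, the IDS watches payloads on allowed connections and its alerts feed back into firewall rules), here is a toy Python model. It is not code from the thread; the packet model, the scan threshold, the request-size limit and the sample traffic are all constructed for the example.

```python
from collections import Counter, namedtuple

# Constructed packet model: the header fields a firewall reads, plus the payload an IDS reads
Packet = namedtuple("Packet", "src sport dport syn payload")

class StatefulFirewall:  # header-only filter with a session table (the "bouncer on the door")
    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)
        self.sessions = set()  # (src, sport, dport) of accepted connections
        self.blocked = set()   # sources denied by rule, tuned from IDS output

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "DROP"
        if pkt.syn:  # new connection: only allowed destination ports get a session entry
            if pkt.dport in self.allowed:
                self.sessions.add((pkt.src, pkt.sport, pkt.dport))
                return "ACCEPT"
            return "DROP"
        # a non-SYN packet must belong to an established session, whatever source port it claims
        return "ACCEPT" if (pkt.src, pkt.sport, pkt.dport) in self.sessions else "DROP"

class SimpleIDS:  # passive observer (the "in-store detective"): sees packets and verdicts, only alerts
    def __init__(self, scan_threshold=3, max_request=64):
        self.scan_threshold, self.max_request = scan_threshold, max_request
        self.drops, self.alerts = Counter(), []

    def observe(self, pkt, verdict):
        if verdict == "DROP":
            self.drops[pkt.src] += 1
            if self.drops[pkt.src] == self.scan_threshold:
                self.alerts.append(("scan", pkt.src))
        elif len(pkt.payload) > self.max_request:  # hazardous payload on a *valid* session
            self.alerts.append(("oversized-request", pkt.src))

def run(packets, allowed_dports=(80,)):
    fw, ids = StatefulFirewall(allowed_dports), SimpleIDS()
    verdicts = []
    for pkt in packets:
        verdict = fw.inspect(pkt)
        ids.observe(pkt, verdict)
        verdicts.append(verdict)
        fw.blocked.update(src for kind, src in ids.alerts if kind == "scan")  # IDS output tunes the firewall
    return verdicts, ids.alerts

# Constructed sample traffic: a web client, a scanner faking SRC port 80, then an oversized request
SAMPLE = [Packet("10.0.0.5", 40000, 80, True, b""), Packet("10.0.0.5", 40000, 80, False, b"GET / HTTP/1.0"),
          Packet("203.0.113.9", 80, 23, False, b""), Packet("203.0.113.9", 80, 22, False, b""),
          Packet("203.0.113.9", 80, 3389, False, b""), Packet("203.0.113.9", 40001, 80, True, b""),
          Packet("10.0.0.7", 40002, 80, True, b""), Packet("10.0.0.7", 40002, 80, False, b"GET /" + b"A" * 100)]
```

Calling `run(SAMPLE)` shows the spoofed SRC-port-80 packets dropped by the session table alone, the scanner's later legitimate-looking SYN dropped only because the IDS alert added a block rule, and the oversized request accepted by the firewall but flagged by the IDS.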
 