What is an IDS/IPS? How do intrusion detection and prevention systems strengthen a firewall? | nFlo Blog

IDS/IPS systems: Why is a firewall alone not enough to protect your network?


In the network security architecture, the firewall has always played the role of a fundamental gatekeeper at the border. Its job can be compared to that of a guard at the gate to a protected facility, checking the guest list. The firewall analyzes the headers of network packets – the IP addresses of the sender and receiver, as well as port numbers – and, based on defined rules, decides whether traffic can enter or should be blocked. This is an absolutely essential first line of defense. But in today’s threat landscape, such control is far from sufficient.

Our guard at the gate, though diligent in checking invitations, has no idea what visitors bring in their suitcases. This is because attackers have learned to hide their malicious activities inside seemingly legitimate and permitted network communications. Malicious code, attempts to exploit vulnerabilities or viruses can be transmitted on standard open ports (e.g. 80 for the Web or 443 for HTTPS), freely passing the traditional firewall. IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) systems were developed in response to this challenge. They are the ones that act as advanced scanners that look inside “suitcases” and analyze the actual content of network traffic.

Why is the traditional firewall, while necessary, no longer sufficient network protection?

A traditional stateful firewall mainly operates on layers 3 and 4 of the OSI model (network and transport layers). Its decisions are based on simple criteria: source IP address, destination IP address, source port and destination port. It can block all traffic from unknown addresses or on untrusted ports, which is extremely important for basic network hygiene.

Its limitation, however, is that it does not analyze the content (payload) of transmitted packets. If a firewall rule allows traffic on port 80 (HTTP), it will let through any connection on that port, regardless of whether there is a legitimate website inside or an exploit trying to exploit a vulnerability in the web server. To a traditional firewall, both of these connections look the same.

Today’s attacks almost always use legitimate communication channels to smuggle their malicious activities. Attackers no longer try to push through closed ports – instead, they hide their exploits in web traffic, commands for the botnet in seemingly normal DNS queries, and malware in files downloaded from websites. To combat such threats, you need tools that can look deeper.


What is an Intrusion Detection System (IDS) and how does it work?

IDS (Intrusion Detection System) is a security solution designed to passively monitor network traffic (or activity on a host) for signs of malicious activity or violations of security policy. The key word here is “passive.”

An IDS works like a surveillance camera connected to a network. It receives a copy of network traffic (usually from a SPAN port on a switch) and analyzes it in real time. It compares the observed activity with a database of known attack signatures or a model of normal behavior. If it detects something suspicious – such as a packet matching the signature of a known exploit or unusual port scanning – its only job is to generate an alert and send it to the administrator or SIEM system.

An IDS does not actively block traffic. It works “out-of-band,” meaning that the original network traffic flows unhindered to its destination and the IDS only analyzes a copy of it. It is therefore a pure detection tool. Its great advantage is that it introduces no latency into the network and, if it fails, does not disrupt network operation. Its disadvantage is that it only informs you of an attack that has already taken place (or is about to take place): it gives you time to react, but it does not stop the attack itself.


What is an Intrusion Prevention System (IPS) and what is its key advantage over IDS?

IPS (Intrusion Prevention System) is the natural evolution of the IDS concept. It has all the detection mechanisms of an IDS, but adds one fundamental capability: active blocking (prevention).

Unlike an IDS, an IPS is not passively connected to the side of the network. It is placed “in-line,” which means that all network traffic must physically flow through it on its way to its destination. It acts as a checkpoint on the road, rather than a camera beside it. When the IPS, analyzing a packet flowing through it, detects a match to an attack signature, it not only generates an alert but can take immediate action to block the threat.

These activities may include:

  • Malicious packet rejection (drop packet): The IPS simply does not let the malicious packet pass any further, effectively aborting the attack attempt.
  • Block traffic from the source IP address: If multiple attack attempts come from a given IP address, the IPS can temporarily or permanently block it.
  • TCP session termination: The IPS can send connection reset packets to both sides of the communication, closing the session in which the attack is being conducted.

The key advantage of an IPS over an IDS is therefore obvious: it prevents attacks in real time, instead of just reporting them. It provides an active shield, not just an early warning system.
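The difference between a header-only firewall, an out-of-band IDS (previous section) and an in-line IPS (this section) can be made concrete in a few lines of Python. The following is an added example written for this article, not nFlo's code or any vendor's engine; the packets, the two byte-pattern signatures (`EXPLOIT-MARKER-A`/`-B`), the allowed-port list and the two-hit blocking threshold are all constructed for illustration.

```python
"""Minimal packet pipeline contrasting a stateful firewall, an IDS and an IPS.

Added illustration, not code from nFlo or any product. All names, packets
and signatures are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures: byte patterns an engine would look for in a payload.
SIGNATURES = {"sig-a": b"EXPLOIT-MARKER-A", "sig-b": b"EXPLOIT-MARKER-B"}

# Constructed L3/L4 rule: the firewall only lets web ports through.
FIREWALL_ALLOWED_PORTS = {80, 443}


def firewall_decision(pkt: Packet) -> str:
    """Header check only (L3/L4): the payload is never looked at."""
    return "pass" if pkt.dport in FIREWALL_ALLOWED_PORTS else "block"


def match_signature(payload: bytes):
    """Return the name of the first signature found in the payload, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


@dataclass
class Engine:
    mode: str                      # "ids" (out-of-band) or "ips" (in-line)
    block_threshold: int = 2       # IPS blocks a source after this many hits
    hits: Counter = field(default_factory=Counter)
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def process(self, pkt: Packet) -> dict:
        """Return what happened to the packet at the firewall and engine stages."""
        result = {"firewall": firewall_decision(pkt), "engine": "none", "delivered": False}
        if result["firewall"] == "block":
            return result
        if self.mode == "ips" and pkt.src in self.blocked_sources:
            result["engine"] = "drop (source blocked)"
            return result
        sig = match_signature(pkt.payload)
        if sig is None:
            result["engine"] = "clean"
            result["delivered"] = True
            return result
        self.alerts.append((pkt.src, sig))
        if self.mode == "ids":
            # Out-of-band: only a copy is analysed, the original packet already
            # reached its destination, so all the IDS can do is alert.
            result["engine"] = f"alert:{sig}"
            result["delivered"] = True
            return result
        # In-line IPS: drop the packet, reset the TCP session and, after
        # repeated hits, block the source address.
        self.hits[pkt.src] += 1
        actions = ["drop", "tcp-reset"]
        if self.hits[pkt.src] >= self.block_threshold:
            self.blocked_sources.add(pkt.src)
            actions.append("block-source")
        result["engine"] = f"alert:{sig} " + "+".join(actions)
        return result


def run_demo(mode: str):
    """Feed a constructed traffic sample through the engine.

    Returns (per-packet results, alerts raised, sources blocked).
    """
    traffic = [
        Packet("198.51.100.7", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("198.51.100.7", "192.0.2.10", 80, b"POST /upload EXPLOIT-MARKER-A"),
        Packet("198.51.100.7", "192.0.2.10", 80, b"GET /?x=EXPLOIT-MARKER-B HTTP/1.1"),
        Packet("198.51.100.7", "192.0.2.10", 80, b"GET /about.html HTTP/1.1"),
        Packet("203.0.113.5", "192.0.2.10", 23, b"telnet"),   # blocked on port alone
    ]
    eng = Engine(mode=mode)
    results = [eng.process(p) for p in traffic]
    return results, eng.alerts, eng.blocked_sources


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        results, alerts, blocked = run_demo(mode)
        print(mode, [r["engine"] for r in results], "blocked:", blocked)
```

`run_demo("ids")` delivers every port-80 packet, including the two that match a signature, and only records alerts; `run_demo("ips")` drops both matching packets, sends a reset, and after the second hit blocks the source, so that source's later clean request is dropped as well. The telnet packet never reaches either engine: the port rule alone stops it, which is the part a traditional firewall handles well.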

Comparison of Network Protection Mechanisms

| Aspect | Traditional Firewall (Stateful) | IDS | IPS / NGFW system |
| --- | --- | --- | --- |
| Main function | Access control. | Detection and alerting. | Prevention (blocking). |
| Method of action | In-line. | Passive, out-of-band. | In-line. |
| Analysis method | Packet header analysis (L3/L4). | Deep packet inspection (DPI), content analysis (L7). | Deep packet inspection (DPI), content analysis (L7). |
| Threat response | Passes or blocks based on IP/port rules. | Generates an alert; does not block traffic. | Rejects the malicious packet/session and generates an alert. |

What is deep packet inspection (DPI) and why is it so important?

Deep Packet Inspection (DPI) is the technology that is the heart and brain of any IDS/IPS system. It is the ability to analyze not only the headers of a network packet (as a traditional firewall does), but also its content (payload), the actual data sent as part of the communication.

With DPI, the security system is able to reconstruct and understand what is happening at the application level (Layer 7 of the OSI model). It can “see” that the traffic on port 80 carries not only plain HTML but also malicious JavaScript. It can distinguish between a legitimate database query and an attempted SQL Injection attack. It can identify, in a downloaded file, a piece of code characteristic of a known virus.

Without DPI, network security would be blind to the vast majority of today’s threats that hide inside the allowed traffic. It is this technology that allows IDS/IPS systems to make intelligent, context-based decisions instead of simple, binary “pass/block” controls based on addresses and ports.


What types of attacks do IDS/IPS systems most effectively detect and block?

IDS/IPS systems, with their deep packet inspection capabilities, are able to detect and block a wide range of attacks that are invisible to traditional firewalls.

  • Exploiting known vulnerabilities (Exploits): This is the main task of IDS/IPS. The system has a signature database for thousands of known vulnerabilities in popular software (e.g., web servers, databases, operating systems). If it detects an attempt on the network to send a crafted packet designed to exploit one of these vulnerabilities, it will block it immediately.
  • Attacks on web applications: These systems can identify characteristic patterns for popular attacks such as SQL Injection, Cross-Site Scripting (XSS) and Directory Traversal attempts.
  • Malware: Many IPS systems have built-in antivirus engines that scan transmitted files on the fly for known viruses, Trojans or spyware.
  • Network scanning and reconnaissance: IDS/IPS can detect anomalous behavior, such as port scanning or attempts to map network topology, which are often the first phase in preparation for an attack.
  • Denial of Service (DoS) attacks: These systems can identify and block certain types of DoS attacks, which involve sending a large number of unusual or malformed packets.

How does IDS/IPS integrate with the firewall within the NGFW/UTM platform?

As technology evolved, the boundaries between firewall, IDS and IPS began to blur. Manufacturers realized that instead of forcing customers to deploy three separate devices, it was much more efficient to integrate these functions into a single, cohesive platform. Thus were born Next-Generation Firewalls (NGFW) and Unified Threat Management (UTM) platforms.

A modern NGFW is essentially an advanced stateful firewall that has been enhanced with an integrated DPI-based IPS engine. This means that every connection that is allowed through based on access rules (IP/port) is then deeply inspected by the IPS engine for exploits, malware and other threats.

This integration brings huge benefits. First, it simplifies architecture and management. Instead of three different consoles, the administrator has one central point to manage all aspects of network security. Second, it allows the creation of much more granular and intelligent policies. An administrator can create a single, consistent rule that reads, “Allow HTTPS traffic from the internal network to the Internet, but enable IPS inspection and virus scanning for it, plus block access to the ‘gambling’ category.” This combination of access control, intrusion prevention and application control in a single appliance is the standard in modern network protection today.
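The single NGFW rule quoted above, and the DPI idea from the earlier section (reconstructing the Layer 7 request rather than stopping at addresses and ports), can be shown as one evaluation function. This is an added example written for this article, not nFlo's or any vendor's code: the rule, the URL-category feed, the two IPS patterns and the antivirus marker are constructed, and the sample traffic is plain HTTP. For the HTTPS case in the rule the same logic applies only after TLS decryption, which the example assumes has already happened.

```python
"""One NGFW-style rule: L3/L4 access match, then DPI of the HTTP request.

Added illustration, not nFlo's or any vendor's code. Rule, categories,
patterns and sample requests are all constructed.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Constructed policy: the access rule plus the inspection profiles attached to it.
RULE = {
    "src": ip_network("10.0.0.0/8"),  # "internal network"
    "dport": 80,                      # plain HTTP here; on 443 assume TLS decryption
    "ips": True,
    "av": True,
    "blocked_categories": {"gambling"},
}

# Constructed URL-category feed and IPS/AV patterns (real products ship large feeds).
URL_CATEGORIES = {"casino.example": "gambling", "intranet.example": "business"}
IPS_PATTERNS = {
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
    "dir-traversal": re.compile(r"(\.\./){2,}"),
}
AV_MARKER = b"CONSTRUCTED-MALWARE-MARKER"  # stands in for a virus signature


def parse_http(payload: bytes) -> dict:
    """Reconstruct the L7 request: method, host, decoded path and query, body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    parts = urlsplit(target)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": unquote(parts.path),     # decode %2F etc. before matching
        "query": unquote(parts.query),
        "body": body,
    }


def evaluate(src: str, dport: int, payload: bytes) -> dict:
    """Return the rule's verdict and the stage that produced it."""
    # Stage 1: what a traditional firewall sees, addresses and ports only.
    if ip_address(src) not in RULE["src"] or dport != RULE["dport"]:
        return {"verdict": "deny", "stage": "access-rule"}
    # Stage 2: DPI reconstructs the application-layer request.
    req = parse_http(payload)
    category = URL_CATEGORIES.get(req["host"], "unknown")
    if category in RULE["blocked_categories"]:
        return {"verdict": "deny", "stage": "url-filter", "category": category}
    if RULE["ips"]:
        text = f'{req["path"]}?{req["query"]}'
        for name, pattern in IPS_PATTERNS.items():
            if pattern.search(text):
                return {"verdict": "deny", "stage": "ips", "signature": name}
    if RULE["av"] and AV_MARKER in req["body"]:
        return {"verdict": "deny", "stage": "av"}
    return {"verdict": "allow", "stage": "inspected", "host": req["host"]}


if __name__ == "__main__":
    print(evaluate("10.1.2.3", 80,
                   b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    print(evaluate("10.1.2.3", 80,
                   b"GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1\r\n"
                   b"Host: intranet.example\r\n\r\n"))
```

The order of the stages is the point: every request below is allowed by the access rule (internal source, port 80), so a header-only firewall would pass all of them, and only the DPI stages separate the intranet page from the gambling site, the percent-encoded SQL tautology and the file carrying the antivirus marker. The `unquote` call is what turns `..%2F..%2F` into `../../` before the pattern runs; matching on the raw wire bytes would miss it.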


How does nFlo help implement and manage an effective intrusion prevention strategy?

At nFlo, we see intrusion prevention as a fundamental part of a multi-layered defense strategy. Simply having a next-generation firewall is only the beginning. The true value of this technology is only unleashed when it is properly deployed, finely tuned and constantly monitored by experts.

Our services begin with an audit of the network architecture and selection of the appropriate technology. We analyze the current state of security, network traffic characteristics and the client’s risk profile to help select and design an NGFW/IPS solution that is optimally suited to the client’s needs. Then, our team of certified engineers conducts a comprehensive implementation, taking care not only of the basic configuration but also of the activation and configuration of advanced security modules. One of our key competencies is tuning and optimizing IPS systems. Default security profiles often generate a high number of false alarms or, on the contrary, are too lenient. Our experts work with clients to tailor signatures and policies to the specifics of their environment, maximizing the detection rate of real threats while minimizing information noise.

About the author:
Justyna Kalbarczyk

Justyna is a versatile specialist with extensive experience in IT, security, business development, and project management. As a key member of the nFlo team, she plays a commercial role focused on building and maintaining client relationships and analyzing their technological and business needs.

In her work, Justyna adheres to the principles of professionalism, innovation, and customer-centricity. Her unique approach combines deep technical expertise with advanced interpersonal skills, enabling her to effectively manage complex projects such as security audits, penetration tests, and strategic IT consulting.

Justyna is particularly passionate about cybersecurity and IT infrastructure. She focuses on delivering comprehensive solutions that not only address clients' current needs but also prepare them for future technological challenges. Her specialization spans both technical aspects and strategic IT security management.

She actively contributes to the development of the IT industry by sharing her knowledge through articles and participation in educational projects. Justyna believes that the key to success in the dynamic world of technology lies in continuous skill enhancement and the ability to bridge the gap between business and IT through effective communication.