An intrusion detection system attempts to detect unauthorized and anomalous activity by monitoring packets traversing a given network. Intrusion prevention systems add to this with the ability to block or reject packets that match a particular signature or behavior. To make this effective, intrusion prevention systems sit in-line instead of using a network tap or port span. In the past this was a cause for concern due to the potential bottleneck an in-line IPS could cause resulting from high load or hardware/software failure. Recently, the increase in throughput of many IPS devices, high availability implementations, and device bypass has lowered this risk.
What are the differences between Host Intrusion Detection and Host Intrusion Prevention?
Host intrusion detection systems attempt to detect unauthorized and anomalous activity on a given system. Intrusion prevention gives the HIDS agent the ability to block or reject specific applications, behaviors, and changes to the local system configuration.
Ernst & Young