
IDS and IPS for CompTIA Network+ N10-009

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are security controls that monitor network traffic for malicious activity. CompTIA Network+ N10-009 tests the difference between IDS and IPS, detection methods (signature-based vs anomaly-based), deployment modes (NIDS/HIDS), and false positive/negative concepts. These questions appear directly in the Security domain and tie into troubleshooting.


IDS vs IPS

IDS (Intrusion Detection System): monitors traffic passively and generates alerts when suspicious activity is detected. IDS does not block traffic; it only detects and alerts. Analogy: a security camera that records and alerts. Deployed out-of-band, connected to a SPAN (mirror) port or a network TAP, so traffic does not flow through the IDS. If the IDS fails, traffic continues unaffected.

IPS (Intrusion Prevention System): monitors traffic inline (traffic flows through the IPS) and can actively block malicious traffic in real time. Because it sits in the traffic path, an IPS failure affects delivery: traffic is either blocked (fail-closed, favouring security) or passed uninspected (fail-open, favouring availability), depending on configuration. IPS is a preventive control; IDS is a detective control. NGFWs typically include integrated IPS.

NIDS/NIPS (Network-based): monitors network traffic — positioned at key network locations (internet edge, between DMZ and internal). Sees all traffic flowing through the monitoring point. HIDS/HIPS (Host-based): runs on individual systems — monitors system calls, file access, and process behavior on that specific host. Complements NIDS/NIPS by catching threats that reach endpoints.

Detection Methods

Signature-based (misuse detection): compares traffic against a database of known attack signatures. Fast and accurate for known attacks. Cannot detect unknown (zero-day) attacks — no signature exists yet. Requires frequent signature updates. Similar to antivirus signature detection.

Anomaly-based (behavior-based): establishes a baseline of normal behavior and alerts when traffic deviates significantly. Can detect unknown attacks. Higher false positive rate — legitimate but unusual behavior triggers alerts. Requires a learning period to establish baseline.

Heuristic detection: rules-based analysis that examines the behavior and characteristics of traffic or code rather than matching exact signatures. It sits between signature-based and anomaly-based detection and is common in modern security products.

False Positives and Negatives

False positive: the IDS/IPS incorrectly identifies legitimate traffic as malicious — generates an unnecessary alert or (for IPS) blocks legitimate traffic. High false positive rates cause alert fatigue and may block business-critical traffic. Signature tuning reduces false positives.

False negative: the IDS/IPS fails to detect actual malicious traffic; the attack proceeds without being flagged. Signature-based systems produce false negatives for zero-day attacks and for variants that evade the signature. For the exam, false negatives are the more dangerous outcome because the attack goes undetected, although on an inline IPS false positives also carry a direct cost: legitimate traffic is dropped.
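The three sections above (IDS vs IPS deployment, signature vs anomaly detection, and false positives/negatives) can be seen together in one runnable toy sensor. This is an added example written for this page, not code from CompTIA or from any IDS/IPS product. The two signatures, the request-rate baseline, the six labelled HTTP requests and the class and function names (SIGNATURES, AnomalyDetector, Sensor, evaluate) are all constructed for illustration. The same detection engine runs in "ids" (out-of-band, alert only) and "ips" (inline, drop) mode; a sensor failure is simulated to show fail-open versus fail-closed; and the tally over labelled traffic shows a zero-day payload slipping past signature matching (false negative) and a legitimate but unusual export job being flagged by the anomaly baseline (false positive).

```python
# Toy IDS/IPS sensor: added example, not code from the page or any product.
# Signatures, baseline figures and sample requests are constructed.
import re
import statistics
from collections import Counter

# Signature-based detection: a tiny "known-bad" ruleset. A payload that matches
# nothing here (a zero-day) is invisible to this method.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
}

def signature_match(payload):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

class AnomalyDetector:
    """Anomaly-based detection: learn a baseline, flag large deviations."""
    def __init__(self, baseline_rates, threshold=3.0):
        # baseline_rates: requests/minute per client seen during the learning period
        self.mean = statistics.mean(baseline_rates)
        self.stdev = statistics.pstdev(baseline_rates) or 1.0
        self.threshold = threshold  # z-score above which a rate is abnormal

    def is_anomalous(self, rate):
        return (rate - self.mean) / self.stdev > self.threshold

class Sensor:
    """mode="ids": out-of-band, alert only.  mode="ips": inline, can drop."""
    def __init__(self, mode, anomaly, fail_open=True):
        assert mode in ("ids", "ips")
        self.mode, self.anomaly, self.fail_open = mode, anomaly, fail_open
        self.failed = False  # set True to simulate a sensor crash

    def inspect(self, event):
        """Return (verdict, alert) where verdict is "forward" or "drop"."""
        if self.failed:
            # An IDS on a SPAN port is not in the traffic path, so its failure
            # never affects delivery; an inline IPS must fail open or closed.
            return ("forward" if self.mode == "ids" or self.fail_open else "drop"), None
        reasons = []
        sig = signature_match(event["payload"])
        if sig:
            reasons.append("signature:" + sig)
        if self.anomaly.is_anomalous(event["rate"]):
            reasons.append("anomaly:request-rate")
        if not reasons:
            return "forward", None
        alert = f"{event['src']} {' '.join(reasons)}"
        # Same detection engine; only the control differs (detective vs preventive).
        return ("drop" if self.mode == "ips" else "forward"), alert

def evaluate(sensor, events):
    """Tally tp/fp/fn/tn over events carrying ground-truth labels."""
    tally = Counter()
    for ev in events:
        flagged = sensor.inspect(ev)[1] is not None
        if flagged:
            tally["tp" if ev["malicious"] else "fp"] += 1
        else:
            tally["fn" if ev["malicious"] else "tn"] += 1
    return dict(tally)

# Constructed data: learning-period rates, then six labelled requests.
BASELINE = [10, 12, 9, 11, 10, 13, 11, 10]
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "payload": "GET /index.html", "rate": 11, "malicious": False},
    {"src": "203.0.113.9", "payload": "GET /../../etc/passwd", "rate": 10, "malicious": True},
    {"src": "203.0.113.9", "payload": "id=1' UNION SELECT user,pass FROM users--", "rate": 12, "malicious": True},
    # No signature exists for this payload: a false negative for signature matching.
    {"src": "198.51.100.7", "payload": "GET /api?tpl=%7B%7B7*7%7D%7D", "rate": 10, "malicious": True},
    # A scanner hammering the server: caught by the rate baseline instead.
    {"src": "198.51.100.7", "payload": "GET /robots.txt", "rate": 90, "malicious": True},
    # Nightly export job: legitimate but unusual, so anomaly detection flags it (false positive).
    {"src": "10.0.0.20", "payload": "GET /export.csv", "rate": 60, "malicious": False},
]

if __name__ == "__main__":
    detector = AnomalyDetector(BASELINE)
    for mode in ("ids", "ips"):
        sensor = Sensor(mode, detector)
        print(mode.upper(), evaluate(sensor, SAMPLE_EVENTS))
        for ev in SAMPLE_EVENTS:
            verdict, alert = sensor.inspect(ev)
            print(f"  {verdict:<7} {alert or '-'}")
```

Both modes produce the same tally (3 true positives, 1 false positive, 1 false negative, 1 true negative) because detection is identical; what changes is the verdict column, where only the IPS turns the export job's false positive into dropped business traffic. Raising the anomaly threshold would clear that false positive at the cost of letting a quieter scanner through, which is the tuning trade-off the exam describes.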

Key exam facts — Network+

  • IDS = passive monitoring, alerts only; IPS = inline, blocks malicious traffic
  • NIDS/NIPS = network traffic; HIDS/HIPS = host system behavior
  • Signature-based: fast, known attacks only; Anomaly-based: detects unknowns, higher false positives
  • False positive: legitimate traffic flagged as malicious; False negative: attack not detected
  • IDS deployed out-of-band (SPAN port); IPS deployed inline
  • IPS fail-open: traffic allowed on failure; fail-closed: traffic blocked on failure
  • Alert fatigue: too many false positives cause admins to ignore real alerts

Common exam traps

An IDS blocks malicious traffic

An IDS only detects and alerts; it does not block traffic. An IPS blocks malicious traffic inline. The key differentiator is passive detection (IDS) vs active prevention (IPS).

Signature-based IDS can detect all attacks

Signature-based detection only identifies attacks with known signatures. Zero-day attacks and novel variations have no signatures and will not be detected. Anomaly-based detection complements signature-based detection for unknown threats.

Practice questions — IDS and IPS

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A security team wants to monitor network traffic for attacks without risking blocking legitimate traffic during an initial deployment. Which security control should be deployed?

A. IPS in inline mode
B. IDS in passive mode
C. Stateful firewall
D. Host-based IPS

Correct answer: B. An IDS in passive mode monitors and alerts without blocking traffic, so there is no risk of disrupting legitimate traffic during tuning. Once signatures and thresholds are calibrated to reduce false positives, the team can transition to an IPS for active prevention. An inline IPS (A) risks blocking legitimate traffic before tuning, and a host-based IPS (D) blocks on the endpoint for the same reason. A stateful firewall (C) filters on connection state and port/protocol rules; it does not inspect traffic for attack signatures.

Frequently asked questions — IDS and IPS

What is a honeypot and how does it relate to IDS?

A honeypot is a decoy system designed to attract and deceive attackers — it appears to be a legitimate, valuable target but is actually monitored and isolated. When an attacker interacts with a honeypot, every action is logged as high-confidence malicious activity (no legitimate user should ever touch it). Honeypots complement IDS by generating high-fidelity alerts and providing intelligence on attacker techniques.
