IDS and IPS Placement for Network Protection by Robert Drum on 23/05/06

Intrusion Detection and Intrusion Prevention Systems, IDS and IPS respectively, are mature network-level defenses deployed in thousands of computer networks worldwide. The basic difference between the two technologies lies in how they provide protection for network environments.

Intrusion Detection Systems (IDS) analyze network traffic and generate alerts when malicious activity is discovered. They are generally able to reset TCP connections by issuing specially crafted packets after an attack has begun, and some can even interface with firewall systems to rewrite firewall rulesets on the fly. The limitation of Intrusion Detection Systems is that they cannot preempt network attacks, because IDS sensors are built on packet-sniffing technology that only watches network traffic as it passes by.
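The placement difference described above is easiest to see in a small simulation. The following Python is an added example, not code from the article or from any IDS/IPS product: it models a passive sensor on a tap or SPAN port (which sees a copy of each packet after it is already on its way to the host) next to an inline sensor sitting in the forwarding path. The packet stream, the single byte-pattern signature and the flow labels are all constructed for the example, and the "reset" of a flow is simplified to "later segments on that flow are discarded".

```python
from dataclasses import dataclass

@dataclass
class Packet:
    flow: str       # constructed flow label, e.g. "10.0.0.5:4242->10.0.0.9:80"
    seq: int        # position in the stream, used to show what the host received
    payload: bytes

# Constructed signature table: one illustrative byte pattern that a sensor
# would match against each packet payload (not a real rule from any product).
SIGNATURES = {"demo-sig-1": b"EVIL_MARKER"}

def matching_signatures(pkt: Packet) -> list[str]:
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]

def passive_sensor(packets: list[Packet]):
    """IDS on a tap/SPAN port.

    Each packet has already been delivered to the host by the time the sensor
    inspects its copy. The sensor can alert and then reset the flow, so later
    segments are suppressed, but the triggering packet always gets through.
    """
    delivered, alerts, reset_flows = [], [], set()
    for pkt in packets:
        if pkt.flow in reset_flows:
            continue                     # connection was torn down after the alert
        delivered.append(pkt.seq)        # already forwarded; the sensor only watches
        hits = matching_signatures(pkt)
        if hits:
            alerts.append((pkt.seq, hits))
            reset_flows.add(pkt.flow)    # reactive: reset issued after the fact
    return delivered, alerts

def inline_sensor(packets: list[Packet]):
    """IPS in the forwarding path.

    The packet is inspected before it is forwarded, so a match is dropped and
    the host never receives it; the flow is blocked from that point on.
    """
    delivered, alerts, blocked_flows = [], [], set()
    for pkt in packets:
        if pkt.flow in blocked_flows:
            continue
        hits = matching_signatures(pkt)
        if hits:
            alerts.append((pkt.seq, hits))
            blocked_flows.add(pkt.flow)
            continue                     # preemptive: dropped, never delivered
        delivered.append(pkt.seq)
    return delivered, alerts

# Constructed sample stream: flow A carries a benign segment, then one that
# matches the signature, then another benign one; flow B is entirely benign.
SAMPLE_STREAM = [
    Packet("A", 1, b"GET /index.html"),
    Packet("A", 2, b"GET /?q=EVIL_MARKER"),
    Packet("A", 3, b"GET /next.html"),
    Packet("B", 10, b"GET /about.html"),
]

def compare(packets: list[Packet] = SAMPLE_STREAM) -> dict:
    """Run both sensor models over the same stream and report what reached the host."""
    passive_delivered, passive_alerts = passive_sensor(packets)
    inline_delivered, inline_alerts = inline_sensor(packets)
    return {
        "passive_delivered": passive_delivered,
        "passive_alerts": passive_alerts,
        "inline_delivered": inline_delivered,
        "inline_alerts": inline_alerts,
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Both sensors raise the same alert on segment 2 of flow A, but only the inline sensor keeps that segment away from the host; the passive sensor's reset stops segment 3, which is the best a tap-based IDS can do. That gap, one delivered packet, is exactly why an IDS cannot preempt an attack and an IPS can.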

