We are working on a project that is for our company. We have about 1000 computers, 30 servers and 10 locations. Any thoughts here on how to compare the 2 technologies?

Intrusion Detection System vs Intrusion Prevention System. So that's the difference. An IDS is passive, an IPS is reactive. denyhosts, the popular Linux app, is an IPS, because after it detects X number of failed logins - it shuts the IP address out. Whereas Snort is generally an IDS because it detects an anomaly and sends out alerts. So my question is - do you have sysadmins in the office at all times, or on very close call? If so, you may want an IDS and a plan to react to attacks/intrusions. If you don't, you may want an IPS. Some people don't like the idea of IPSs because it's too 'skynet' - the system is acting on its own, shutting down IPs and ports and so on. But some people don't like the idea of paying someone to be on call 24/7 also.

Another difference is that an IPS is in-line, so all traffic is passing through it. An IDS is typically working off of a port span, or replicated traffic from a switch. I agree with Tom on the above statement, most people don't like IPS because of the "skynet" attitude. You could end up blocking legitimate traffic with an IPS. However, if you don't have the staff on-hand to react to threats detected by an IDS, then an IPS is beneficial. My company works with Alert Logic a lot, and they do IDS only, but have a SOC (security operations center) to react to the IDS. The question is do the staff that the SOC alerts know what to do with that information? Does the staff know how to block the IP or ports, etc? In short, if you have a company with dedicated security admins, an IDS is a better choice. If your company has system administrators, then an IPS might be a better choice.
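The alert-only versus block-on-threshold behaviour that both answers describe, as an added example that is not part of the original thread and is not denyhosts' or Snort's own code. The log lines, the `process` function, the threshold and the allowlist are all constructed assumptions; the allowlist illustrates the "blocking legitimate traffic" concern raised above.

```python
import re
from collections import Counter

# Constructed sshd-style log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Jan 10 03:12:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan 10 03:12:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Jan 10 03:12:04 gw sshd[812]: Failed password for alice from 198.51.100.20 port 5100 ssh2
Jan 10 03:12:05 gw sshd[811]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jan 10 03:12:06 gw sshd[812]: Failed password for alice from 198.51.100.20 port 5101 ssh2
Jan 10 03:12:07 gw sshd[811]: Failed password for root from 203.0.113.7 port 4025 ssh2
Jan 10 03:12:08 gw sshd[812]: Failed password for alice from 198.51.100.20 port 5102 ssh2
Jan 10 03:12:09 gw sshd[812]: Accepted password for alice from 198.51.100.20 port 5103 ssh2
Jan 10 03:12:10 gw sshd[813]: Failed password for bob from 192.0.2.5 port 6000 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})"
)

def process(lines, threshold=3, mode="ids", allowlist=frozenset()):
    """Return (alerts, blocked) for a stream of log lines.

    mode="ids": passive, only records an alert when a source hits the threshold.
    mode="ips": reactive, also adds the source to the block set unless allowlisted.
    """
    failures = Counter()
    alerts, blocked = [], set()
    for line in lines:
        match = FAILED.search(line)
        if not match:
            continue
        ip = match.group(1)
        if ip in blocked:
            continue  # an in-line IPS has already cut this source off
        failures[ip] += 1
        if failures[ip] == threshold:  # fire once per source
            alerts.append(ip)
            if mode == "ips" and ip not in allowlist:
                blocked.add(ip)
    return alerts, blocked

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("IDS:", process(lines, mode="ids"))
    print("IPS:", process(lines, mode="ips"))
    # Hypothetical office gateway kept out of automatic blocking.
    print("IPS + allowlist:", process(lines, mode="ips", allowlist={"198.51.100.20"}))
```

In IPS mode without the allowlist, the user who mistyped a password three times is locked out alongside the brute-force source; in IDS mode both only appear as alerts for staff to act on.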
