NIDS/NIPS
Title of test: NIDS/NIPS
Description: NIDS/NIPS
Passive device; detects intrusions and sets off an alert.

Actively prevents intrusions - you can set it to detect some types of things, and prevent others.

The NIPS just examines a copy of the traffic; it doesn't sit in the middle.

Goes along with passive monitoring, and sends out a TCP reset to close the session and not let it back in; but again, it's after the fact and it doesn't work with UDP, it's TCP only.

More common and effective; actually sits in the middle of the traffic flow.

To ID attacks, the IPS device looks for exact signatures of problems and prevents based on matching.

Commonly uses artificial intelligence and data mining to identify malicious network traffic.

To ID attacks, the IPS looks for strange behavior.

To ID attacks, the IPS reviews based on defined characteristics obtained through AI - a very sophisticated method - relies on "known" or previously identified viruses.

What to let in, what to keep out - could be thousands of rules defined in the IPS - configure carefully or you'll get bombed with false positives and alerts.

Mistaken identity - it's really not a problem.

Malicious traffic was allowed - this is much more of a problem, obviously - antivirus should then catch it.