Differentiating between NIDS and NIPS

At first sight, the two solutions seem quite similar; the clear difference is that one is a passive monitoring and detection system that limits itself to raising an alarm on an anomaly or signature match, while the other is an active prevention system that takes proactive action when it detects a malicious packet, by dropping it.

Usually, a NIPS is inline (between the firewall and the rest of the network) and takes proactive action based on the set of rules provided to it. In the case of a NIDS, the device/computer is usually not inline but receives mirrored traffic from a network tap or a mirrored (SPAN) port.

The network overhead in the case of a NIPS is more than that of a NIDS.

Another issue with a NIDS is that by the time an intruder hits the system and the administrator is informed, the intruder has already infiltrated the system to a good extent, thereby making a simple situation extremely dire.

While stability is paramount in both systems, the consequence of a NIDS crash is a blind spot in network security for the duration of the downtime. In the case of a NIPS crash, however, the whole network may go down, with serious consequences.

An IDS can be used in active mode, which tends to blur the difference between an IPS and an active IDS. An active IDS can be configured to drop packets based on certain criteria, or even to redirect traffic via a network device.
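The behavioural differences described above (passive NIDS on a mirror port, inline NIPS, active IDS, and what each does when the sensor itself fails) can be made concrete with a small simulation. The following is an added example, not code from the book; the packets, the two signature patterns, the rule names and the fail-open/fail-closed flag are all constructed for illustration and do not correspond to any real product's rule set.

```python
"""Toy model of NIDS (passive, mirrored traffic) versus NIPS (inline) deployment.

Constructed example: packets are byte strings, a "signature" is a plain
substring match, and a sensor crash is simulated with a boolean flag.
"""
from dataclasses import dataclass, field

# Constructed signature set (hypothetical rule names, not real IDS rules).
SIGNATURES = {
    b"/etc/passwd": "path-traversal-attempt",
    b"' OR 1=1": "sqli-attempt",
}


@dataclass
class Sensor:
    """Signature-matching engine shared by all deployment modes."""
    signatures: dict
    up: bool = True  # False simulates a crash of the sensor process

    def inspect(self, payload: bytes):
        """Return the matching rule name, or None if the payload looks clean."""
        for pattern, rule in self.signatures.items():
            if pattern in payload:
                return rule
        return None


@dataclass
class Result:
    delivered: list = field(default_factory=list)  # packets that reached the host
    alerts: list = field(default_factory=list)     # (rule, payload) raised by the sensor
    dropped: list = field(default_factory=list)    # packets blocked before delivery


def run_nids(packets, sensor):
    """Passive NIDS on a tap/mirror port: the real packet is always forwarded;
    the sensor only sees a copy and can only raise alerts."""
    res = Result()
    for pkt in packets:
        res.delivered.append(pkt)  # forwarding never depends on the sensor
        if sensor.up:
            rule = sensor.inspect(pkt)
            if rule:
                res.alerts.append((rule, pkt))
        # Sensor down: traffic still flows, but nothing is logged (blind spot).
    return res


def run_active_ids(packets, sensor):
    """Active IDS: still off-path, so the triggering packet is already delivered
    when the alert fires, but the IDS then asks the firewall to block that rule."""
    res = Result()
    firewall_block = set()  # rule names the (simulated) firewall now drops
    for pkt in packets:
        blocked = any(pattern in pkt
                      for pattern, rule in sensor.signatures.items()
                      if rule in firewall_block)
        if blocked:
            res.dropped.append(pkt)
            continue
        res.delivered.append(pkt)
        if sensor.up:
            rule = sensor.inspect(pkt)
            if rule:
                res.alerts.append((rule, pkt))
                firewall_block.add(rule)
    return res


def run_nips(packets, sensor, fail_open=False):
    """Inline NIPS: every packet passes through the sensor before delivery.
    A crashed sensor either blocks everything (fail-closed, the default here)
    or passes everything uninspected (fail-open)."""
    res = Result()
    for pkt in packets:
        if not sensor.up:
            (res.delivered if fail_open else res.dropped).append(pkt)
            continue
        rule = sensor.inspect(pkt)
        if rule:
            res.alerts.append((rule, pkt))
            res.dropped.append(pkt)  # the packet never reaches the host
        else:
            res.delivered.append(pkt)
    return res


# Constructed sample traffic: three benign-looking requests and three that match.
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1",
    b"GET /../../etc/passwd HTTP/1.1",
    b"POST /login user=admin' OR 1=1--",
    b"GET /about.html HTTP/1.1",
    b"GET /../../../etc/passwd HTTP/1.1",
]

if __name__ == "__main__":
    healthy = Sensor(SIGNATURES)
    crashed = Sensor(SIGNATURES, up=False)
    runs = [
        ("NIDS (healthy)", run_nids(SAMPLE_PACKETS, healthy)),
        ("Active IDS (healthy)", run_active_ids(SAMPLE_PACKETS, healthy)),
        ("NIPS (healthy)", run_nips(SAMPLE_PACKETS, healthy)),
        ("NIDS (crashed)", run_nids(SAMPLE_PACKETS, crashed)),
        ("NIPS (crashed, fail-closed)", run_nips(SAMPLE_PACKETS, crashed)),
    ]
    for name, res in runs:
        print(f"{name}: delivered={len(res.delivered)} "
              f"alerts={len(res.alerts)} dropped={len(res.dropped)}")
```

Running it shows the trade-offs in numbers: the NIDS delivers all five packets and merely alerts on three; the NIPS delivers only the two clean ones; the active IDS lets the first matching packet through before the firewall rule takes effect, so one repeat is blocked but the original hit already landed; and with the sensor crashed the NIDS delivers everything silently while a fail-closed NIPS delivers nothing at all.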

These days, there is a tremendous overlap between firewalls, NIPS, and NIDS. In fact, for some time, manufacturers have been working to combine all of these into a single product, and a number of such combined Unified Threat Management (UTM) devices are now available on the market.
