JPMARTIN
Newcomer I

IDS vs IPS: Active Response Confusion in CISSP Materials

Hello everyone,

 

I hope I’m posting this in the right place. I looked through the different sections, and since my question is quite technical, the Tech Talk forum seemed appropriate. Please let me know if it would be better suited elsewhere.

 

I’m currently preparing for the CISSP using multiple resources, including the official study guide by Mike Chapple. While studying Chapter 17 (Domain 7 – Security Operations), I came across a section discussing IDS and IPS.

 

The book clearly explains that an IDS can rely on both signature-based (knowledge-based) detection and behavior-based detection. So far, so good.

 

However, in the section specifically titled “IDS Response”, it mentions that an IDS can have:

 

  • A passive response (e.g., alerting/notification), and
  • An active response, where it may modify the environment (for example, updating firewall ACLs to block traffic from a malicious IP).

This suggests that an IDS is not strictly limited to passive behavior.

 

That said, I encountered a practice question (from the official practice tests by the same author) where the correct answer implied that an IDS is always passive, and that only an IPS provides active responses.

 

I understand the nuance often mentioned: when an IDS performs active responses, it is sometimes considered to be functioning as an IPS. I also understand the architectural distinction — an IPS is inline and can block traffic in real time, whereas an IDS is typically out-of-band (e.g., via a SPAN port), observing traffic rather than directly controlling it.

 

Still, from a technical standpoint, I’m struggling with the apparent contradiction:

 

  • The study guide states that an IDS can take active actions (like modifying firewall rules),
  • Yet exam-style questions seem to treat IDS as strictly passive.

 

So my questions are:

 

  • For CISSP exam purposes, should we always treat IDS as passive and IPS as active, even if that simplifies reality?
  • Is the distinction primarily about inline vs out-of-band architecture, rather than the actual capability to trigger changes in the environment?
  • Or is the idea that any “active response” effectively reclassifies the system as an IPS?

I’m trying to reconcile the theoretical explanation with the exam expectations, especially since both sources come from the same author.

 

Thanks in advance for your insights!

 

JP
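The inline vs. out-of-band distinction described above (an IDS watching a SPAN-port copy of the traffic, an IPS sitting in the path), as an added example that is not part of the original thread: a small Python simulation over constructed sample traffic (hypothetical addresses and a made-up signature string) showing that an out-of-band IDS's "active response" of pushing a firewall rule only takes effect after the first matching packet has already been forwarded, whereas an inline IPS drops it before delivery.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    payload: str

# Constructed sample traffic: benign requests from 10.0.0.5 and two
# packets from 198.51.100.7 (documentation range) carrying a made-up
# signature string that both sensors match on.
SIGNATURE = "EXPLOIT-SIGNATURE"
TRAFFIC = [
    Packet("10.0.0.5", "GET /index.html"),
    Packet("198.51.100.7", "EXPLOIT-SIGNATURE"),
    Packet("198.51.100.7", "EXPLOIT-SIGNATURE"),
    Packet("10.0.0.5", "GET /about.html"),
]

def matches(pkt):
    """Knowledge-based (signature) detection on the payload."""
    return SIGNATURE in pkt.payload

def run_out_of_band_ids(traffic):
    """IDS on a SPAN port: the switch forwards each packet and the sensor
    sees a copy afterwards. Its 'active response' is to alert and push a
    block entry to the firewall, which only affects later packets."""
    firewall_block = set()
    alerts, delivered = [], []
    for pkt in traffic:
        if pkt.src in firewall_block:
            continue  # firewall ACL now drops this source
        delivered.append(pkt)  # forwarded before the sensor sees the copy
        if matches(pkt):
            alerts.append(pkt.src)
            firewall_block.add(pkt.src)  # active response: update firewall
    return alerts, delivered

def run_inline_ips(traffic):
    """IPS inline: inspects each packet before forwarding and drops matches
    in real time, so no matching packet reaches the destination."""
    alerts, delivered = [], []
    for pkt in traffic:
        if matches(pkt):
            alerts.append(pkt.src)
            continue  # dropped before delivery
        delivered.append(pkt)
    return alerts, delivered

def leaked(delivered):
    """Number of signature-matching packets that reached the destination."""
    return sum(1 for p in delivered if matches(p))
```

Running both over the same traffic, the IDS path delivers the first malicious packet (one leak) before its firewall update stops the second, while the IPS path delivers none; the trade-off is that an IPS false positive would drop legitimate traffic, which is the "Risk" row in the usual comparison.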

4 Replies
dcontesti
Community Champion

Without actually seeing the material, it is a little difficult to know what the author may/may not have meant.

 

My understanding is that an IDS is indeed a passive monitoring tool that identifies potential threats and alerts administrators and, IF integrated with a FIREWALL, can send instructions to the Firewall to update its policies. The IDS is still passive and still alerting.

 

Others, I could be wrong?  Also, let's ask the team at ISC2 their opinion.  @CBMExamTeam your thoughts?

 

d

JPMARTIN
Newcomer I

Thank you for your quick reply.

Unfortunately, I have read so many questions that I cannot trace it back ahah.

 

So, despite the fact that an IDS could definitely send instructions to a FW, it does not make it an active device because it is not inline with the traffic (which, in this case, would be considered an IPS)?

 

I thought passive = alerting, active = taking action like sending instructions, even if it is not real time because it is on the SPAN port.

 

Thanks again,

JP

dcontesti
Community Champion

I found this table, hopefully, it helps.

 

Feature         | IDS (Passive)             | IPS (Active)
----------------|---------------------------|------------------------------
Primary Action  | Detects and Alerts        | Detects and Prevents
Placement       | Out-of-band (Passive)     | Inline (Active)
Response        | Manual                    | Automated
Risk            | Minimal impact on traffic | Potential for false positives
Goal            | Visibility                | Protection
JPMARTIN
Newcomer I

It does! And the comprehensive view you just shared comforts me, as I do have the same understanding.

Thank you!