An
IPS is deployed inline — actively blocking detected attacks by dropping malicious packets. Contrast with IDS (passive, only alerts). Both can be signature-based or anomaly-based.
IPS: inline, active blocking (like a firewall with deep inspection). IDS: out-of-band, passive alerting (no blocking, no performance impact). IPS must fail-closed (block all) or fail-open (pass all) if it fails — choose based on environment. False positives in IPS block legitimate traffic.