If someone asked how they would get started with intrusion detection. The first thing you would need to know whether they wanted to just detect threats or detect and block. An IDS or intrusion detection system is the ability to monitor if an intrusion has happened. This is considered a passive type of system. An IPS or intrusion prevention system extends the IDS by allowing it to not only detect but block detected attacks (Palo Alto Networks, 2016). These systems although very closely related are very different and understanding the benefits will be the first way of getting closer to selecting a appliance.
Also knowing if you needed an appliance to sit inline or outside the direct line of communication to your network is also important. IDS sit out of the direct line of communication while IPS sit directly inline. This matters greatly due to how the IPS will detect based off of rules like a firewall in reverse. Enterprise firewalls allow specific packets and deny everything else. IPS will see a packet and look down a list of rules to deny and then finally allow a packet. An IDS will look at specific points in the network. You can compare the IDS to a protocol analyzer that returns excruciating amounts of detailed information about a network given the security engineer more granular visibility (Snyder, n.d.).
My recommendation would be to stay away from the hybrid appliances that combine the two concepts of IPS and firewall. Unless you’re only trying to protect a small set of computers on a network much like a small branch office. An IDS will allow you to have more visibility while the IPS gives more control overall.
Top 3 Free IDS Software Applications
Palo Alto Networks. (2016). Retrieved from https://www.paloaltonetworks.com/documentation/glossary/what-is-an-intrusion-detection-system-ids
Snyder, J.Retrieved from http://searchsecurity.techtarget.com/Do-you-need-an-IDS-or-IPS-or-both
Vacca, J. R. (2013). Computer and information security handbook. Amsterdam: Morgan Kaufmann Publishers is an imprint of Elsevier.