Intrusion detection systems (IDSs) generally operate in one of two modes. In “promiscuous” mode, the IDS monitors incoming network traffic to determine whether a particular pattern characteristic of an intrusion can be observed. In “in-line” mode, network traffic is scanned by the IDS to determine whether it contains a hostile signature. If a hostile signature is detected, the IDS prevents the network from receiving the traffic.
In at least some implementations of the in-line mode, packets travel from a network interface card (NIC) to a processing CPU over a relatively slow bus. A packet then travels back to the NIC after it has been determined whether the packet poses a security risk. This introduces significant overhead and performance limitations and provides for multiple points of failure.