An IPS is typically deployed “in-line” where they sit in the direct communication path between the source and the destination, where it can analyze in “real-time” all the network traffic flow along that path and take automated preventive action. The IPS can be deployed anywhere in the network but their most common deployments are:
- Enterprise Edge, Perimeter
- Enterprise Data Center
An IPS can be deployed as a best of breed, standalone IPS or the same capability can be turned on in the consolidated IPS function inside a next-generation firewall (NGFW). An IPS uses signatures which can be both vulnerability or exploit specific to identify malicious traffic, Typically, these are either signature-based detection or statistical anomaly-based detection to identify malicious activity.
- Signature-based detection uses uniquely identifiable signatures that are located in exploit code. When exploits are discovered, their signatures go into an increasingly expanding database. Signature-based detection for IPS involves either exploit-facing signatures, which identify the individual exploits themselves, or vulnerability-facing signatures, which identify the vulnerability in the system being targeted for attack. Vulnerability-facing signatures are important for identifying potential exploit variants that haven’t been previously observed, but they also increase the risk of false positive results (benign packets mislabeled as threats).
- Statistical anomaly-based detection randomly samples network traffic and then compares samples to performance level baselines. When samples are identified as being outside of the baseline, the IPS triggers an action to prevent potential attack.
Once IPS identifies the malicious traffic that can be network exploitable it deploys what is known as a virtual patch for protection. Virtual patch, acts as a safety measure against threats that exploit known and unknown vulnerabilities. Virtual patch works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability, thereby offering coverage against that vulnerability at the network level rather than the host level.
While IDS systems monitor the network and send alerts to network administrators about potential threats, IPS systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.