An Intrusion Prevention system(IPS) is helps organizations in identifying malicious traffic and proactively blocks such traffic from entering their network. Products using IPS technology can be deployed in-line to monitor incoming traffic and inspect that traffic for vulnerabilities and exploits, and if detected then take appropriate action as defined in the security policy such as blocking access, quarantining hosts or block access to external websites that might result in a potential breach.
An IPS is typically deployed “in-line” where they sit in the direct communication path between the source and the destination, where it can analyze in “real-time” all the network traffic flow along that path and take automated preventive action. The IPS can be deployed anywhere in the network but their most common deployments are:
- Enterprise Edge, Perimeter
- Enterprise Data Center
An IPS can be deployed as a best of breed, standalone IPS or the same capability can be turned on in the consolidated IPS function inside a next-generation firewall(NGFW). An IPS uses signatures which can be both vulnerability or exploit specific to identify malicious traffic, Typically, these are either signature-based detection or statistical anomaly-based detection to identify malicious activity.
- Signature-based detection uses uniquely identifiable signatures that are located in exploit code. When exploits are discovered, their signatures go into an increasingly expanding database. Signature-based detection for IPS involves either exploit-facing signatures, which identify the individual exploits themselves, or vulnerability-facing signatures, which identify the vulnerability in the system being targeted for attack. Vulnerability-facing signatures are important for identifying potential exploit variants that haven’t been previously observed, but they also increase the risk of false positive results (benign packets mislabeled as threats).
- Statistical anomaly-based detection randomly samples network traffic and then compares samples to performance level baselines. When samples are identified as being outside of the baseline, the IPS triggers an action to prevent potential attack.
Once IPS identifies the malicious traffic that can be network exploitable it deploys what is known as a virtual patch for protection. Virtual patch, acts as a safety measure against threats that exploit known and unknown vulnerabilities. Virtual patch works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability, thereby offering coverage against that vulnerability at the network level rather than the host level.
IPS was the evolution of Intrusion Detection System(IDS). IDS technology uses the same concept of identifying traffic and some of the similar techniques with the major difference being that IPS are deployed “in-line” and IDS are deployed “off-line” or on tap where they still inspect a copy of the entire traffic or flow but cannot take any preventive action. IDS are deployed to only monitor and provide analytics and visibility into the threats on the network.
While IDS systems monitor the network and send alerts to network administrators about potential threats, IPS systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.
Fortinet’s FortiGate network firewalls deliver a comprehensive IPS solution that can be deployed as a standalone IPS or as the consolidated IPS within the network firewall. Proven and validated by NSS Labs and other third party evaluation services, FortiGate IPS delivers high security effectiveness with unparalleled IPS throughput and is available in appliance, virtual machine and cloud based.