Intrusion Prevention System (IPS)
What is an Intrusion Prevention System (IPS)?
An intrusion prevention system (IPS) identifies suspicious activity on a network and detects or blocks it before it can cause harm. IPS security technologies monitor for such activity, capture information about it, and report it to network administrators; they can also initiate preventative steps, such as configuring other network security tools to stop a possible attack or adjusting corporate security policies so that employees or guests on the network cannot engage in harmful behavior.
An IPS is an important part of protecting businesses, especially businesses that have many technologies and systems connected to networks.
How Intrusion Prevention Systems Work
An IPS is usually located behind a network firewall as an additional line of defense against malicious activity aimed at a network. Originally, the tools were standalone devices, but as the technology has evolved, the functionality is increasingly integrated into next-generation firewalls and other tools. IPS solutions must act quickly enough to stop threats in near real time, yet efficiently enough not to degrade network performance.
The solutions operate “in line,” meaning they sit in the direct communication path between a source and a destination, can analyze all network traffic flows along that path, and take automated actions based on what they find. Those actions include alerting network administrators, stopping traffic from certain source addresses, dropping dangerous packets, and adjusting connections.
Typically, the tools use either signature-based detection or statistical anomaly-based detection to identify malicious activity.
- Signature-based detection uses uniquely identifiable signatures found in exploit code. As exploits are discovered, their signatures are added to a continually growing database. Signature-based detection for IPS uses either exploit-facing signatures, which identify individual exploits themselves, or vulnerability-facing signatures, which identify the vulnerability in the system being targeted. Vulnerability-facing signatures are important for catching exploit variants that have not been observed before, but they also increase the risk of false positives (benign packets mislabeled as threats).
- Statistical anomaly-based detection randomly samples network traffic and compares the samples against performance baselines. When a sample falls outside the baseline, the IPS triggers an action to prevent a potential attack.
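The following toy inline engine combines the two detection styles described above: an exploit-facing byte-pattern signature, a vulnerability-facing rule that also catches unseen variants (and produces the false positive the text warns about), and a per-source rate check against a baseline. It is an added example, not code from the original article; the signature pattern, the port-7777 service, the addresses and the baseline are all constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # constructed stand-in for a parsed network packet
    src: str
    dst_port: int
    payload: bytes

# Exploit-facing signature: a byte pattern taken from one specific exploit.
# The pattern is constructed for this example, not a real tool marker.
EXPLOIT_SIGS = {"exploit-A-banner": re.compile(rb"EVIL-TOOLKIT/1\.0")}

def vuln_sig_long_name(pkt):
    """Vulnerability-facing signature for a hypothetical port-7777 service that mishandles a
    NAME field over 64 bytes: catches unseen exploit variants, but also benign oversized ones."""
    if pkt.dst_port != 7777:
        return None
    m = re.match(rb"NAME=([^\r\n]*)", pkt.payload)
    return "vuln-long-name" if m and len(m.group(1)) > 64 else None

class MiniIPS:
    """Inline engine: each packet gets an action ('pass', 'drop', 'block-src') and a reason."""
    def __init__(self, baseline_pps, tolerance=3.0):
        self.limit = baseline_pps * tolerance  # per-source packets per window, above baseline
        self.counts, self.blocked = Counter(), set()

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return "drop", "source-blocked"
        self.counts[pkt.src] += 1
        if self.counts[pkt.src] > self.limit:  # statistical anomaly against the baseline
            self.blocked.add(pkt.src)
            return "block-src", "rate-anomaly"
        for name, pat in EXPLOIT_SIGS.items():
            if pat.search(pkt.payload):
                return "drop", name
        hit = vuln_sig_long_name(pkt)
        return ("drop", hit) if hit else ("pass", "clean")

def demo(baseline_pps=5):
    """Constructed traffic: known exploit, unseen variant, benign-but-oversized field, flood."""
    pkts = [Packet("10.0.0.5", 80, b"GET / HTTP/1.1\r\nUser-Agent: EVIL-TOOLKIT/1.0\r\n"),
            Packet("10.0.0.6", 7777, b"NAME=" + b"A" * 200 + b"\n"),
            Packet("10.0.0.7", 7777, b"NAME=" + b"B" * 80 + b"\n"),
            Packet("10.0.0.8", 80, b"GET /index.html HTTP/1.1\r\n")]
    pkts += [Packet("10.0.0.9", 53, b"\x00" * 20) for _ in range(20)]  # 20 pkts, one source
    ips = MiniIPS(baseline_pps)
    return [ips.inspect(p) for p in pkts]
```

The third packet is the false positive: its NAME field is benign but oversized, so the vulnerability-facing rule drops it just like the real variant.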
As its name implies, IPS security is used to detect or prevent network security attacks, common examples of which are Denial of Service (DoS) attacks, brute force attacks, and exploitation of vulnerabilities. When vulnerabilities are discovered in network technologies, these systems can also help block attacks while security patches are being developed and applied.
IPS vs. IDS
IPS tools are different from intrusion detection systems (IDS), though both technologies help guard the corporate network, and both can examine network packets and compare them against databases of known security threats. The combination of the two is sometimes referred to as IDPS (Intrusion Detection and Prevention), though such a system is often called simply an IPS.
The main difference is that while IDS systems monitor the network and send alerts to network administrators about potential threats, IPS systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.
Think of IDS as a monitoring solution and IPS as a control solution: one that not only examines a network packet but also prevents its delivery based on its contents—proactively denying entry based on its knowledge of known security threats.
Both technologies help automate security tasks, enforce corporate security policies, and help maintain regulatory compliance.