What Is IPS (Intrusion Prevention System)?
Intrusion Prevention System (IPS) Definition
What is an intrusion prevention system (IPS)? IPS is a security tool or service that helps an organization identify malicious traffic and proactively blocks it from entering their network. Products using IPS technology can be deployed in-line to monitor incoming traffic and inspect that traffic for vulnerabilities and exploits. If it detects issues, an intrusion prevention system can take the appropriate action defined in the security polityand if detected then take appropriate action as defined in the security policy—such as blocking access, quarantining hosts, or preventing access to external websites that could lead to a breach.
How Intrusion Prevention Systems (IPS) Work
An IPS security service is typically deployed “in-line” where they sit in the direct communication path between the source and the destination, where it can analyze in real-time all the network traffic flow along that path and take automated preventive action. The IPS can be deployed anywhere in the network but their most common deployments locations are:
- Enterprise Edge, Perimeter
- Enterprise Data Center
An IPS can be deployed as a standalone IPS or the same capability can be turned on in the consolidated IPS function inside a next-generation firewall (NGFW). An IPS uses signatures which can be both vulnerability or exploit specific to identify malicious traffic. Typically, these employ signature-based detection or statistical anomaly-based detection to identify malicious activity.
- Signature-based detection uses uniquely identifiable signatures that are located in exploit code. When exploits are discovered, their signatures go into an increasingly expanding database. Signature-based detection for IPS involves either exploit-facing signatures, which identify the individual exploits themselves, or vulnerability-facing signatures, which identify the vulnerability in the system being targeted for attack. Vulnerability-facing signatures are important for identifying potential exploit variants that haven’t been previously observed, but they also increase the risk of false positive results (benign packets mislabeled as threats).
- Statistical anomaly-based detection randomly samples network traffic and then compares samples to performance level baselines. When samples are identified as being outside of the baseline, the IPS triggers an action to prevent potential attack.
Once the IPS identifies the malicious traffic that can be network exploitable it deploys what is known as a virtual patch for protection. Virtual patch, acts as a safety measure against threats that exploit known and unknown vulnerabilities. It works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability, thereby offering coverage against that vulnerability at the network level rather than the host level.
Types of Intrusion Prevention Systems (IPS)
There are four noteworthy types of intrusion prevention systems. Each type has its own unique defense specialty.
Network-based intrusion prevention system (NIPS) to
Typically, a network-based intrusion prevention system is placed at key network locations, where it monitors traffic and scans for cyberthreats.
Wireless intrusion prevention system (WIPS)
As you would expect, wireless intrusion prevention systems monitor Wi-Fi networks, acting as a gatekeeper and removing unauthorized devices.
Host-based intrusion prevention system (HIPS)
Installed on endpoints like PCs, host-based intrusion prevention systems monitor inbound and outbound traffic from that device only. HIPS works best in tandem with a NIPS and serves to block threats that have made it past the NIPS.
Network behavior analysis (NBA)
Not be confused with professional basketball, NBA is focused on network traffic to detect odd movement and flows that might be associated with distributed denial of service (DDoS) attacks.
Intrusion Prevention System (IPS) vs. Intrusion Detection System (IDS)
While intrusion detection systems (IDS) monitor the network and send alerts to network administrators about potential threats, intrusion prevention systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.
IPS evolved from IDS. IDS technology uses the same concept of identifying traffic and some of the similar techniques with the major difference being that IPS are deployed “in-line” and IDS are deployed “off-line” or on tap where they still inspect a copy of the entire traffic or flow but cannot take any preventive action. IDS are deployed to only monitor and provide analytics and visibility into the threats on the network.