What Is Intrusion Prevention System? Definition and Types
Intrusion Prevention System Definition
What is an Intrustion Prevention System? An essential part of Intrusion Prevention System is the network security technology that constantly monitors network traffic to identify threats. Under the general meaning of IPS, IPS technology is also an intrusion detection prevention system (IDPS).
IPS as an Adaptable Safeguard Technology for System Security
Organizations choose IPS technologies over traditional reactive network security efforts because IPS proactively detects and prevents harm from malicious traffic. IPS protection identifies potential threats by monitoring network traffic in real time by using network behavior analysis.
If an unauthorized attacker gains network access, the IPS identifies the suspicious activity, records the IP address, and launches an automated response to the threat based on rules set up in advance by the network administrator.
IPS includes anti-virus/anti-malware software, firewall, anti-spoofing software, and network traffic monitoring. Enterprises use IPS to document threats, uncover problems with security policies, and block external or insider security violations.
How Intrusion Prevention Systems (IPS) Work?
An IPS security service is typically deployed “in-line” where they sit in the direct communication path between the source and the destination, where it can analyze in real-time all the network traffic flow along that path and take automated preventive action. The IPS can be deployed anywhere in the network but their most common deployments locations are:
- Enterprise Edge, Perimeter
- Enterprise Data Center
An IPS can be deployed as a standalone IPS or the same capability can be turned on in the consolidated IPS function inside a next-generation firewall (NGFW). An IPS uses signatures which can be both vulnerability or exploit specific to identify malicious traffic. Typically, these employ signature-based detection or statistical anomaly-based detection to identify malicious activity.
- Signature-based Detection: It uses uniquely identifiable signatures that are located in exploit code. When exploits are discovered, their signatures go into an increasingly expanding database. Signature-based detection for IPS involves either exploit-facing signatures, which identify the individual exploits themselves, or vulnerability-facing signatures, which identify the vulnerability in the system being targeted for attack. Vulnerability-facing signatures are important for identifying potential exploit variants that haven’t been previously observed, but they also increase the risk of false positive results (benign packets mislabeled as threats).
- Statistical Anomaly-based Detection: This randomly samples network traffic and compares samples to performance level baselines. When samples are identified as being outside the baseline, the IPS triggers an action to prevent a potential attack.
Once the IPS identifies the malicious traffic that can be network exploitable it deploys what is known as a virtual patch for protection. Virtual patch, acts as a safety measure against threats that exploit known and unknown vulnerabilities. It works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability, thereby offering coverage against that vulnerability at the network level rather than the host level.
Potential Attacks Detected and Prevented By IPS
An IPS security solution needs to handle various types of attacks, such as:
- Address Resolution Protocol (ARP) Spoofing: This attack re-directs traffic from a legitimate system to the attacker. Fake ARP messages sent by an attacker create a link between the attacker’s MAC address and the IP address of an attacked system.
- Buffer Overflow: This attack uses vulnerabilities in the buffer overflow to overwrite memory and corrupt the execution of an application.
- Distributed Denial of Service (DDoS): A DDoS attack is a massive flood of traffic from distributed computers meant to overwhelm a system making it unavailable for legitimate requests.
- IP Fragmentation: This attack exploits datagram fragmentation mechanisms confusing the targeted system about how to reassemble TCP/UDP datagrams.
- Operating System (OS) Fingerprinting: These attacks exploit vulnerabilities in the OS.
- Ping of Death: Using a ping command, an attacker sends oversized or malformed packets that crash a system.
- Port Scanning: This is a port attack, scanning for an open, unprotected port to exploit.
- Server Message Block (SMB) Probes: This is a capture of SMB protocol authentication requests to relay them to the attacker’s host.
- Smurf: This is a DDoS attack using Internet Control Message Protocol (ICMP) packets to overwhelm a system.
- Secure Sockets Layer (SSL) Evasion: This exploits SSL and Transport Layer Security (TLS) encryption that hides malicious content to avoid detection and get past network security.
- SYN Flood: Under this attack, a considerable volume of SYN (synchronize) packets sent as connection requests overwhelm a server or firewall.
Types of Intrusion Prevention Systems (IPS)
There are four noteworthy types of intrusion prevention systems. Each type has its own unique defense specialty.
1. Network-based intrusion prevention system (NIPS)
Typically, a network-based intrusion prevention system is placed at key network locations, where it monitors traffic and scans for cyberthreats.
2. Wireless intrusion prevention system (WIPS)
As you would expect, wireless intrusion prevention systems monitor Wi-Fi networks, acting as a gatekeeper and removing unauthorized devices.
3. Host-based intrusion prevention system (HIPS)
Installed on endpoints like PCs, host-based intrusion prevention systems monitor inbound and outbound traffic from that device only. HIPS works best in tandem with a NIPS and serves to block threats that have made it past the NIPS.
4. Network behavior analysis (NBA)
Not be confused with professional basketball, NBA is focused on network traffic to detect odd movement and flows that might be associated with distributed denial of service (DDoS) attacks.
Intrusion Prevention System (IPS) vs. Intrusion Detection System (IDS)
While intrusion detection systems (IDS) monitor the network and send alerts to network administrators about potential threats, intrusion prevention systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.
IPS evolved from IDS. IDS technology uses the same concept of identifying traffic and some of the similar techniques with the major difference being that IPS are deployed “in-line” and IDS are deployed “off-line” or on tap where they still inspect a copy of the entire traffic or flow but cannot take any preventive action. IDS are deployed to only monitor and provide analytics and visibility into the threats on the network.
Top Trends in the IPS Market
Historically, IPS only reacted to cyber breaches, but this reactive stance is no longer satisfactory. IPS is now part of full network security suites, including threat monitoring, firewalls, intrusion detection, anti-virus, anti-malware, ransomware prevention, spam detection, and security analytics.
Recent trends in IPS include using AI to automate the detection process. The future of IPS technology extends network perimeter security with a multi-layered defense. Cloud IPS services perform this security function using extended detection, response, and endpoint protection.