Skip to content Skip to navigation Skip to footer

What Is Intrusion Prevention System? Definition and Types

Intrusion Prevention System Definition

What is an Intrustion Prevention System? An essential part of Intrusion Prevention System is the network security technology that constantly monitors network traffic to identify threats. Under the general meaning of IPS, IPS technology is also an intrusion detection prevention system (IDPS).

IPS as an Adaptable Safeguard Technology for System Security

Organizations choose IPS technologies over traditional reactive network security efforts because IPS proactively detects and prevents harm from malicious traffic. IPS protection identifies potential threats by monitoring network traffic in real time by using network behavior analysis.

If an unauthorized attacker gains network access, the IPS identifies the suspicious activity, records the IP address, and launches an automated response to the threat based on rules set up in advance by the network administrator.

IPS includes anti-virus/anti-malware software, firewall, anti-spoofing software, and network traffic monitoring. Enterprises use IPS to document threats, uncover problems with security policies, and block external or insider security violations.

How Intrusion Prevention Systems (IPS) Work?

An IPS security service is typically deployed “in-line” where they sit in the direct communication path between the source and the destination, where it can analyze in real-time all the network traffic flow along that path and take automated preventive action. The IPS can be deployed anywhere in the network but their most common deployments locations are:

  • Enterprise Edge, Perimeter
  • Enterprise Data Center

An IPS can be deployed as a standalone IPS or the same capability can be turned on in the consolidated IPS function inside a next-generation firewall (NGFW). An IPS uses signatures which can be both vulnerability or exploit specific to identify malicious traffic.  Typically, these  employ signature-based detection or statistical anomaly-based detection to identify malicious activity. 

  1. Signature-based Detection: It uses uniquely identifiable signatures that are located in exploit code. When exploits are discovered, their signatures go into an increasingly expanding database. Signature-based detection for IPS involves either exploit-facing signatures, which identify the individual exploits themselves, or vulnerability-facing signatures, which identify the vulnerability in the system being targeted for attack. Vulnerability-facing signatures are important for identifying potential exploit variants that haven’t been previously observed, but they also increase the risk of false positive results (benign packets mislabeled as threats).
  2. Statistical Anomaly-based Detection: This randomly samples network traffic and compares samples to performance level baselines. When samples are identified as being outside the baseline, the IPS triggers an action to prevent a potential attack.

Once the IPS identifies the malicious traffic that can be network exploitable it deploys what is known as a virtual patch for protection. Virtual patch, acts as a safety measure against threats that exploit known and unknown vulnerabilities. It works by implementing layers of security policies and rules that prevent and intercept an exploit from taking network paths to and from a vulnerability, thereby offering coverage against that vulnerability at the network level rather than the host level.

Potential Attacks Detected and Prevented By IPS

An IPS security solution needs to handle various types of attacks, such as:

  • Address Resolution Protocol (ARP) Spoofing: This attack re-directs traffic from a legitimate system to the attacker. Fake ARP messages sent by an attacker create a link between the attacker’s MAC address and the IP address of an attacked system.
  • Buffer Overflow: This attack uses vulnerabilities in the buffer overflow to overwrite memory and corrupt the execution of an application.
  • Distributed Denial of Service (DDoS): A DDoS attack is a massive flood of traffic from distributed computers meant to overwhelm a system making it unavailable for legitimate requests.
  • IP Fragmentation: This attack exploits datagram fragmentation mechanisms confusing the targeted system about how to reassemble TCP/UDP datagrams.
  • Operating System (OS) Fingerprinting: These attacks exploit vulnerabilities in the OS.
  • Ping of Death: Using a ping command, an attacker sends oversized or malformed packets that crash a system.
  • Port Scanning: This is a port attack, scanning for an open, unprotected port to exploit.
  • Server Message Block (SMB) Probes: This is a capture of SMB protocol authentication requests to relay them to the attacker’s host.
  • Smurf: This is a DDoS attack using Internet Control Message Protocol (ICMP) packets to overwhelm a system.
  • Secure Sockets Layer (SSL) Evasion: This exploits SSL and Transport Layer Security (TLS) encryption that hides malicious content to avoid detection and get past network security.
  • SYN Flood: Under this attack, a considerable volume of SYN (synchronize) packets sent as connection requests overwhelm a server or firewall.

Types of Intrusion Prevention Systems (IPS)

There are four noteworthy types of intrusion prevention systems. Each type has its own unique defense specialty.

1. Network-based intrusion prevention system (NIPS)

Typically, a network-based intrusion prevention system is placed at key network locations, where it monitors traffic and scans for cyberthreats.

2. Wireless intrusion prevention system (WIPS)

As you would expect, wireless intrusion prevention systems monitor Wi-Fi networks, acting as a gatekeeper and removing unauthorized devices.

3. Host-based intrusion prevention system (HIPS)

Installed on endpoints like PCs, host-based intrusion prevention systems monitor inbound and outbound traffic from that device only. HIPS works best in tandem with a NIPS and serves to block threats that have made it past the NIPS.

4. Network behavior analysis (NBA)

Not be confused with professional basketball, NBA is focused on network traffic to detect odd movement and flows that might be associated with distributed denial of service (DDoS) attacks.

Learn the 4 types of intrusion prevention systems

Intrusion Prevention System (IPS) vs. Intrusion Detection System (IDS)

While intrusion detection systems (IDS) monitor the network and send alerts to network administrators about potential threats, intrusion prevention systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.

IPS evolved from IDS. IDS technology uses the same concept of identifying traffic and some of the similar techniques with the major difference being that IPS are deployed “in-line” and IDS are deployed “off-line” or on tap where they still inspect a copy of the entire traffic or flow but cannot take any preventive action. IDS are deployed to only monitor and provide analytics and visibility into the threats on the network.

Top Trends in the IPS Market

Historically, IPS only reacted to cyber breaches, but this reactive stance is no longer satisfactory. IPS is now part of full network security suites, including threat monitoring, firewalls, intrusion detection, anti-virus, anti-malware, ransomware prevention, spam detection, and security analytics. 

Recent trends in IPS include using AI to automate the detection process. The future of IPS technology extends network perimeter security with a multi-layered defense. Cloud IPS services perform this security function using extended detection, response, and endpoint protection.

How Fortinet Can Help

FortiGuard IPS security service is available for NGFW (hardware, virtual machine, as-a-service) FortiClient, FortiProxy, FortiADC and our Cloud Sandbox. Add our OT and IoT services to get even more granular protection for operational technology and IoT devices.

FortiGuard IPS with NGFW offers the following:

  1. Network-based virtual patching for business applications that are hard to patch or can’t be patched. This ensures protection against vulnerabilities without interrupting operations.
  2. Accelerated FortiGuard IPS capabilities thanks to Fortinet’s purpose-built content processor (CP9) on the FortiGate, to deliver the industry’s best IPS price and performance.
  3. Extended IPS to additional capabilities like SSL inspection (including TLS 1.3) to detect hidden malware, ransomware, and other HTTPS-borne attacks.

FortiGate IPS: Protect Against Known and Zero-day Threats

FortiGuard offers a comprehensive security-driven network security service that delivers an industry-validated IPS service to enterprises. Purpose-built for enterprises and designed to deliver superior security efficacy and the industry’s best IPS performance. Powered by the AI/ML-driven threat intelligence from FortiGuard Labs.


What is an intrusion prevention system?

An essential part of Intrusion Prevention System is the network security technology that constantly monitors network traffic to identify threats.

What are the two types of intrusion prevention system?

Signature-based Detection and Statistical Anomaly-based Detection. 

What is the difference between IPS and IDS?

While intrusion detection systems (IDS) monitor the network and send alerts to network administrators about potential threats, intrusion prevention systems take more substantial actions to control access to the network, monitor intrusion data, and prevent attacks from developing.