What is an Intrusion Prevention System?
An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks. IPS solutions can also be used to identify issues with corporate security policies, deterring employees and network guests from violating the rules these policies contain.
With so many access points present on a typical business network, you must have a way to monitor for signs of potential violations, incidents, and imminent threats. Today’s network threats are becoming more and more sophisticated and able to infiltrate even the most robust security solutions.
How an IPS works
An intrusion prevention system works by actively scanning forwarded network traffic for malicious activities and known attack patterns. The IPS engine analyzes the network traffic and continuously compares the bitstream with its internal signature database for known attack patterns. An IPS might drop a packet determined to be malicious, and follow up this action by blocking all future traffic from the attacker’s IP address or port. Legitimate traffic can continue without any perceived disruption in service.
An IPS can also perform more complicated observations and analyses, such as watching for and reacting to suspicious traffic patterns or packets. Detection mechanisms can include:
- Address matching
- HTTP string and substring matching
- Generic pattern matching
- TCP connection analysis
- Packet anomaly detection
- Traffic anomaly detection
- TCP/UDP port matching
An IPS will typically record information related to observed events, notify security administrators, and produce reports. To help secure a network, an IPS can automatically receive prevention and security updates to continuously monitor and block emerging Internet threats.
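As an added illustration (not code from the original article), the following Python toy models the engine described above: a constructed signature list covering address, HTTP substring and port matching, a simple traffic-anomaly rule for port scans, the report-to-administrator step, and the drop-then-block response, with a detect-only switch that shows the alert-only IDS behaviour discussed later. All addresses, signatures and packets are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed signature database (hypothetical, not from any real IPS):
# each entry names the packet field it inspects and the pattern to match.
SIGNATURES = [
    ("bad-source-address", "src", re.compile(r"^203\.0\.113\.")),   # address matching
    ("sqli-probe", "payload", re.compile(r"(?i)union\s+select")),    # HTTP substring matching
    ("telnet-access", "dport", re.compile(r"^23$")),                 # TCP port matching
]
SCAN_THRESHOLD = 5  # distinct destination ports from one source = traffic anomaly

class Ips:
    def __init__(self, prevent=True):
        self.prevent = prevent            # False gives IDS behaviour: alert only
        self.blocked = set()              # sources whose future traffic is dropped
        self.alerts = []                  # (src, [detections]) reported to admins
        self.ports_seen = defaultdict(set)

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet (dict: src, dport, payload)."""
        src = pkt["src"]
        if src in self.blocked:           # already identified attacker
            return "drop"
        hits = [name for name, field, rx in SIGNATURES if rx.search(str(pkt[field]))]
        self.ports_seen[src].add(pkt["dport"])
        if len(self.ports_seen[src]) >= SCAN_THRESHOLD:
            hits.append("port-scan-anomaly")
        if not hits:
            return "forward"
        self.alerts.append((src, hits))   # record and notify in both modes
        if not self.prevent:
            return "forward"              # IDS: detected, but a human must act
        self.blocked.add(src)             # IPS: drop now and block the source
        return "drop"

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_TRAFFIC = [
    {"src": "198.51.100.7", "dport": 80, "payload": "GET /index.html"},
    {"src": "198.51.100.9", "dport": 80, "payload": "GET /?id=1 UNION SELECT user,pw"},
    {"src": "198.51.100.9", "dport": 80, "payload": "GET /index.html"},  # benign, source blocked
    {"src": "203.0.113.4", "dport": 443, "payload": ""},
] + [{"src": "192.0.2.5", "dport": p, "payload": ""} for p in (21, 22, 25, 110, 143)]

def run(prevent=True):
    """Run the sample traffic through the engine; return verdicts, alerts, blocked set."""
    ips = Ips(prevent)
    verdicts = [ips.inspect(p) for p in SAMPLE_TRAFFIC]
    return verdicts, ips.alerts, ips.blocked
```

Note that in prevent mode the third packet is dropped even though its content is benign, because the source was blocked after the earlier hit; a false-positive signature has the same effect on legitimate traffic, which is why signature tuning matters for an inline device.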
Types of IPS
There are four noteworthy types of intrusion prevention systems. Each type has its unique defense specialty.
- Network-based intrusion prevention system (NIPS): Typically, a network-based intrusion prevention system is placed at key network locations, where it monitors traffic and scans for cyberthreats.
- Wireless intrusion prevention system (WIPS): As you would expect, wireless intrusion prevention systems monitor Wi-Fi networks, acting as a gatekeeper and removing unauthorized devices.
- Host-based intrusion prevention system (HIPS): Installed on endpoints like PCs, host-based intrusion prevention systems monitor inbound and outbound traffic from that device only. HIPS works best in tandem with a NIPS and serves to block threats that have made it past the NIPS.
- Network behavior analysis (NBA): Not to be confused with professional basketball, NBA is focused on network traffic to detect odd movements and flows that might be associated with distributed denial of service (DDoS) attacks.
What’s the difference between an IPS and an Intrusion Detection System (IDS)?
You may have heard about a similar kind of system called an IDS, or Intrusion Detection System. The two systems are very similar, but the IPS is a newer, more proactive concept.
Both IDS and IPS can sit within the firewall and inspect traffic as it comes in, and nowadays both usually monitor outgoing traffic too.
However, the difference lies in what they do once a threat is detected – and there’s a clue in their names.
Intrusion Detection Systems merely detect these threats and alert a technician to intervene. Intrusion Prevention Systems, however, actively and independently stop potentially dangerous traffic from traveling into/around your network rather than merely shouting for help!
Why is an IPS important?
There are several reasons why an IPS is a key part of any enterprise security system. A modern network has many access points and deals with a high volume of traffic, making manual monitoring and response an unrealistic option. (This is particularly true when it comes to cloud security, where a highly connected environment can mean an expanded attack surface and thus greater vulnerability to threats.) In addition, the threats that enterprise security systems face are growing ever more numerous and sophisticated. The automated capabilities of an IPS are vital in this situation, allowing an enterprise to respond to threats quickly without placing a strain on IT teams. As part of an enterprise’s security infrastructure, an IPS is a crucial way to help prevent some of the most serious and sophisticated attacks.
Choosing the best IPS
The intrusion prevention system market has a very wide product offering, which makes choosing the best intrusion prevention system quite a difficult task. To reduce the complexity of choosing the best intrusion prevention system for you, it is essential to set a budget, define the requirements that your new system will need to fulfill, and do your research on the different intrusion prevention systems on the market. Keep in mind that an intrusion prevention system is a standalone technology and not a comprehensive security solution. While an IPS can be a valuable technology for detecting malicious activity on networks, an effective security program should leverage additional technologies and resources for data protection, endpoint security, incident response, and more.