An intrusion prevention system (IPS) is a network security and threat prevention tool. The idea behind intrusion prevention is to create a preemptive approach to network security so potential threats can be identified and responded to swiftly. Intrusion prevention systems are thereby used to examine network traffic flows in order to find malicious software and to prevent vulnerability exploits.
An IPS is used to identify malicious activity, record detected threats, report detected threats and take preventative action to stop a threat from doing damage. An IPS tool can be used to continually monitor a network in real time.
Intrusion prevention is a threat detection method that can be utilized in a security environment by system and security administrators. These tools are useful for systems as a prevention action for observed events. In addition, with many potential ways that suspicious activity can occur, it is important to have a plan in place for detecting potential attacks.
An intrusion prevention system is made to expand on the base capabilities found in intrusion detection systems (IDSes).
How do intrusion prevention systems work?
An intrusion prevention system will work by scanning through all network traffic. To do this, an IPS tool will typically sit right behind a firewall, acting as an additional layer that will observe events for malicious content. In this way, IPS tools are placed in direct communication paths between a system and network, enabling the tool to analyze network traffic.
The following are three common approaches for an IPS tool to protect networks:
- signature-based detection in which the IPS tool uses previously defined attack signatures of known network threats to detect threats and take action;
- anomaly-based detection in which the IPS searches for unexpected network behavior and blocks access to the host if an anomaly is detected; and
- policy-based detection in which the IPS first requires administrators to make security policies -- when an event occurs that breaks a defined security policy, an alert is sent to system administrators.
If any threats are detected, an IPS tool is typically capable of sending alerts to the administrator, dropping any malicious network packets, and resetting connections by reconfiguring firewalls, repackaging payloads and removing infected attachments from servers.
IPS tools can help fend off denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, worms, viruses or exploits, such as a zero-day exploit. According to Michael Reed, formerly of Top Layer Networks (acquired by Corero), an effective intrusion prevention system should perform more complex monitoring and analysis, such as watching and responding to traffic patterns, as well as individual packets. "Detection mechanisms can include address matching, HTTP [Hypertext Transfer Protocol] string and substring matching, generic pattern matching, TCP [Transmission Control Protocol] connection analysis, packet anomaly detection, traffic anomaly detection and TCP/UDP [User Datagram Protocol] port matching."
Types of intrusion prevention systems
Three types of intrusion prevention systems appear commonly. These types are the following:
- network behavior analysis (NBA), which analyzes network behavior for abnormal traffic flow -- commonly used for detecting DDoS attacks;
- network-based intrusion prevention system (NIPS), which analyzes a network to look for suspicious traffic -- typically surrounding protocols;
- host-based intrusion prevention system (HIPS), which are installed in a single host and used to analyze suspicious activity in one specific host.
In addition, there are other types of IPS tools, including ones that analyze wireless networks. Broadly speaking, however, an intrusion prevention system can be said to include any product or practice used to keep attackers from gaining access to your network, such as firewalls and antivirus software.
Benefits of intrusion prevention systems
Benefits of intrusion prevention systems include the following:
- lowering the chances of security incidents;
- providing dynamic threat protection;
- automatically notifying administrators when suspicious activity is found;
- mitigating attacks such as zero-day threats, DoS attacks, DDoS attacks and brute-force attack attempts;
- reducing maintenance of networks for IT staff; and
- allowing or denying specific incoming traffic to a network.
Disadvantages of intrusion prevention systems
Disadvantages to intrusion prevention systems include the following:
- When a system blocks abnormal activity on a network assuming it is malicious, it may be a false positive and lead to a DoS to a legitimate user.
- If an organization does not have enough bandwidth and network capacity, an IPS tool could slow a system down.
- If there are multiple IPSes on a network, data will have to pass through each to reach the end user, causing a loss in network performance.
- IPS may also be expensive.
IPS vs. IDS
IDSes are software tools made to detect and monitor network traffic. Both IPS and IDS tools will read network packets and compare their contents with known threats. However, IDS differs in what actions are taken next. An IDS tool will not take any action on its own. An IDS requires a human to analyze results and make decisions on what to do next. This is why IPS is seen as an extension to IDS.
An IDS is designed to monitor a network and to send alerts to administrators if a threat is found. However, an IPS is designed to control network access and to protect a network from harm.
Like an IDS, an IPS will monitor network traffic. However, because an exploit may be carried out quickly after the attacker gains access, intrusion prevention systems also have the ability to take immediate action, based on a set of rules established by the network administrator. For example, an IPS might drop a packet that it determines to be malicious and block all further traffic from that Internet Protocol (IP) address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient with no apparent disruption or delay of service.