Network intrusion prevention systems are security controls that monitor and analyze network traffic for malicious activity or for other actions that violate an organization's security policies. Unlike an intrusion detection system, which watches a copy of the traffic out of band and can only alert, a network intrusion prevention system sits inline in the traffic path and can drop packets or block connections that it judges too risky for the organization.
Today IPS technologies are available in three forms: dedicated hardware and software (either hardware or virtual appliances), IPS features enabled on other enterprise network security controls (e.g., next-generation firewalls), and cloud-based IPS services. Because the relative characteristics of these three forms make it difficult to compare products, this article focuses on dedicated hardware and software solutions only.
IPS capabilities provided through hardware or virtual appliances tend to be used by larger organizations. Compared to other network intrusion prevention systems, appliance-based IPS tends to be more expensive in terms of product acquisition and deployment, but there are often strong justifications for these higher costs. For example, a large organization may need to distribute the IPS workload across many devices for performance reasons, such as to avoid overloading one network security device with enormous volumes of traffic. Smaller organizations are more likely to use integrated IPS (such as enabling IPS features in a next-generation firewall) or cloud-based IPS over hardware or virtual IPS appliances because of cost and convenience.
IPS technologies provide several benefits to organizations. This article looks at three of the most significant benefits:
- Detects and stops attacks that other security controls cannot;
- Supports customization of detection capabilities to stop activity that is only of concern to a single organization; and
- Reduces the amount of network traffic reaching other security controls, which both lowers the workload for those controls and protects those controls from direct attacks.
Unique capabilities for detecting and stopping attacks
The most important benefit provided by network intrusion prevention systems is the ability to detect and stop a variety of attacks that cannot be automatically identified by firewalls, antivirus technologies and other enterprise security controls. IPS technologies combine several detection methodologies, chiefly signature-based detection, anomaly-based detection and stateful protocol analysis. Each methodology has its own strengths and weaknesses, so by leveraging the strongest capabilities of each, an IPS can detect a far wider range of attacks than any single methodology could on its own.
This is particularly important for attacks that have never been seen before. Such attacks cannot be detected by signature-based methodologies, which are the basis for many other network security controls. IPS technologies can instead establish baselines of normal activity through continual monitoring over time; subsequent deviations from these baselines can indicate attacks. This is particularly helpful for detecting distributed denial-of-service attacks, but it can also reveal malware infections within the organization through the anomalous patterns of network activity they cause, such as an internal host suddenly contacting many unfamiliar external destinations.
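The baseline-and-deviation approach described above, as an added example that is not code from the article or from any IPS product. It learns per-host flow rates over a quiet training window and then flags minutes in which a destination (volumetric flood) or a source (internal host fanning out to many destinations) exceeds its baseline. The flow records, the z-score rule and the thresholds are constructed assumptions chosen for clarity; a real IPS applies the same idea to many more features.

```python
"""Baseline-and-deviation detection over flow records (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    minute: int      # time bucket the flow started in
    src: str
    dst: str
    dport: int
    bytes_out: int


def per_minute_counts(flows, key):
    """Count flows per (key, minute), e.g. per destination or per source."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        counts[key(f)][f.minute] += 1
    return counts


def build_baseline(flows, key, train_minutes):
    """Mean and population stdev of per-minute flow counts for each key over
    the training window. Minutes without flows count as zero."""
    counts = per_minute_counts(flows, key)
    baseline = {}
    for k, by_min in counts.items():
        series = [by_min.get(m, 0) for m in train_minutes]
        baseline[k] = (mean(series), pstdev(series))
    return baseline


def detect_deviations(flows, key, baseline, minutes, z=4.0, min_abs=20):
    """Flag (key, minute, count) where the count exceeds mean + z*stdev.
    Assumed tuning: stdev is floored at 1 so a perfectly steady baseline
    does not alert on tiny changes, and min_abs is an absolute floor so
    keys never seen in training need real volume before they alert."""
    counts = per_minute_counts(flows, key)
    alerts = []
    for k, by_min in counts.items():
        mu, sigma = baseline.get(k, (0.0, 0.0))
        threshold = max(min_abs, mu + z * max(sigma, 1.0))
        for m in minutes:
            c = by_min.get(m, 0)
            if c >= threshold:
                alerts.append((k, m, c))
    return alerts


def make_sample_flows():
    """Constructed sample: 60 quiet minutes, then two anomalous minutes."""
    flows = []
    internal = [f"10.0.0.{i}" for i in range(1, 6)]
    for m in range(60):
        for h in internal:
            flows.append(Flow(m, h, "10.0.1.10", 443, 2000))
            flows.append(Flow(m, h, "10.0.1.10", 443, 2000))
            flows.append(Flow(m, h, "203.0.113.5", 443, 1500))
    # minute 60: 200 distinct sources hit the web server (DDoS-like)
    for i in range(200):
        flows.append(Flow(60, f"198.51.100.{i % 250}", "10.0.1.10", 443, 60))
    # minute 61: one internal host fans out to 50 external destinations
    for i in range(50):
        flows.append(Flow(61, "10.0.0.3", f"192.0.2.{i + 1}", 443, 300))
    return flows


def run_detection(flows, train_minutes=range(60), watch_minutes=range(60, 62)):
    """Build baselines on the training window and check the watch window,
    once keyed by destination and once keyed by source."""
    results = {}
    for name, key in (("dst", lambda f: f.dst), ("src", lambda f: f.src)):
        base = build_baseline(flows, key, train_minutes)
        results[name] = detect_deviations(flows, key, base, watch_minutes)
    return results


if __name__ == "__main__":
    for view, alerts in run_detection(make_sample_flows()).items():
        for k, m, c in alerts:
            print(f"[{view}] {k} minute {m}: {c} flows exceeds baseline")
```

Two caveats a practitioner will recognise: a baseline learned while an attack is already under way teaches the sensor that the attack is normal, so the training window has to be validated, and the same z-score rule that catches a flood will also fire on legitimate surges (a backup job, a marketing campaign) unless the baseline is retrained on a schedule and the thresholds are tuned per asset.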
Another distinguishing characteristic of network intrusion prevention systems is they typically have an extensive understanding of applications. Most network security controls can parse and analyze Web and email activity to some extent, but they lack knowledge of the individual applications carried within Web traffic, as well as application communications carried through non-Web traffic. This significantly limits their effectiveness at identifying application-borne attacks. An IPS product usually has knowledge of hundreds, if not thousands, of applications, and this provides unique attack detection capabilities involving applications.
In addition to all of these detection capabilities, some IPS products offer support for detecting and stopping even more types of attacks. For example, an IPS may offer application control, which restricts which applications are permitted to communicate across the network, much as application whitelisting on a host restricts which executables can be run. Similarly, an IPS may consume threat intelligence feeds or reputation information, enabling it to block IP addresses, domains, URLs or other entities based on their behavior in the recent past. Some network intrusion prevention systems can also extract files from network communications and analyze them in depth, for example by executing them in a sandbox, to identify malicious behavior associated with opening or running them. This is useful for stopping both known and unknown forms of attack.
Organization-specific detection capabilities
Another important benefit of network intrusion prevention systems is they can readily be customized by the organization in order to detect attacks and other activity that is specifically of interest to the organization only. An example is the use of a particular application that violates the organization's policies. Another example is the identification of a phishing attack that is specific to the organization. Because a network intrusion prevention system can support detection of attacks within so many applications, it provides a single point for security administrators to identify a wide variety of attacks, misuse and other undesirable activity.
This is particularly powerful because of the numerous detection methodologies a network intrusion prevention system supports. A security administrator who is looking for a known attack, such as a particular phishing email, can quickly write a simple signature for the IPS to identify any instances of this email. If a more sophisticated attack is to be stopped, the security administrator could configure the IPS to alert when complex patterns of application activity are observed. The extent to which an IPS supports such customization varies from product to product, but nearly every IPS offers at least some customization for its attack detection features.
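The application awareness, organization-specific policy rules and custom signatures discussed in this section and the one on unique detection capabilities, as one added example that is not code from the article or from any IPS product. It identifies the application from the first client bytes regardless of the port in use, then evaluates three organization-specific rules against each packet: a policy rule dropping a prohibited application, a content-plus-regex signature for a phishing lure, and a stateful rule that alerts only on the third login POST from one source. The protocol preambles, the rule fields, the lookalike domain `examp1e-corp.com` and every packet are constructed assumptions; a real IPS reassembles streams and carries hundreds of decoders.

```python
"""Application identification plus organization-specific rules (illustrative only)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes   # assumed already reassembled client data


def identify_app(payload: bytes) -> str:
    """Port-independent identification from leading bytes. Assumption for the
    example: a handful of well-known preambles stand in for a full decoder set."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):   # pstrlen=19 handshake
        return "bittorrent"
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"   # TLS handshake record carrying a ClientHello
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    if re.match(rb"^(EHLO|HELO) ", payload):
        return "smtp"
    return "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "alert" or "drop"
    app: Optional[str] = None         # fire only on this identified application
    content: Optional[bytes] = None   # literal substring that must be present
    pcre: Optional[bytes] = None      # regex that must match the payload
    threshold: int = 1                # stateful: fire on the Nth match per source


class Engine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.hits = defaultdict(int)  # (rule name, src) -> matches so far

    def evaluate(self, pkt: Packet):
        """Return (identified app, verdict, [(rule name, action), ...])."""
        app = identify_app(pkt.payload)
        fired = []
        for r in self.rules:
            if r.app is not None and r.app != app:
                continue
            if r.content is not None and r.content not in pkt.payload:
                continue
            if r.pcre is not None and re.search(r.pcre, pkt.payload) is None:
                continue
            if r.threshold > 1:                 # count only fully matching packets
                self.hits[(r.name, pkt.src)] += 1
                if self.hits[(r.name, pkt.src)] < r.threshold:
                    continue
            fired.append((r.name, r.action))
        verdict = "drop" if any(a == "drop" for _, a in fired) else "pass"
        return app, verdict, fired


# Constructed organization-specific rules.
ORG_RULES = [
    Rule("policy-bittorrent", "drop", app="bittorrent"),
    Rule("phish-payroll-lure", "drop",
         content=b"Subject: Payroll update required",
         pcre=rb"https?://[a-z0-9.-]*examp1e-corp\.com/"),
    Rule("login-burst", "alert", app="http", pcre=rb"^POST /login ", threshold=3),
]


def sample_packets():
    """Constructed traffic: benign GET, BitTorrent on 443, a phishing mail body,
    then three login POSTs from the same source."""
    pkts = [
        Packet("10.0.0.7", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        Packet("10.0.0.9", "203.0.113.9", 443, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"x" * 40),
        Packet("10.0.0.2", "10.0.1.25", 25,
               b"From: hr@examp1e-corp.com\r\nSubject: Payroll update required\r\n\r\n"
               b"Confirm at https://login.examp1e-corp.com/sso\r\n"),
    ]
    for i in range(3):
        pkts.append(Packet("10.0.0.4", "10.0.1.10", 80,
                           b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=a&pass=" + str(i).encode()))
    return pkts


def run(packets, rules=ORG_RULES):
    """Evaluate packets in order; returns (app, verdict, [rule names]) per packet."""
    eng = Engine(rules)
    out = []
    for p in packets:
        app, verdict, fired = eng.evaluate(p)
        out.append((app, verdict, [name for name, _ in fired]))
    return out


if __name__ == "__main__":
    for p, (app, verdict, names) in zip(sample_packets(), run(sample_packets())):
        print(f"{p.src}->{p.dst}:{p.dport} app={app} verdict={verdict} rules={names}")
```

The BitTorrent packet is caught on port 443 because the verdict depends on what the payload looks like, not on the port, which is the point of application awareness; the phishing signature fires even though the application is "unknown" because it carries no app constraint; and the login-burst rule only alerts once a source has crossed its threshold, so it is stateful across packets from the same engine instance.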
Protection of other enterprise security controls
Intrusion prevention systems can provide protection for the availability and integrity of other enterprise security controls. For example, an IPS deployed in front of another enterprise security control can analyze the incoming network traffic and block suspicious activity from reaching that security control. In some cases, this can protect the security control from being directly attacked by identifying and stopping the attack, preventing it from ever reaching its target. In other cases, this can prevent an attacker from circumventing the security control by specially crafting their activity at the application layer, network layer or elsewhere to avoid detection by other security controls.
More frequently, network intrusion prevention systems protect other security controls by assisting them in their workload. By strategically deploying IPS sensors in front of other security controls, an organization can reduce the amount of traffic reaching those controls. This, in turn, reduces the likelihood that they will be overwhelmed by high volumes of traffic, causing traffic to be slowed or even dropped altogether because of a lack of processing or network resources.
The need for network intrusion prevention systems
Network intrusion prevention systems are needed for most organizations to detect and stop network-based attacks, particularly those that cannot be detected by other enterprise security controls. IPS technologies come in multiple forms, but the form addressed by this article -- dedicated hardware and software -- is most often used by larger organizations. Although this form of IPS may involve higher costs, it also offers substantial benefits, and there are several sound justifications for using dedicated hardware and software IPS instead of or in addition to other forms of IPS.
Network IPSes offer several major benefits to organizations. First and foremost, an IPS can detect and stop attacks that other security controls cannot because it uses a combination of attack detection methodologies. These enable identification of a variety of application-borne attacks, as well as any attack identifiable through deviations from established baselines of normal activity for an organization. Other important benefits include the ability to detect attacks and other unwanted activity that is only of significance to a particular organization, and the ability to protect other enterprise security controls by preventing attacks from reaching them and reducing their workload. For these reasons, as well as others, most organizations today find network intrusion prevention systems to be an important component in their overall network security strategy.
In part one of this series, learn about the basics of network intrusion prevention systems