Introduction to Intrusion Prevention Systems (IPS)
An Intrusion Prevention System (IPS) is a network security and threat prevention technology that examines network traffic flows to detect and block vulnerability exploits. Exploits usually take the form of malicious input to a target application or service, crafted to disrupt it or to take control of the application or the machine it runs on. After a successful exploit, the attacker can crash the target application or act with all the rights and permissions held by the compromised application.
IPS and IDS – What is the difference?
When looking into IPS solutions, you may also come across Intrusion Detection Systems (IDS). Before we look at how intrusion prevention systems work, let's take a look at the difference between an IPS and an IDS.
What is an IDS?
An Intrusion Detection System is a system that monitors network traffic for suspicious activity and alerts when such activity is discovered. Some IDSs can also take action when malicious activity or anomalous traffic is detected, for example by instructing a firewall to block traffic from a suspicious IP address; at that point the line between an IDS and an IPS starts to blur.
IPS vs IDS
Most organizations have either an IDS or an IPS, and many have both, feeding their security information and event management (SIEM) system.
| Name | Intrusion Prevention System (IPS) | Intrusion Detection System (IDS) |
|---|---|---|
| Description | Monitors network traffic and alerts on suspicious activity, like an IDS, but also takes preventive action against it | Monitors network traffic for suspicious activity and alerts users when such activity is discovered |
| Location | Inline, typically between the company's firewall and the rest of its network, so that all traffic passes through it | Out of band: a network-based IDS watches a copy of the traffic (for example from a SPAN port or a tap), while a host-based IDS runs on the monitored computer itself |
| Use | Warns of suspicious activity taking place and prevents it | Warns of suspicious activity taking place, but does not prevent it |
| False positives | More serious. When an IPS mistakes legitimate traffic for a threat, it stops that traffic from entering the network, which can affect any part of the organization, not just the IT team | Usually a minor inconvenience. Although the IDS incorrectly labels legitimate traffic as malicious, it does not prevent the traffic from entering the network |
How does an IPS work?
An IPS works by scanning all network traffic that passes through it. There are a number of different threats that an IPS is designed to prevent, including:
- Denial of Service attack (DoS)
- Distributed Denial of Service attack (DDoS)
- Various types of exploits
The IPS performs real-time packet inspection, examining every packet that travels across the network. If a malicious or suspicious packet is detected, the IPS can carry out one or more of the following actions:
- Terminate the TCP session carrying the exploit and block the offending source IP address or user account from reaching the target host, the application or other network resources.
- Reprogram or reconfigure the firewall so that a similar attack is blocked in the future.
- Strip or rewrite malicious content in transit, for example by removing an infected attachment from an email or file transfer before it reaches the mail or file server.
The IPS often sits directly behind the firewall and provides a complementary layer of analysis that filters out dangerous content. Unlike its predecessor, the Intrusion Detection System (IDS), which is a passive system that scans traffic and reports back on threats, the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network. Specifically, these actions include:
- Sending an alarm to the administrator (as would be seen in an IDS)
- Dropping the malicious packets
- Blocking traffic from the source address
- Resetting the connection
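To make the IDS/IPS difference and the actions above concrete, here is an added example in Python (not code from the original page or from any product). It is a toy inline engine that applies the same signatures in two modes: IDS mode only records an alert and lets the packet through, while IPS mode drops the packet and blocks the source. The signatures, addresses and packets are constructed for illustration; the last two packets show how one false positive in IPS mode cuts off an internal user entirely, which is the cost the comparison table warns about.

```python
"""Added example: a toy inline engine showing how the same detection behaves
in IDS mode (alert only, traffic forwarded) and IPS mode (drop and block source).
Signatures, addresses and packets below are constructed for illustration."""
from dataclasses import dataclass, field
import re


@dataclass
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    payload: bytes  # application-layer bytes seen by the sensor


# Constructed signatures: name -> pattern over the payload (not a real ruleset).
# The SQLi pattern also accepts '+' so form-encoded bodies are covered.
SIGNATURES = {
    "http-dir-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-union-select": re.compile(rb"(?i)union[\s+]+select"),
}


@dataclass
class Engine:
    mode: str                                   # "ids" or "ips"
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)  # (signature, src, dst) tuples

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: pass, alert, drop, or drop+block."""
        if pkt.src in self.blocked_sources:
            return "drop"  # source was blocked by an earlier hit
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                self.alerts.append((name, pkt.src, pkt.dst))
                if self.mode == "ids":
                    return "alert"  # out of band: the packet still reaches its target
                self.blocked_sources.add(pkt.src)  # inline: reset session, block source
                return "drop+block"
        return "pass"


def run(mode: str, packets: list) -> list:
    """Push the packets through a fresh engine and return one verdict per packet."""
    engine = Engine(mode)
    return [engine.inspect(p) for p in packets]


# Constructed traffic: two requests from an external host (one exploit attempt),
# then an internal user whose legitimate wiki edit contains "UNION SELECT".
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.9", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.80", 80,
           b"POST /wiki/edit HTTP/1.1\r\n\r\ntext=how+does+UNION+SELECT+work"),
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode, SAMPLE_PACKETS))
```

In IDS mode the verdicts are pass, alert, pass, alert, pass: both hits are logged and every packet is forwarded. In IPS mode they are pass, drop+block, drop, drop+block, drop: the attacker's follow-up request is dropped, but so is the internal user's next, perfectly normal request, because the wiki edit tripped the signature and the source was blocked.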
Types of prevention
An IPS is typically configured to use several different approaches to protect the network from unauthorized access. These include:
- Signature-Based – The signature-based approach uses predefined signatures of well-known network threats. When traffic matches one of these signatures or patterns, the system takes the configured action. It is precise for known attacks but blind to new or obfuscated ones until a signature has been written for them.
- Anomaly-Based – The anomaly-based approach first learns a baseline of normal network behavior and then flags traffic that deviates from it, such as a host suddenly opening far more connections than usual. Because a statistical deviation is weaker evidence than a signature match, anomalies are often configured to raise an alert rather than to block immediately, at least until the baseline is trusted.
- Policy-Based – This approach requires administrators to encode the organization's security policies and network layout as rules, for example which hosts may reach which servers and on which ports. When an activity violates a policy, the system alerts the administrators and, in an IPS, can block it.
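The following is an added example in Python, not code from the original page or any product, that runs all three approaches from the list over one constructed minute of traffic. The signatures, the rate baseline, the access policy and the flows are made up for illustration. It shows why the approaches complement each other: the known exploit is caught by a signature, the misuse of an allowed host is caught by policy, and a port sweep against a host no policy covers is caught only by the anomaly check, which alerts rather than blocks.

```python
"""Added example: the three detection approaches from the list above, run over
constructed traffic. Signatures, the rate baseline, the policy and the flows are
all made up for illustration; none comes from a real product or ruleset."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
import re


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# 1. Signature-based: fixed patterns for known exploits. Catches only what it
#    has a pattern for, so a new or obfuscated exploit passes untouched.
SIGNATURES = {
    "dir-traversal": re.compile(rb"\.\./\.\./"),
    "shellshock": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
}


def signature_match(flow: Flow):
    """Name of the first matching signature, or None."""
    return next((n for n, p in SIGNATURES.items() if p.search(flow.payload)), None)


# 2. Anomaly-based: new connections per source per minute compared with a
#    baseline learned from normal hosts (mean + k standard deviations).
class RateBaseline:
    def __init__(self, history, k: float = 3.0):
        self.threshold = mean(history) + k * pstdev(history)

    def is_anomalous(self, count: int) -> bool:
        return count > self.threshold


# 3. Policy-based: for each protected server, which (source, port) pairs are
#    permitted. Anything else aimed at that server violates policy.
POLICY = {
    "10.0.2.20": {("10.0.1.10", 3306), ("10.0.1.11", 3306), ("10.0.3.5", 22)},
}


def policy_violation(flow: Flow) -> bool:
    allowed = POLICY.get(flow.dst)
    return allowed is not None and (flow.src, flow.dport) not in allowed


def evaluate(flows, baseline: RateBaseline):
    """One (verdict, reason) per flow. Signature and policy hits are blocked;
    anomalies only alert, since a statistical deviation is weaker evidence."""
    per_source = Counter(f.src for f in flows)   # the flow list is one minute of traffic
    results = []
    for f in flows:
        sig = signature_match(f)
        if sig:
            results.append(("block", f"signature:{sig}"))
        elif policy_violation(f):
            results.append(("block", f"policy:{f.src}->{f.dst}:{f.dport}"))
        elif baseline.is_anomalous(per_source[f.src]):
            results.append(("alert", f"anomaly:{per_source[f.src]} conns/min"))
        else:
            results.append(("pass", ""))
    return results


# Constructed baseline: per-minute new-connection counts observed on normal hosts.
BASELINE_COUNTS = [4, 5, 3, 6, 5, 4, 5, 7, 4, 5]

# Constructed minute of traffic: two legitimate flows, one known exploit, one
# policy violation, and a 12-port sweep against a host no policy covers.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 3306),
    Flow("10.0.3.5", "10.0.2.20", 22),
    Flow("203.0.113.9", "10.0.2.50", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Flow("10.0.1.11", "10.0.2.20", 22),
] + [Flow("10.0.4.77", "10.0.2.50", port) for port in range(1, 13)]

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_FLOWS, RateBaseline(BASELINE_COUNTS))
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, verdicts):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict} {reason}")
```

With the constructed baseline the anomaly threshold comes out just above 8 connections per minute, so the sweeping host at 12 is flagged while the normal hosts are not. Note that the order of checks matters in a real engine too: a cheap signature or policy decision is made before the statistical one, and the anomaly verdict is kept at alert level so that a noisy but legitimate host is not cut off on statistics alone.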
As an inline security component, the IPS must work efficiently to avoid degrading network performance, and it must work fast because exploits play out in near real time. It must also detect and respond accurately: a missed attack lets the exploit through, while a false positive blocks legitimate traffic, so both rates need to be kept low.