Unlike the more passive firewall, an intrusion prevention system (IPS) takes action to prevent or block cyberattacks. Often offered as part of a unified threat management or firewall solution, an IPS can also be deployed as a standalone product.
IPS systems inspect network communications using signatures or anomaly detection methods to identify and report suspicious attack patterns. They can also terminate connections and reconfigure your firewall to prevent future attacks.
Detection
An IPS system detects attacks that may have slipped past other security devices. The system can act in various ways when it detects a threat, including sending an alarm, dropping detected malicious packets, resetting the connection, or blocking traffic from the offending IP address.
Using anomaly-based detection, an IPS monitors network activity and compares it to an established point of reference for expected behavior. This approach can avoid false alarms caused by significant network traffic since it only looks for anomalies outside the norm.
Signature-based detection uses a database of malware patterns to compare monitored activity against. This approach is good at detecting well-known threats but can miss novel ones.
A network intrusion detection system (NIDS) monitors the behavior of all devices on a given network. It observes all passing traffic and matches it to a library of known attacks. An alert is sent to a system administrator when an attack is identified. An IPS security takes this a step further and takes preventive action. The IPS will drop the suspicious packet, close the port automatically, or refuse traffic from that IP address — all in milliseconds after it detects an attempt at an intrusion. This allows it to stop an attack before any severe damage can be done.
Prevention
An IPS goes a step further than an IDS, detecting threats and taking action to prevent them from occurring. Depending on settings and policy, this can include alerting administrators, dropping packets, terminating or resetting the connection, or even using a honeypot that lures attackers with fake high-value data.
Signature-based IPS solutions compare network traffic against a list of known indicators of compromise, such as byte sequences, malicious domain names, file hashes, and suspicious email subject lines. While this method provides the quickest detection, it can be susceptible to false positives if not carefully configured.
Behavior modeling IPSs observe regular activity and identify patterns of behavior that indicate a possible threat. These systems are much less susceptible to false positives but require significant expertise to set up and maintain.
Other IPS methods include stateful protocol analysis, which uses granular information such as application layer headers, session identifiers, and port states to detect anomalies. This can be more accurate than other techniques but requires many computing resources to track simultaneous sessions.
IPSs are typically offered as one of the capabilities in unified threat management (UTM) or next-generation firewall solutions, although they can also be standalone offerings. They work with these other security technologies to provide extra protection that can identify threats they can’t catch on their own while reducing the workload for those controls and improving their performance.
Response
IPS solutions detect and prevent attacks by filtering network communications to ensure no malicious activity reaches other security devices and controls. This improves the efficiency of security teams while enabling a more significant number of threats to be blocked.
Initially, IPS technologies were standalone products that relied on dedicated hardware and special-purpose software. This made sense at the time because IPS detection required complex and lengthy network traffic analysis. Moreover, attackers often attacked the IPS technology by flooding it with traffic to cause performance issues or hiding the threat within a legitimate activity (e.g., file hashes, byte sequences, and email subject lines).
In more recent times, however, IPS has come to be integrated into unified threat management solutions (UTM) and next-generation firewalls. This approach allows IPS to take on more responsibility for security while freeing up resources that can be allocated to other security controls.
In its most basic form, an IPS solution monitors network activity and alerts human security administrators whenever it discovers potential threats. It then takes steps to stop those incidents, such as blocking a user or the offending IP address. These actions can be automated or manual, depending on the specific system. Some systems also employ banishment vigilance, monitoring activity for signs of suspicious behavior and then turning off the offending system.
Impact
An IPS solution filters malicious activity before reaching other security devices and controls, reducing the workload for those technologies. It also helps reduce the time security teams spend responding to notifications from an IDS.
Unlike an IDS, which alerts a network administrator about a potential attack, an IPS takes proactive action to prevent that attack. It can drop a packet, close ports automatically, or refuse additional traffic from the suspicious source, among other options.
Some IPS solutions use signature-based detection to detect specific exploits. They capture unique identifiers in exploit code and add them to an expanding database. However, this method can lead to false positives (benign packets mislabeled as threats).
Other IPS solutions take a more sophisticated approach. They monitor higher-level details of network communication, like how often a particular endpoint system scans for data or the nature of the traffic to and from that device. They then use that information to watch for anomalies indicative of an attack.
The most potent IPS solutions offer advanced protection against known and unknown attacks. This type of protection includes obfuscation technology that abstracts the inner workings of a system and makes it harder for cybercriminals to access firmware using zero-day exploits. It also supports behavior-based detection, which looks for abnormal behaviors and patterns in network communications, such as a timeline-based attack that moves between hosts to target multiple vulnerabilities.
