What is an Intrusion Prevention System?
An Intrusion Prevention System (IPS) is a component of network security that monitors, identifies, and ultimately takes action to protect the network, applications, and servers from web threats and vulnerability exploits.
An IPS is an additional layer of security that is placed in-line and can automatically take protective action to mitigate harm from detected threats and attacks. Unlike the related Intrusion Detection System (IDS), which only detects and reports on threats, an IPS acts on them, aiming to prevent intrusions before they occur.
What does an IPS do?
Traditional, hardware-based IPS systems typically sit behind the firewall and monitor for vulnerability exploits, which look for and attempt to take advantage of unpatched operating systems and/or applications within the network. Intrusion prevention systems typically scan traffic immediately after it passes the firewall, and will usually stop exploit attempts before the threat reaches the switch or router level.
The intrusion prevention system is an important layer of security, particularly for businesses that struggle with security patching, run many applications, or rely on an abundance of third-party providers with differing operating systems. The more applications you have, the harder it is to keep security and maintenance patches up to date, and the more likely you are to fall victim to a vulnerability in your application or OS stack. Intrusion prevention system software adds to a business’ layered security strategy by inserting another protective layer between the firewall and the network.
Comparatively, an intrusion detection system is a more passive technology: it scans traffic and reports back on any threat detected within the network. An IPS is the opposite. The intrusion prevention system is placed in the direct path between source and destination (in-line) so that it can take quick action on potentially malicious traffic flows on their way into the network.
These actions typically include:
- Reporting and notifying system administrators and taking preventative action
- Closing weak access points and blocking harmful traffic
- Blocking specific IP addresses
- Configuring additional firewalls for prevention of future attacks
- Stopping malicious software packets from reaching the network and data
How does an IPS detect malicious activity?
There are various methods an intrusion prevention system can utilize to detect malicious activity. Signature-based detection, anomaly-based detection, and policy-based detection are the top three methods used to identify a threat.
Signature-based detection uses a repository of predefined and uniquely identifiable “signatures” that represent well-known or previously identified network threats; each signature is a distinct pattern that distinguishes one threat from another. If traffic matches a known signature, the intrusion prevention system blocks any further action. Signature-based detection itself has two variants, exploit-facing and vulnerability-facing, which share the same signature foundation but differ in their approach to detection.
- Exploit facing - malicious activity is detected based on common attack patterns.
- Vulnerability facing - detection by the identification of specific network vulnerabilities.
Anomaly-based (statistical) detection recognizes unusual network traffic by comparing it against predetermined baseline performance levels. It samples normal traffic and uses that sample as the reference for future traffic, so that abnormal events are detected instantly. If an anomaly is detected, the intrusion prevention system blocks its access to the network immediately.
The last method, policy-based detection, requires system administrators to define security policies that reflect the organization's security policies and the network setup. If any activity violates those predetermined policies, the system is triggered and the admin is alerted.
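As an added illustration (not code from this page or from any vendor's product), the following Python sketch applies the three detection methods described above to a few constructed flow records; the signatures, baseline byte counts, allowed-port policy and anomaly threshold are all assumptions chosen for the example.

```python
import re
import statistics

# Constructed sample flows (src_ip, dst_port, bytes, payload); not real traffic.
BASELINE = [900, 1100, 950, 1020, 880, 1000]   # bytes/flow seen during a "normal" period
FLOWS = [
    ("10.0.0.5", 80, 910, "GET /index.html HTTP/1.1"),                 # benign
    ("198.51.100.9", 80, 1200, "GET /img/../../../config HTTP/1.1"),   # known pattern
    ("198.51.100.9", 80, 5000, "GET /" + "A" * 4500 + " HTTP/1.1"),    # oversized request
    ("10.0.0.5", 23, 950, "telnet session"),                           # port not permitted
    ("10.0.0.9", 80, 60000, "POST /upload HTTP/1.1"),                  # far above baseline
]

# Exploit-facing signature: a pattern taken from a common attack payload (assumed).
EXPLOIT_SIGS = {"dir-traversal": re.compile(r"\.\./\.\./")}
# Vulnerability-facing signature: a condition that would hit a known weakness
# regardless of payload wording; here an oversized request line (assumed limit).
MAX_REQUEST_LINE = 4096
ALLOWED_PORTS = {80, 443}   # policy: only web traffic may enter (assumed)
Z_THRESHOLD = 3.0           # anomaly: flows this far from baseline are abnormal

def signature_check(port, payload):
    for name, rx in EXPLOIT_SIGS.items():
        if rx.search(payload):
            return ("block", f"exploit-sig:{name}")
    if port == 80 and len(payload) > MAX_REQUEST_LINE:
        return ("block", "vuln-sig:oversized-request")
    return None

def anomaly_check(nbytes, baseline=BASELINE):
    # z-score of this flow's size against the sampled baseline
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    if sd and abs(nbytes - mean) / sd > Z_THRESHOLD:
        return ("block", "anomaly:bytes")
    return None

def policy_check(port):
    # policy violations alert the admin rather than blocking outright
    if port not in ALLOWED_PORTS:
        return ("alert", f"policy:port-{port}")
    return None

def inspect(flow):
    """Return (action, reason) for one flow; ('allow', '') if nothing fires."""
    _src, port, nbytes, payload = flow
    for verdict in (signature_check(port, payload), anomaly_check(nbytes), policy_check(port)):
        if verdict:
            return verdict
    return ("allow", "")

if __name__ == "__main__":
    for f in FLOWS:
        print(f[0], f[1], *inspect(f))
```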
Threats that Intrusion Prevention Systems can prevent
- Denial of service (DoS) attacks (an attack that floods devices with traffic to cause a crash)
- Various types of exploits
- Worms (downloaded to a user’s device to infect the machine without the user’s knowledge)
- Viruses (malicious code aimed to alter the way a device operates and spread from one device to another)