Intrusion Prevention System

What is an Intrusion Prevention System?

An intrusion prevention system (IPS) is a tool used to detect malicious activity occurring over a network and/or system. Intrusion prevention systems can also be referred to as intrusion detection and prevention systems (IDPS). Intrusion prevention systems function by finding malicious activity, recording and reporting information about the malicious activity, and trying to block or stop the activity from occurring.

Intrusion prevention systems expand on the capabilities of intrusion detection systems (IDS), which serve the fundamental purpose of monitoring network and system traffic. What makes intrusion prevention systems more advanced than intrusion detection systems is that IPS are located in-line (directly in the path in which the source and destination communicate) and have the capability to prevent or block the malicious activity that is occurring.

How do Intrusion Prevention Systems Work?

Intrusion prevention systems are usually located behind a firewall to function as another filter for malicious activity. Since intrusion prevention systems are located in-line, IPS are capable of analyzing and taking automated actions on all network traffic flows. Those actions can include alerting administrators, dropping dangerous packets, halting traffic coming from the source address(es) of malicious activity, and resetting connections. It is important to note that an effective intrusion prevention system must be efficient to avoid hindering network performance. In addition, intrusion prevention systems must work quickly and accurately in order to catch malicious activity in real time and avoid false positives.

How do Intrusion Prevention Systems Detect Malicious Activity?

Intrusion prevention systems have various ways of detecting malicious activity, but the two predominant methods are signature-based detection and statistical anomaly-based detection. The signature-based detection method used by intrusion prevention systems relies on a dictionary of uniquely identifiable signatures found in the code of each exploit. There are two types of signature-based detection methods for intrusion prevention systems as well: exploit-facing and vulnerability-facing. Exploit-facing methods detect malicious activity based on common attack patterns, whereas vulnerability-facing methods attempt to detect malicious activity by identifying attempts to reach specific vulnerabilities. On the other hand, intrusion prevention systems that rely on statistical anomaly-based detection randomly sample network traffic and then compare the samples to a predetermined baseline performance level.
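As an added illustration (not code from the original page), the following Python models a minimal in-line IPS that combines the two detection methods described above: a signature dictionary matched against each packet, and a per-source packet-rate check against a predetermined baseline at the end of each sampling window. The signatures, source addresses, baseline samples and packet records are all constructed for the example.

```python
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed signature dictionary (hypothetical patterns, not real IPS rules).
SIGNATURES = {"sig-sqli": b"' OR 1=1", "sig-traversal": b"../../etc/passwd"}


@dataclass
class Packet:
    src: str        # constructed source address
    payload: bytes  # constructed application payload


@dataclass
class Verdict:
    action: str  # "forward" or "drop"
    reason: str


class InlineIPS:
    """In-line decision engine: signature match -> drop and block the source;
    per-source rate far above the learned baseline -> anomaly alert."""

    def __init__(self, baseline_rates, z_threshold=3.0):
        # baseline_rates: packets-per-window observed during a training period
        self.mean = statistics.mean(baseline_rates)
        self.stdev = statistics.pstdev(baseline_rates) or 1.0  # guard zero spread
        self.z_threshold = z_threshold
        self.blocked = set()          # sources halted after a signature hit
        self.per_source = Counter()   # packets seen per source this window

    def inspect(self, pkt):
        if pkt.src in self.blocked:
            return Verdict("drop", "source blocked after earlier signature hit")
        for sig_id, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                self.blocked.add(pkt.src)
                return Verdict("drop", f"signature {sig_id}")
        self.per_source[pkt.src] += 1
        return Verdict("forward", "no match")

    def end_window(self):
        """Anomaly check: report sources whose count deviates from the baseline
        by more than z_threshold standard deviations, then reset the window."""
        anomalies = [(src, n, round((n - self.mean) / self.stdev, 2))
                     for src, n in self.per_source.items()
                     if (n - self.mean) / self.stdev > self.z_threshold]
        self.per_source.clear()
        return anomalies


def run_demo():
    # Constructed baseline: a normal source sends about 10 packets per window.
    ips = InlineIPS(baseline_rates=[9, 10, 11, 10, 10, 9, 11, 10])
    traffic = [Packet("10.0.0.5", b"GET /index.html")] * 10
    traffic += [Packet("10.0.0.9", b"GET /?id=1' OR 1=1--"), Packet("10.0.0.9", b"GET /ok")]
    traffic += [Packet("10.0.0.7", b"SYN")] * 60  # flood-like burst from one source
    verdicts = [ips.inspect(p) for p in traffic]
    return verdicts, ips.end_window()
```

Running `run_demo()` drops both packets from the source that matched a signature and reports the bursting source as an anomaly, while the normal source is forwarded untouched.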

Intrusion Prevention System Comparison

There are four common types of intrusion prevention systems. The first type of intrusion prevention system is called a network-based intrusion prevention system (NIPS). This type of intrusion prevention system has the ability to monitor the whole network and look for suspicious traffic by reviewing protocol activity. In contrast, wireless intrusion prevention systems (WIPS) only monitor wireless networks for suspicious activity by reviewing wireless networking protocols. A third type of intrusion prevention system is called network behavior analysis (NBA). Network behavior analysis looks at network traffic in an effort to locate threats that cause unusual traffic flows, including distributed denial of service (DDoS) attacks and policy violations. The last common type of intrusion prevention system is the host-based intrusion prevention system (HIPS). A host-based intrusion prevention system is an installed software package that monitors for suspicious activity occurring within a single host.

Best Intrusion Prevention System

The intrusion prevention system market has a very wide product offering. This makes choosing the best intrusion prevention system a difficult task. In an effort to reduce the complexity of choosing the best intrusion prevention system for you, it is essential to set a budget, define the requirements that your new system will need to fulfill, and research the different intrusion prevention systems on the market. Keep in mind that an intrusion prevention system is a standalone technology and not a comprehensive security solution. While an IPS can be a valuable technology for detecting malicious activity on networks, an effective security program should leverage additional technologies and resources for data protection, endpoint security, incident response, and more.
