What is Intrusion Prevention System (IPS) ?
And how do we apply it in combination with other security controls to protect data and information systems?
Intrusion prevention system (IPS) is a security solution that continuously monitors network and computer systems for suspicious and malicious activity and takes appropriate security measures to prevent it. It is a security solution and crucial component of an organization’s security controls that continuously monitors network traffic and computer systems of malicious and suspicious activities. However, unlike intrusion detection system (IDS), an IPS stops those suspicious activities besides to detecting and generating alerts about the ongoing incidents. Moreover, IPS solutions prevent the malicious and suspicious activities before they attack other security devices and controls. These mostly automated tasks will help to minimize the tedious and manual work of security teams and complements other security controls to perform more effectively and efficiently.
An intrusion prevention systems can be a hardware device or software solution and very effective at detecting and preventing exploitation of system vulnerabilities. Furthermore, the intrusion prevention system will protect vulnerable systems from cyberattacks until security patches and updates are applied. And the IPS solutions are integrated with unified threat modeling and other security control to achieve greater security posture for organizations. That means, IPSs are important parts of a defense-in-depth security architecture of an organization.
In order to achieve the aforementioned objectives, the intrusion prevention system is deployed inline and directly in the direction of network traffic between the source and destination. This is unlike the architecture of the passive intrusion detection system, which scans a network traffic, detects and generates alerts about the security threats. And the IPS resides right behind the firewall security and actively detects, analyzes and takes automated measures on all network traffic flows that enter the internal network of an organization. Besides, it uses different techniques to identify security threats. In addition, the techniques intrusion prevention systems use include signature-based, anomaly-based and policy-based detections to name a few.
- Signature-based Detection: Uses predefined signatures of common network threats and vulnerabilities. This method matches the suspicious activity to a signature of well-known threats. The inherent problem with this technique is that it can only prevent from previously identified cyberattacks, but not new ones.
- Anomaly-based Detection: monitors and controls for abnormal or unexpected behavior by comparing random samples of network traffic and computer systems against established baseline standard.
- Policy-based Detection: requires administrators to configure security policies according to organizational security policies and block suspicious activities that violate those policies.
An intrusion prevention system prevents distributed denial of service (DDoS), denial of service (DoS), malware and various types of cyberattacks. And to prevent those and other cyberattacks, intrusion prevention systems take one or more of the following automated measures to protect the assets of an organization:
- Drop malicious and suspicious traffic
- Block traffic from source address
- Reset connections
- Configure firewalls to stop cyberattacks
- Generate and send alarm or report to administrators
The common types of intrusion prevention system (IPS) include the following:
- Network-based Intrusion Prevention System (NIPS): It controls and monitors the entire network system for unusual network traffic through analyzing network protocol activity. And it resides at the a strategic points control and monitor all network traffic and scans for security threats proactively.
- Host-based Intrusion Prevention System (HIPS): HIPS is deployed on a workstation or endpoint and examines at the inbound and outbound activity or traffic from that particular machine only. It works in combination with network intrusion prevention system (NIPS) to stop security threats that have bypassed the NIPS. And it is a software agent that operates in a single workstation for suspicious activity via scanning and analyzing events or incidents that occur within that specific host.
- Network behavior analysis (NBA): It monitors network traffic to identify security threats that generate suspicious traffic flows, such as Distributed denial of service (DDoS) attacks.
- Wireless intrusion prevention system (WIPS): Monitors and controls a wireless network or Wi-Fi based network for malicious or suspicious network traffic by mainly analyzing wireless networking protocols. And it scans the wireless network for unauthorized access and stops unauthorized access points or devices from the network.
The main difference between intrusion detection systems (IDS) and intrusion prevention system (IPS) is the security measure or action that each take when a potential security threat or incident has been detected. The intrusion prevention systems (IPS) monitor and control the access to network and computer systems and safeguard it from cyberattack. These security controls are designed to control and monitor intrusions, and take appropriate security measures to prevent or stop a cyberattack from exacerbating. Intrusion detection systems (IDS), on the other hand, are not designed to stop or block cyberattacks and will simply control and monitor network traffic and IT systems, and generate and send security alerts to administrators if a potential security threats are detected.
Some benefits of intrusion prevention system (IPS) may include the following:
- Provides dynamic security threat protection
- Meet compliance requirements
- Servers as additional layer of security
- Lowers the likelihood of security threats or incidents
- Saves time of security teams by automating tasks
- Complements or compensates other security controls
- Allows or denies specific traffic to a network