What is an intrusion prevention system (IPS)?

In simple terms, an Intrusion Prevention System (IPS), also referred to as an Intrusion Detection and Prevention System (IDPS), is a technology that monitors a network to detect malicious activity that aims to exploit a known vulnerability.

The primary goal of an Intrusion Prevention System is to detect suspicious activity or, in prevention mode (IPS), to block the threat outright. Every such attempt is reported to the network managers or Security Operations Center (SOC) staff.

Why should Intrusion Prevention Systems be used?

IPS technologies can assist in either the detection or the prevention of network security attacks, including brute force attacks, Denial of Service (DoS) attacks and vulnerability exploits. A vulnerability is a weakness in a software system, while an exploit is an actual attack that uses that vulnerability so that the attacker gains access to a system. When an exploit is announced, there is usually a small window in which attackers can exploit the vulnerability before the security patch is applied. An Intrusion Prevention System can be leveraged to block such attacks quickly.

Since IPS technologies inspect packet flows, they can also help enforce security policy by rejecting insecure protocols, including older versions of SSL or protocols that use weak ciphers.

How do Intrusion Prevention Systems work?

IPS technologies have access to packets because they are deployed as network intrusion detection systems (NIDS) or host intrusion detection systems (HIDS). A network IPS has a wider view of the entire network; it can be deployed inline within the network, or out of band as a passive sensor that obtains packets from a network TAP or SPAN port.

The detection method employed is either signature-based or anomaly-based. Predefined signatures are patterns of known network attacks; the IPS matches packet flows against each signature to determine whether the pattern is present. Anomaly-based intrusion detection uses heuristics to identify threats, such as comparing a traffic sample against a known baseline.

What’s the difference between IDS and IPS?

Early implementations were deployed in detect mode on dedicated security appliances. As the technology matured and moved into integrated Next-Generation Firewall or UTM devices, the default action became prevention of malicious traffic.

In some cases, the decision to detect or prevent depends on the confidence in the specific IPS protection. When confidence in a protection is low, false positives are more likely. A false positive is a scenario in which the IDS identifies an activity as an attack although the activity is actually acceptable behavior. For that reason, several IPS technologies can capture the packet sequences from the attack event; these can then be assessed to decide whether there actually was a threat, so that the IPS protection can be further improved.
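To make the signature-versus-anomaly distinction and the confidence-based detect-or-prevent choice concrete, here is an added Python example that is not part of the original article: a toy inline inspector that runs constructed packet records through predefined signatures, each carrying a confidence level that decides whether a match is only reported or actually blocked, and then through a size-baseline anomaly heuristic. The packet records, the signatures and the baseline are all constructed for illustration.

```python
import re
import statistics
from dataclasses import dataclass

# Constructed sample packet records: (src_ip, dst_port, payload, bytes)
PACKETS = [
    ("10.0.0.5", 80, "GET /index.html HTTP/1.1", 320),
    ("10.0.0.5", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1", 410),
    ("10.0.0.7", 443, "TLSv1.0 ClientHello", 200),
    ("10.0.0.9", 80, "GET /a HTTP/1.1", 12000),
]

@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    confidence: str  # "high" -> prevent (drop), "low" -> detect (alert only)

# Constructed signatures: a known attack pattern and a legacy-protocol policy check
SIGNATURES = [
    Signature("sql-injection-tautology", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I), "high"),
    Signature("legacy-tls-version", re.compile(r"TLSv1\.0"), "low"),
]

# Constructed baseline of normal request sizes for the anomaly heuristic
BASELINE_BYTES = [300, 320, 280, 350, 310, 290]

def signature_check(payload):
    """Return (signature name, action) for the first matching signature, else None."""
    for sig in SIGNATURES:
        if sig.pattern.search(payload):
            action = "prevent" if sig.confidence == "high" else "detect"
            return sig.name, action
    return None

def anomaly_check(nbytes, baseline=BASELINE_BYTES, k=3.0):
    """Flag a request whose size deviates more than k standard deviations from the baseline."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    return abs(nbytes - mean) > k * stdev

def inspect(packet):
    """Apply signature matching first, then the anomaly heuristic; return the verdict."""
    src, port, payload, nbytes = packet
    hit = signature_check(payload)
    if hit:
        return {"src": src, "rule": hit[0], "action": hit[1]}
    if anomaly_check(nbytes):
        return {"src": src, "rule": "size-anomaly", "action": "detect"}
    return {"src": src, "rule": None, "action": "allow"}

if __name__ == "__main__":
    for p in PACKETS:
        print(inspect(p))
```

A real IPS would also keep the matched packet sequence so the low-confidence "detect" verdicts can be reviewed and the rule tuned, as the paragraph above describes.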