An intrusion prevention system (IPS) is an automated network security device that detects potential threats by inspecting network traffic. Intrusion prevention systems can respond to threats automatically based on rules set by the network administrator or managed service provider (MSP).
An IPS’s main tasks are to detect suspicious activity, log the information, block it, and then report it.
An IPS can be used to protect computers from viruses and other malicious software and to reinforce the company firewall. Organizations can also use an IPS to identify security issues, deter attackers, and document threats. IPSs are an integral part of modern security infrastructures.
How does an intrusion prevention system work?
A network intrusion prevention system actively scans forwarded traffic to identify malicious activity and attack patterns. The IPS engine continuously analyzes network traffic and compares it with its internal signature database to identify known attack patterns. When the engine detects malicious traffic it drops it and then blocks all further traffic from the attacker’s port or IP address. Legitimate traffic continues to flow without disruption to service.
Intrusion prevention systems are capable of more complex observation and analysis, such as examining suspicious packets or traffic patterns and reacting accordingly. Common detection mechanisms include:
- Matching addresses
- Matching HTTP string and substring
- Matching generic patterns
- Analysis of TCP connections
- Anomaly detection in packets
- Traffic anomaly detection
- TCP/UDP port matching
An IPS will usually record information about observed events, notify security personnel, and generate reports. An IPS can receive security and prevention updates to help protect a network.
Intrusion Countermeasures
Many IPS are able to actively prevent a threat from succeeding by responding to it. There are many response methods that they use, including:
- Modifying the security environment, such as configuring firewalls to protect against previously unknown vulnerabilities.
- Modifying the attack’s content, such as replacing malicious parts in an email with false links or warnings about the content being deleted.
- Notifying system administrators of security breaches by sending automated alarms
- Dropping any detected malicious packets.
- Blocking traffic
- Resetting a connection
IPS Classifications
There are four main types of intrusion prevention systems:
- Network-based intrusion prevention systems (NIPS): These analyze all protocol activity throughout the network, looking for traffic that’s not trustworthy.
- Wireless intrusion prevention system: This analyzes the network protocol activity across all wireless networks and looks for suspicious traffic.
- HIPS (host-based intrusion prevention software): This is a secondary software package that monitors a single host and analyses events within it for malicious activity.
- Network behavior analysis (NBA), which examines network traffic, identifies threats, and flags unusual traffic flows. The most common threats are distributed denial-of-service attacks, various types of malware, policy abuses, and other forms of malicious behavior. Pattern matching is used to detect attacks, so an attacker can sometimes evade detection by making minor adjustments to the structure of the attack.
IPS Detection Methods
Most intrusion prevention systems employ one or more of the following detection methods: signature-based detection, statistical anomaly-based detection, or stateful protocol analysis.
Signature-based detection
Signature-based IDS monitors network packets and compares with attack patterns that have been predetermined, known as “signatures”.
Statistical anomaly-based detection
An anomaly-based IDS monitors network traffic and compares it to expected traffic patterns. A baseline determines what is normal for the network, such as what kinds of packets are sent through it and which protocols they use. If the baseline isn’t properly configured, the system may raise false positive alarms for legitimate bandwidth use.
Stateful protocol analysis detection
This method detects protocol deviations by comparing observed events to predetermined profiles of accepted activity.
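To make the detection and response flow described above concrete, here is an added toy in-line IPS engine (example code, not part of the original post): signature rules matched on port and payload, a statistical rate baseline per source, and the response from the "How does it work" section, drop the offending packet and block all later traffic from that source while other traffic keeps flowing. The two signatures, the sample traffic and the baseline values are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP address
    dst_port: int   # destination TCP/UDP port
    payload: bytes

# Signature rules: (name, destination port or None for any port, payload pattern).
# Constructed for this example; real signature sets are large and vendor-maintained.
SIGNATURES = [
    ("http-path-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("sqli-tautology", None, re.compile(rb"(?i)'\s*or\s*'1'\s*=\s*'1")),
]

class ToyIPS:
    """In-line engine: a signature hit or a rate anomaly drops the packet and blocks the source."""

    def __init__(self, baseline_pkts: int, tolerance: float = 3.0):
        # Anomaly threshold = learned baseline x tolerance. A baseline set too low
        # turns legitimate bursts into false positives, as the text warns.
        self.limit = baseline_pkts * tolerance
        self.counts = Counter()   # packets seen per source in the current window
        self.blocked = set()      # sources already blocked
        self.events = []          # (src, reason) log used for alerting and reporting

    def inspect(self, pkt: Packet) -> str:
        if pkt.src in self.blocked:
            return "blocked"      # all later traffic from a blocked source is discarded
        for name, port, pattern in SIGNATURES:
            if (port is None or pkt.dst_port == port) and pattern.search(pkt.payload):
                return self._respond(pkt, f"signature:{name}")
        self.counts[pkt.src] += 1
        if self.counts[pkt.src] > self.limit:
            return self._respond(pkt, "anomaly:rate-above-baseline")
        return "forward"          # legitimate traffic continues without disruption

    def _respond(self, pkt: Packet, reason: str) -> str:
        self.blocked.add(pkt.src)
        self.events.append((pkt.src, reason))
        return "drop"

# Constructed sample traffic: a normal web client, one signature hit, one DNS flood.
SAMPLE = (
    [Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1")] * 3
    + [Packet("10.0.0.9", 80, b"GET /../../etc/passwd HTTP/1.1"),
       Packet("10.0.0.9", 443, b"follow-up from the same source")]
    + [Packet("10.0.0.7", 53, b"query")] * 8
)

def run(packets, baseline_pkts=2):
    ips = ToyIPS(baseline_pkts)
    return [ips.inspect(p) for p in packets], ips.events
```

Lowering `baseline_pkts` makes the anomaly rule fire earlier on the same traffic, which is the false-positive risk of a badly tuned baseline.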
Intrusion Prevention Systems: Why they are important
High levels of security are essential in modern networked business environments, so that information can be trusted and communicated between organizations. An intrusion prevention system is an adaptable technology that provides system security and protection to other technologies.
Automated action can prevent intrusions without IT intervention, which means lower costs and more flexibility. Cyberattacks will become increasingly sophisticated, so it is important that protection technology adapts to these threats. SpartanTec in Wilmington NC can assist with implementing an intrusion prevention system. Give us a call today at (910) 218-9255.
SpartanTec, Inc.
Wilmington, NC 28412
(910) 218-9255
http://manageditserviceswilmington.com
Serving: Myrtle Beach, North Myrtle Beach, Columbia, Wilmington, Fayetteville, Florence, Charleston
Local areas Lake Forest, Fairlawn, Winter Park, Woodburn, Brookfield, Leland, Myrtle Grove, Murraysville, Ocean View, Kirkland