What is an Intrusion Prevention System?
An intrusion prevention system (IPS) is an automated network security device that monitors traffic and responds to the threats it recognises. Like an intrusion detection system (IDS), an IPS identifies possible threats by examining network traffic; unlike an IDS, which usually watches a copy of the traffic and can only alert, an IPS sits inline on the traffic path and can stop what it sees. Because an exploit can succeed within milliseconds of the first malicious packet, far faster than an administrator can react, an IPS applies an automated response based on rules set by the network administrator.
The main functions of an IPS are to identify suspicious activity, log relevant information, attempt to block the activity, and finally to report it.
IPS functionality overlaps with, and is often integrated into, firewalls, anti-malware software and anti-spoofing controls; a next-generation firewall typically bundles an IPS engine. Organizations also use an IPS for related purposes, such as finding gaps in security policies, documenting the threats actually seen on their networks, and deterring people from violating security policies. IPS have become a standard component of the security infrastructure of most modern organizations.
How an IPS Works
An intrusion prevention system works by inspecting the traffic it forwards for malicious activity and known attack patterns. The engine decodes each packet and compares its headers and payload against an internal signature database of known attack patterns. A packet judged malicious can be dropped, and the engine can follow up by blocking all further traffic from the attacker's IP address or port. Legitimate traffic continues without noticeable disruption, but only as long as the rules are precise: a false positive blocks real users, and because the device is inline, an overloaded or failed sensor is itself an outage unless it is configured to fail open (pass traffic uninspected) rather than fail closed.
Intrusion prevention systems can also perform more complicated observation and analysis, such as watching and reacting to suspicious traffic patterns or packets. Detection mechanisms can include:
- Address matching
- HTTP string and substring matching
- Generic pattern matching
- TCP connection analysis
- Packet anomaly detection
- Traffic anomaly detection
- TCP/UDP port matching
An IPS will typically record information related to observed events, notify security administrators, and produce reports. To keep up with new threats, an IPS can automatically download signature and rule updates from its vendor so that it continues to recognise and block emerging attacks.
Most IPS products respond to a detected threat by actively preventing it from succeeding. The response techniques include:
- Changing the security environment: for example, reconfiguring a firewall or router to block access from the attacker or to the targeted host, or tightening a host firewall on the target.
- Changing the attack's content: for example, stripping a malicious attachment from an email and delivering the rest, or replacing a malicious link with a notice about the removed content.
- Sending automated alarms to system administrators, notifying them of possible security breaches.
- Dropping detected malicious packets.
- Resetting a connection.
- Blocking traffic from the offending IP address.
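To make the matching and response steps above concrete, here is an added example written for this page (not code from any IPS product) of a toy inline engine in Python. It assumes a packet record with source IP, destination port, protocol and payload, rule fields loosely modelled on Snort/Suricata's content and pcre options, and constructed sample traffic using RFC 5737 documentation addresses; the rule IDs and messages are invented for the demo.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed packet record: the fields an inline engine has after decoding headers.
@dataclass
class Packet:
    src_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    payload: bytes

# One signature: header-level matches (protocol, port) plus a payload match.
# Field names are loosely modelled on Snort/Suricata options (assumption of this example).
@dataclass
class Rule:
    sid: int
    msg: str
    action: str                        # "alert", "drop", "drop_block", "reset"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    content: Optional[bytes] = None    # exact substring match
    pcre: Optional[re.Pattern] = None  # regular expression over the payload

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        if self.pcre is not None and self.pcre.search(pkt.payload) is None:
            return False
        return True

class InlineIPS:
    """Every forwarded packet passes through inspect(), which returns the verdict."""

    def __init__(self, rules):
        self.rules = rules
        self.blocked_ips = set()   # sources blocked by an earlier "drop_block" hit
        self.log = []              # (src_ip, reason, verdict): what gets reported

    def inspect(self, pkt: Packet) -> str:
        # Enforce earlier block decisions first: a blocked source never reaches
        # the signature stage, so follow-up packets from it are cheap to drop.
        if pkt.src_ip in self.blocked_ips:
            self.log.append((pkt.src_ip, "blocked source", "drop"))
            return "drop"
        for rule in self.rules:          # first matching rule wins
            if rule.matches(pkt):
                verdict = self.respond(rule, pkt)
                self.log.append((pkt.src_ip, rule.msg, verdict))
                return verdict
        return "forward"                 # legitimate traffic continues untouched

    def respond(self, rule: Rule, pkt: Packet) -> str:
        if rule.action == "alert":       # IDS-style: record it, let it through
            return "forward"
        if rule.action == "drop_block":  # drop now and block the offending IP
            self.blocked_ips.add(pkt.src_ip)
            return "drop"
        if rule.action == "reset" and pkt.proto == "tcp":
            return "reset"               # a real engine would send RST to both ends
        return "drop"

# Constructed rules for the demo (sids in the local 1000000+ range).
RULES = [
    Rule(1000001, "HTTP directory traversal", "drop_block", "tcp", 80, content=b"../"),
    Rule(1000002, "HTTP request for shell executable", "drop", "tcp", 80,
         pcre=re.compile(rb"(?i)cmd\.exe|/bin/sh")),
    Rule(1000003, "Possible SQL injection in query string", "alert", "tcp", 80,
         pcre=re.compile(rb"(?i)union\s+select")),
]

# Constructed traffic using RFC 5737 documentation addresses.
SAMPLE_PACKETS = [
    Packet("198.51.100.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.7", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("203.0.113.7", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),   # source now blocked
    Packet("198.51.100.5", 80, "tcp", b"GET /item?id=1 UNION SELECT 1,2 HTTP/1.1\r\n"),
    Packet("192.0.2.9", 80, "tcp", b"GET /scripts/cmd.exe?/c+dir HTTP/1.1\r\n"),
    Packet("192.0.2.9", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),     # dropped, not blocked
]

def run_demo():
    """Run the sample traffic through the engine; returns the verdicts and the engine."""
    ips = InlineIPS(RULES)
    verdicts = [ips.inspect(p) for p in SAMPLE_PACKETS]
    return verdicts, ips

if __name__ == "__main__":
    verdicts, ips = run_demo()
    for pkt, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src_ip:>14} {verdict:<8} {pkt.payload[:40]!r}")
    print("blocked:", sorted(ips.blocked_ips))
```

The order of checks matters: the block list is consulted before any signature work, so once 203.0.113.7 is blocked its later packets are dropped without inspection, while 192.0.2.9, hit by a plain drop rule, has its next packet forwarded. A real engine would also reassemble TCP streams and normalise HTTP (decode percent-encoding, collapse path segments) before matching; this toy skips that, which is exactly the gap evasion techniques exploit.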
Intrusion prevention systems can be organized into four major types:
- Network-based intrusion prevention system (NIPS): Inspects protocol activity on the network segments it is placed in front of, looking for untrustworthy traffic to or from many hosts at once.
- Wireless intrusion prevention system (WIPS): Monitors wireless (802.11) protocol activity across the wireless network, looking for untrustworthy behaviour such as rogue access points or deauthentication floods.
- Host-based intrusion prevention system (HIPS): Software installed on a single host that watches activity on that host, such as process behaviour, file changes and the traffic the host sends and receives.
- Network behavior analysis (NBA): Examines traffic flows to identify threats that produce unusual flow patterns, most commonly distributed denial of service attacks, malware spreading between hosts, and policy abuses. Unlike signature engines, which rely on pattern matching to detect attacks and can be evaded by slight adjustments to the attack, NBA looks at how traffic behaves rather than at its exact contents.
IPS Detection Methods
The majority of intrusion prevention systems use one or more of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis.
- Signature-based detection: The engine compares packets against predetermined attack patterns, known as "signatures". It is precise and produces few false positives, but it only recognises attacks that already have a signature, and small changes to an attack's encoding or structure can slip past an exact match.
- Statistical anomaly-based detection: The engine compares network traffic to a baseline of expected traffic. The baseline defines what is "normal" for that network: which protocols are in use, how much traffic flows between which hosts, and at what times. It can catch attacks for which no signature exists, but it raises false positives for legitimate unusual activity, such as a backup job saturating a link, if the baseline is not carefully built and maintained.
- Stateful protocol analysis detection: The engine tracks the state of each connection and compares observed events against predetermined profiles of benign protocol activity for each state. It can therefore flag, for example, a command that is only valid after an earlier step being sent before that step, or an argument far longer than the protocol allows, without a signature for the specific attack.
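The anomaly-based and stateful methods, as an added example written for this page (not from any product), in Python. The packet-count baseline, the SMTP command profile, the 256-byte argument limit and the two sessions are all constructed for the demo; the SMTP profile is a simplified subset of RFC 5321, not a full state machine.

```python
import statistics

# ---- Statistical anomaly detection ----------------------------------------
# Constructed baseline (not real measurements): packets per 10 s window from a
# branch-office subnet on ordinary days, the "normal" profile for this network.
BASELINE_PPS = [410, 395, 430, 405, 420, 398, 415, 408, 425, 402]

# Constructed observation windows; index 2 is a flood, index 4 is a legitimate
# nightly backup burst that still exceeds the envelope (a false positive).
OBSERVED_PPS = [405, 440, 9800, 412, 470]

def anomaly_threshold(baseline, k=3.0):
    """Upper bound of 'normal': mean plus k population standard deviations."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_alerts(observed, baseline=BASELINE_PPS, k=3.0):
    """Return (window index, count) for every window above the envelope."""
    limit = anomaly_threshold(baseline, k)
    return [(i, n) for i, n in enumerate(observed) if n > limit]

# ---- Stateful protocol analysis -------------------------------------------
# Simplified SMTP command profile (assumption of this example, not a full
# RFC 5321 state machine): which client commands are acceptable in each state.
SMTP_PROFILE = {
    "init":    {"HELO", "EHLO", "NOOP", "QUIT"},
    "greeted": {"HELO", "EHLO", "MAIL", "RSET", "NOOP", "QUIT"},
    "mail":    {"RCPT", "RSET", "NOOP", "QUIT"},
    "rcpt":    {"RCPT", "DATA", "RSET", "NOOP", "QUIT"},
}
TRANSITIONS = {"HELO": "greeted", "EHLO": "greeted", "RSET": "greeted",
               "MAIL": "mail", "RCPT": "rcpt", "DATA": "data"}
MAX_ARG_LEN = 256   # hypothetical profile limit on a command's argument length

def analyze_smtp(commands):
    """Walk client commands through the profile; return (verb, finding) deviations."""
    state = "init"
    findings = []
    for line in commands:
        if state == "data":
            break                          # message body follows; commands end here
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in SMTP_PROFILE[state]:
            findings.append((verb, f"not expected in state '{state}'"))
            continue                       # a compliant server rejects it: no transition
        if len(arg) > MAX_ARG_LEN:
            findings.append((verb, f"argument of {len(arg)} bytes exceeds profile"))
        state = TRANSITIONS.get(verb, state)
    return findings

# Constructed sessions: a normal one, and one that skips the envelope and then
# sends an oversized RCPT argument of the kind buffer-overflow probes use.
NORMAL_SESSION = [
    "EHLO mail.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",
    "DATA",
]
DEVIANT_SESSION = [
    "EHLO mail.example.org",
    "DATA",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<" + "A" * 300 + "@example.com>",
    "DATA",
]

if __name__ == "__main__":
    print("threshold:", round(anomaly_threshold(BASELINE_PPS), 1))
    print("anomalous windows:", anomaly_alerts(OBSERVED_PPS))
    print("normal session:", analyze_smtp(NORMAL_SESSION))
    print("deviant session:", analyze_smtp(DEVIANT_SESSION))
```

Window 2 is the flood; window 4 is the backup burst the list item warns about, flagged because it sits outside the statistical envelope even though it is legitimate, while window 1 at 440 packets stays just inside it. The SMTP checks need no signature: DATA before MAIL FROM is wrong in any implementation, and the 317-byte RCPT argument is caught by the profile's size limit regardless of what bytes it carries.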