Intrusion Prevention Systems explained: what is an IPS?

February 4, 2021  |  Nick Cavalancia

This article was written by an independent guest author.

The goal of every cybersecurity strategy is to stop cyberthreats before they have a material impact. This has resulted in many organizations seeking to be more proactive in their response to potential threats by employing solutions to detect and prevent specific types of cyberattacks by monitoring for the earliest indicators of attacks found within network traffic.

Nearly every type of cyberattack (with the exception of malware-less phishing attacks that rely solely on social engineering) includes some use of network communications as part of the attack to retrieve commands, perform actions, authenticate, or otherwise interact with external hosts. For that reason, the idea of watching network traffic for leading indicators of threat activity has stemmed an evolution of network monitoring to be used specifically for detecting threatening network activity. And by adding in the ability to respond to detected threats in network traffic, the result is intrusion prevention systems.

What is an intrusion prevention system?

An Intrusion Prevention Systems (commonly referred to as IPS) is a form of network security that continuously monitors network traffic entering and leaving your organization’s network. It watches for potentially suspicious and/or malicious traffic, alerts IT and security staff, and then takes action to stop the suspect traffic from continuing.

IPS solutions are also used to identify and remediate internal violations of corporate security policy by employees and network guests. But, considering the frequency and intensity of external cyberattacks today, the more prevalent use of IPS is to protect against external attacks.

Some of the more common attacks IPS security solutions are used to stop include brute force attacks, denial of service attacks, and attacks seeking to exploit known vulnerabilities in internal systems. IPS performs real-time deep packet inspection, examining every packet that traverses your network. Its methods of detection can be either signature-based (where network packets match a known malicious pattern) or anomaly-based (where an instance of traffic is unusual or has never been seen, such as communications to an IP address in a remote part of the world from an internal endpoint).

Should malicious or suspicious traffic be detected, the IPS can utilize any one of the following actions:

  • Network sessions can be terminated, blocking the malicious source IP address and user accounts from continuing to communicate with a given internal application, resource, or network host, preventing a detected attack from continuing
  • Firewall policies and/or configurations can be updated to prevent this kind of attack from happening in the future, as well as preventing the offending source IP address from having access to internal hosts
  • Malicious content that continues to reside within the corporate network – such as infected attachments within email – can also be removed or replaced by IPS solutions

How IDS compares to IPS

In addition to IPS, there are also intrusion detection systems (IDS) that are often mentioned in the same breath. However, these solutions do not produce the same end result.  The difference is found in their names. IDS merely detects and notifies IT, security teams, or a SIEM solution. IPS detects, but also takes action to protect the network from further abuse and attacks.

The challenge with only using an IDS solution is the lack of immediacy with regard to response. With internal staff only notified of a detected threat, lag times can exist from the pure human response (or lack thereof) element. IT or Security staff need to first determine an appropriate response (that is, what new configuration or change should be made to remediate the threat), and additional lag may come from a potential lack of integration with firewall or other systems that need to be modified in response to a detected threat.

How IPS technology has evolved

IPS initially began as a separate technology from firewalls back in the early 2000s, as firewalls did not have deep packet inspection (DPI) capabilities. So IPS sat in line with the firewall, monitoring traffic and performing its own protective measures. But, because early successful IPS solutions relied heavily on maintaining a signature database – much like antivirus vendors – the process of inspecting traffic came with a few problems. First, DPI-based matching was a process that could slow down network traffic and, second, there was a large concern for blocking legitimate traffic.

Later iterations of IPS solutions (dubbed “next-generation IPS”) addressed these problems through faster inspection, the use of machine learning for detection, and the addition of user and application control, where only certain accounts can access some or all of an application.

Eventually IPS found its way into next-generation firewalls (NGFW), empowering IPS to take even more actions based on DPI and user activity, including blocking known malware, configuring URL filtering, and reconfiguring VPNs and the firewall itself. In addition, the improvements around user and application-based security allowed organizations to include internal compliance with security policies as aspect of the overall security strategy that could be monitored, detected, and enforced. 

The benefits of the next-gen firewall

When considering implementing IPS, it’s important to consider a next-gen firewall.  Most NGFWs incorporate IPS technology (thereby eliminating the need for a separate solution), while also offering a number of benefits to the organization, including improved network security, elevated user productivity, better bandwidth management and optimization, simplified management, and lower total cost of ownership. Traditional firewalls merely focus on filtering traffic into and out of the corporate network, while NGFWs assist in addressing the specific cyberattacks on applications with its DPI and IPS capabilities.

The concerns of IPS are tightly interwoven with that of an NGFW, making it an extremely viable choice for most organizations wanting to improve their preventative stance against cyberthreats while improving adherence to corporate security policy.

Share this with others