Hi, everyone! Today I’m going to introduce what an Intrusion Prevention System (IPS) is.
In short, an Intrusion Prevention System (IPS), also known as an intrusion detection and prevention system (IDPS), is a technology that monitors a network for malicious activity attempting to exploit a known vulnerability.
An Intrusion Prevention System’s main function is to identify suspicious activity and either detect and allow it (IDS) or prevent it (IPS). The attempt is logged and reported to the network managers or Security Operations Center (SOC) staff.
An IPS is used to identify malicious activity, record and report detected threats, and take preventive action to stop a threat from doing damage. An IPS tool can continually monitor a network in real time.
Intrusion prevention is a threat detection method that system and security administrators can use in a secure environment; these tools act on observed events rather than only reporting them. Because suspicious activity can arise in many ways, it is important to have a plan in place for detecting potential attacks.
An intrusion prevention system is made to expand on the base capabilities found in intrusion detection systems (IDSes).
Why should Intrusion Prevention Systems be used?
IPS technologies can detect or prevent network security attacks such as brute-force attacks, Denial of Service (DoS) attacks, and vulnerability exploits. A vulnerability is a weakness in a software system, and an exploit is an attack that leverages that vulnerability to gain control of a system. When an exploit is announced, there is often a window of opportunity for attackers to use it before the security patch is applied. An Intrusion Prevention System can be used to quickly block these attacks during that window.
Because IPS technologies watch packet flows, they can also be used to enforce the use of secure protocols and deny the use of insecure protocols such as earlier versions of SSL or protocols using weak ciphers.
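As an added example (not code from the original post), here is how an inline sensor could enforce the protocol policy this paragraph describes: it parses the protocol version and cipher suites a client offers in a TLS ClientHello and denies legacy SSL/TLS versions or weak suites. The policy tables, the minimal ClientHello builder used to produce test input, and the constructed records are all my own assumptions; a real enforcement point would also read the supported_versions extension, which this parser skips.

```python
"""Protocol-enforcement check over a TLS ClientHello (constructed example).
Parses the offered version and cipher suites, then applies an allow/deny policy."""
import struct

# Legacy protocol versions the (assumed) policy refuses, keyed by version bytes
DENIED_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1"}

# Cipher suites treated as weak (IANA values): NULL, RC4 and 3DES RSA suites
WEAK_SUITES = {0x0000: "NULL-NULL", 0x0002: "RSA-NULL-SHA",
               0x0005: "RSA-RC4-128-SHA", 0x000A: "RSA-3DES-EDE-CBC-SHA"}


def build_client_hello(version, suites):
    """Build a minimal TLS ClientHello record (no extensions) as test input."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    # Record layer: type 0x16 (handshake), legacy record version 0x0301, length
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]); raise ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                  # skip the 32-byte random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session id
    if pos + 2 > len(body):
        raise ValueError("truncated cipher_suites length")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return version, suites


def check_policy(record):
    """Return ('allow', []) or ('deny', [reasons]) for one ClientHello record.
    Malformed records are denied as well, so a parser failure can never fail open."""
    try:
        version, suites = parse_client_hello(record)
    except ValueError as exc:
        return ("deny", ["malformed: " + str(exc)])
    reasons = []
    if version in DENIED_VERSIONS:
        reasons.append("legacy version " + DENIED_VERSIONS[version])
    for s in suites:
        if s in WEAK_SUITES:
            reasons.append("weak cipher " + WEAK_SUITES[s])
    return ("deny", reasons) if reasons else ("allow", [])


if __name__ == "__main__":
    # Constructed records: a modern hello and a legacy one offering RC4
    print(check_policy(build_client_hello(0x0303, [0xC02F, 0x1301])))
    print(check_policy(build_client_hello(0x0301, [0x0005, 0xC02F])))
```

Note that TLS 1.3 clients put 0x0303 in the legacy version field and advertise 1.3 only in the supported_versions extension, so a production check has to parse extensions before treating 0x0303 as "TLS 1.2 only"; the point here is that the decision is made on parsed fields, and that anything the parser cannot read is denied rather than waved through.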
How do Intrusion Prevention Systems work?
IPS technologies have access to packets where they are deployed, either as network-based systems (NIDS) or as host-based systems (HIDS). A network IPS has a larger view of the entire network and can be deployed either inline in the network or out of band as a passive sensor that receives copies of packets from a network TAP or SPAN port.
The detection method may be signature-based or anomaly-based. Predefined signatures are patterns of well-known network attacks; the IPS compares packet flows against the signatures to see if there is a pattern match. Anomaly-based intrusion detection uses heuristics to identify threats, for instance by comparing a sample of traffic against a known baseline.
An intrusion prevention system works by scanning all network traffic. To do this, an IPS tool typically sits right behind a firewall, acting as an additional layer that inspects events for malicious content. IPS tools are thus placed in the direct communication path between a system and the network, which lets the tool analyze the traffic.
The following are three common approaches for an IPS tool to protect networks:
signature-based detection in which the IPS tool uses previously defined attack signatures of known network threats to detect threats and take action;
anomaly-based detection in which the IPS searches for unexpected network behavior and blocks access to the host if an anomaly is detected; and
policy-based detection in which the IPS first requires administrators to make security policies -- when an event occurs that breaks a defined security policy, an alert is sent to system administrators.
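To make the three approaches concrete, here is an added example (not code from the original post) of a toy engine that applies signature, anomaly and policy detection to a window of constructed flow records: signatures are byte patterns matched against payloads, the anomaly check compares each source's flow count to a baseline, and the policy check flags destination ports outside an allow-list. The signatures, baseline value, port policy and sample addresses are all assumptions made for illustration.

```python
"""Toy IPS engine: signature-, anomaly- and policy-based detection over
constructed flow records. Every signature, baseline and policy here is an
assumption for illustration, not a real product's rule set."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# Constructed signatures: (name, byte pattern that must appear in the payload)
SIGNATURES = [
    ("http-path-traversal", b"../"),
    ("http-cleartext-basic-auth", b"Authorization: Basic"),
]

# Constructed baseline: a normal source opens at most this many flows per window
BASELINE_FLOWS_PER_SOURCE = 20

# Constructed policy: only these destination ports may be reached from outside
POLICY_ALLOWED_PORTS = {80, 443}


def signature_detect(flow):
    """Return the names of signatures whose pattern appears in the payload."""
    return [name for name, pat in SIGNATURES if pat in flow.payload]


def anomaly_detect(flows, baseline=BASELINE_FLOWS_PER_SOURCE):
    """Return sources whose flow count in this window exceeds the baseline."""
    counts = Counter(f.src for f in flows)
    return sorted(src for src, n in counts.items() if n > baseline)


def policy_detect(flow, allowed=POLICY_ALLOWED_PORTS):
    """Return True when the flow breaks the destination-port policy."""
    return flow.dport not in allowed


def evaluate(flows):
    """Run all three approaches over one window of flows.
    Returns {flow index: (action, reason)}: signature and anomaly hits are
    dropped, policy violations only raise an alert, everything else is allowed."""
    anomalous = set(anomaly_detect(flows))
    verdicts = {}
    for i, f in enumerate(flows):
        sigs = signature_detect(f)
        if sigs:
            verdicts[i] = ("drop", "signature:" + ",".join(sigs))
        elif policy_detect(f):
            verdicts[i] = ("alert", "policy:port-%d" % f.dport)
        elif f.src in anomalous:
            verdicts[i] = ("drop", "anomaly:flow-rate")
        else:
            verdicts[i] = ("allow", "")
    return verdicts


def sample_flows():
    """Constructed traffic window: two benign web flows, one signature hit,
    one policy violation (telnet port) and a burst of 25 flows from one source."""
    flows = [
        Flow("203.0.113.5", "192.0.2.10", 443, "tcp", b"GET /index.html"),
        Flow("203.0.113.6", "192.0.2.10", 80, "tcp", b"GET /about"),
        Flow("203.0.113.7", "192.0.2.10", 80, "tcp", b"GET /../secret"),
        Flow("203.0.113.8", "192.0.2.10", 23, "tcp", b""),
    ]
    flows += [Flow("203.0.113.9", "192.0.2.10", 443, "tcp", b"GET /")
              for _ in range(25)]
    return flows


if __name__ == "__main__":
    for idx, verdict in evaluate(sample_flows()).items():
        if verdict[0] != "allow":
            print(idx, verdict)
```

The ordering inside evaluate is itself a design choice: a signature match is the most specific evidence, so it wins; the policy check is deliberately alert-only because a policy violation is often a misconfiguration rather than an attack; and the anomaly verdict is applied per source, so every flow in the burst is dropped even though each one looks benign on its own.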
If threats are detected, an IPS tool is typically capable of sending alerts to the administrator, dropping malicious network packets, resetting connections, reconfiguring firewalls, repackaging payloads, and removing infected attachments from servers.
IPS tools can help fend off denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, worms, viruses, or exploits, such as a zero-day exploit. According to Michael Reed, formerly of Top Layer Networks (acquired by Corero), an effective intrusion prevention system should perform more complex monitoring and analysis, such as watching and responding to traffic patterns, as well as individual packets. "Detection mechanisms can include address matching, HTTP [Hypertext Transfer Protocol] string and substring matching, generic pattern matching, TCP [Transmission Control Protocol] connection analysis, packet anomaly detection, traffic anomaly detection, and TCP/UDP [User Datagram Protocol] port matching."
Types of intrusion prevention systems
Three types of intrusion prevention systems are common:
network behavior analysis (NBA), which analyzes network behavior for abnormal traffic flow -- commonly used for detecting DDoS attacks;
network-based intrusion prevention system (NIPS), which analyzes a network to look for suspicious traffic -- typically focused on protocol activity;
host-based intrusion prevention systems (HIPS), which are installed on a single host and analyze suspicious activity on that specific host.
In addition, there are other types of IPS tools, including ones that analyze wireless networks. Broadly speaking, however, an intrusion prevention system can be said to include any product or practice used to keep attackers from gaining access to your networks, such as firewalls and antivirus software.
Benefits of intrusion prevention systems
Benefits of intrusion prevention systems include the following:
lowering the chances of security incidents;
providing dynamic threat protection;
automatically notifying administrators when suspicious activity is found;
mitigating attacks such as zero-day threats, DoS attacks, DDoS attacks, and brute-force attack attempts;
reducing maintenance of networks for IT staff; and
allowing or denying specific incoming traffic to a network.
Disadvantages of intrusion prevention systems
Disadvantages to intrusion prevention systems include the following:
When a system blocks abnormal activity on a network on the assumption that it is malicious, the block may be a false positive that denies service to a legitimate user.
If an organization does not have enough bandwidth and network capacity, an inline IPS tool can slow a system down.
If there are multiple IPSes on a network, data has to pass through each of them to reach the end user, causing a loss in network performance.
IPS products may also be expensive.
What’s the difference between IDS and IPS?
Early implementations of the technology were deployed in detect mode on dedicated security appliances. As the technology has matured and moved into integrated Next-Generation Firewall (NGFW) or Unified Threat Management (UTM) devices, the default action is set to prevent malicious traffic.
In some cases, the decision to detect and accept or to prevent the traffic is based on confidence in the specific IPS protection. When confidence in a protection is lower, the likelihood of false positives is higher. A false positive is when the IDS identifies an activity as an attack although the activity is acceptable behavior. For this reason, many IPS technologies can also capture the packet sequences from the attack event; these can then be analyzed to determine whether there was an actual threat and to further improve the IPS protection.
This is what I wanted to share with you today. Thank you!
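The confidence-driven choice between detect and prevent, together with packet capture for later review, as an added example that is not part of the original post. Each protection carries an assumed confidence value; matches at or above a threshold are blocked, lower-confidence matches are only logged, and in both cases the last few packets are captured so an analyst can judge whether it was a real threat. The protections, threshold, beacon string and sample packets are all constructed.

```python
"""Detect-vs-prevent decision driven by per-protection confidence, with
packet-sequence capture for analyst review. Constructed example: the
protections, confidence values, threshold and packets are assumptions."""
from collections import deque

# Constructed protections: (name, payload pattern, confidence in [0, 1])
PROTECTIONS = [
    # A constructed malware-beacon User-Agent string: precise, rarely benign
    ("constructed-beacon-user-agent", b"User-Agent: ConstructedBeacon/1.0", 0.95),
    # A broad pattern that also appears in ordinary HTML: prone to false positives
    ("generic-script-tag", b"<script", 0.40),
]

PREVENT_THRESHOLD = 0.80   # at or above: block; below: detect-only (log and capture)


class CaptureBuffer:
    """Keeps the last `size` packets so an event can be reviewed in context."""
    def __init__(self, size=3):
        self.buf = deque(maxlen=size)

    def push(self, pkt):
        self.buf.append(pkt)

    def snapshot(self):
        return list(self.buf)


def match(payload):
    """Return (name, confidence) of the highest-confidence matching protection, or None."""
    hits = [(name, conf) for name, pat, conf in PROTECTIONS if pat in payload]
    return max(hits, key=lambda h: h[1]) if hits else None


def decide(confidence, threshold=PREVENT_THRESHOLD):
    """Map a protection's confidence to the IPS action."""
    return "prevent" if confidence >= threshold else "detect"


def process(packets, threshold=PREVENT_THRESHOLD):
    """Run packets through the engine. Returns a list of events, one per match:
    (packet index, protection name, action, captured packet sequence)."""
    cap = CaptureBuffer(size=3)
    events = []
    for i, pkt in enumerate(packets):
        cap.push(pkt)
        hit = match(pkt)
        if hit:
            name, conf = hit
            events.append((i, name, decide(conf, threshold), cap.snapshot()))
    return events


# Constructed packet payloads for one client session
SAMPLE_PACKETS = [
    b"GET /index.html",
    b"POST /comment body=<p>hello</p>",
    b"POST /comment body=<script>renderChart()</script>",   # legitimate site JS: low-confidence hit
    b"GET / HTTP/1.1 User-Agent: ConstructedBeacon/1.0",    # high-confidence hit
]


if __name__ == "__main__":
    for idx, name, action, captured in process(SAMPLE_PACKETS):
        print(idx, name, action, captured)
```

Packet 2 is exactly the false-positive case from the disadvantages list: the low-confidence protection fires on legitimate content, but because it stays in detect mode the user is not cut off, while the captured sequence lets an analyst confirm it was benign and tune the protection. Raising a protection's confidence (or lowering the threshold) is what moves it from detect to prevent.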
