DeMISTIfying Infosec: Intrusion Prevention System

March 29, 2016
By Katherine Teitler

Intrustion Prevention System

The intrusion prevention system, or IPS, was first introduced in the mid-2000s. It is a rules-based network security appliance that monitors network traffic for anomalous or malicious activity. An IPS is used to identify potential threats, intrusions, or policy violations; log events; and report and/or block potentially malicious traffic.

IPSs are typically paired with intrusion detection systems (IDS) but differ in their capabilities; an IPS is placed in-line—in the direct path of communication from source to destination—and can send alerts, drop malicious packets, reset connections, and/or block traffic from the potentially harmful IP address. The main difference between an IPS and an IDS is that an IPS can deny traffic whereas an IDS cannot (i.e., the former is active and the latter, passive).

Some IPSs can also change the configuration of security controls to disrupt an attack, or remove or replace malicious portions of an attack. For example, some IPS devices can automatically (based on their configuration, determined by a network administrator) remove the infected attachment from an email, delivering only the email text, and mitigating an exploit. The main detection methods of IPSs are signature-based, statistical anomaly-based, and stateful protocol analysis.

One of the pitfalls of IPSs is that they're not human and can't understand Web application protocol logic and can therefore produce false positives or fail to detect an attack, especially those without signatures.

Today, most IPSs are implemented as part of Unified Threat management solutions (for SMBs) and next-generation firewalls (for enterprises).

prestitial ad