What is an Intrusion Prevention System (IPS)?
An intrusion prevention system (IPS) is a network security technology that monitors network traffic and blocks malicious content. An IPS provides protection against a wide range of cyber threats such as ransomware, lateral movement, vulnerability exploitation and other attacks. However, an IPS is only one component of an enterprise security architecture, and choosing the right IPS is vital for corporate cybersecurity.
How Does an Intrusion Prevention System Work?
An IPS sits in line with traffic flows and inspects all traffic before permitting it to continue on to its destination. An IPS can use signature-based analysis, anomaly detection, and machine learning to identify potential malicious content within a connection.
If an IPS detects a potential attack, it sends an alert to the IT department. However, as the P in its name suggests, an IPS can also prevent attacks. Its position in-line with traffic flows enables it to drop malicious packets, block traffic, and reset connections that it believes pose a threat to the organization.
IPS vs IDS – What is the Difference?
IPS and IDS (intrusion detection system) are similar acronyms, and the two tools have similar functionality. However, the capabilities of an IDS are a subset of those of an IPS.
IDS predates IPS, and IDS solutions focus on identifying attacks, not preventing them. An IDS has similar network monitoring and threat detection capabilities, but it will only generate an alert if malicious traffic is detected. An IDS therefore serves only as an early warning system for an attack: the IT team must respond to the alert and take action to mitigate or remediate the threat. Since an IPS can block malicious traffic from reaching its destination, it provides superior protection and eliminates the cost and damage caused by a potential threat.
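The in-line inspection loop described above, and the IDS versus IPS distinction, can be shown in a few dozen lines. The following is an added example, not code from the original page or from any IPS product: the packets, the signature patterns and the "connection reset" bookkeeping are all constructed here, and `inspect` is a hypothetical function. In detection-only mode every packet is forwarded and matches only raise alerts; in prevention mode a matching packet is dropped and its connection is marked reset so that later packets on it are dropped too.

```python
"""
Added example (not from the original page): a toy in-line inspection loop
showing the IDS vs IPS difference. Packets, signatures and the "connection
reset" are constructed for illustration; nothing here comes from a real
IPS product or signature feed.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Packet:
    conn: str          # constructed connection id, e.g. "c1"
    payload: bytes


# Constructed signature set: (name, compiled byte regex).
# Generic illustrations of well-known request patterns, not vendor signatures.
SIGNATURES = [
    ("path-traversal", re.compile(rb"\.\./\.\./")),
    ("sql-tautology", re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
]


@dataclass
class InspectionResult:
    forwarded: list = field(default_factory=list)   # packets allowed through
    alerts: list = field(default_factory=list)      # (conn, signature name)
    reset_conns: set = field(default_factory=set)   # connections torn down


def match_signatures(payload: bytes):
    """Return the name of the first signature that matches, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return name
    return None


def inspect(packets, prevent: bool) -> InspectionResult:
    """
    Run the in-line inspection loop over a packet sequence.
    prevent=False behaves like an IDS: all packets forwarded, matches alert only.
    prevent=True behaves like an IPS: matching packets dropped, connection reset,
    and every later packet on that connection dropped as well.
    """
    result = InspectionResult()
    for pkt in packets:
        if prevent and pkt.conn in result.reset_conns:
            continue  # connection already torn down; drop without re-inspecting
        hit = match_signatures(pkt.payload)
        if hit is not None:
            result.alerts.append((pkt.conn, hit))
            if prevent:
                result.reset_conns.add(pkt.conn)
                continue  # drop the matching packet
        result.forwarded.append(pkt)
    return result


# Constructed sample traffic: one benign connection (c1) and one carrying a
# directory-traversal request (c2), interleaved as they would arrive in line.
SAMPLE = [
    Packet("c1", b"GET /index.html HTTP/1.1\r\n"),
    Packet("c2", b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("c2", b"Host: example.invalid\r\n"),
    Packet("c1", b"Host: example.invalid\r\n"),
]


if __name__ == "__main__":
    ids = inspect(SAMPLE, prevent=False)
    ips = inspect(SAMPLE, prevent=True)
    print("IDS mode: forwarded", len(ids.forwarded), "alerts", ids.alerts)
    print("IPS mode: forwarded", len(ips.forwarded), "alerts", ips.alerts,
          "reset", ips.reset_conns)
```

Running it shows the same alert in both modes, but only the prevention run stops the flagged connection: the IDS run forwards all four packets, while the IPS run forwards only the two benign packets and records connection `c2` as reset.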
IPS Deployment Models
An IPS is intended to protect a network or system by blocking malicious traffic from entering it. An IPS can operate under a couple of different deployment models, including:
- On-Premises: Legacy IPS are deployed on-premises at the perimeter of the enterprise network. These solutions are bound to a particular geographic location and can only inspect and filter traffic to that network.
- Cloud-Based: Modern IPS are increasingly deployed as part of a firewall as a service (FWaaS) offering. These cloud-based services are geographically distributed and can inspect traffic from all edges and to all resources.
Types of Intrusion Prevention Systems
IPS can come in a few different forms. The main IPS types include:
- Network-based intrusion prevention system (NIPS): NIPS are deployed at the network level. They are intended to detect and block threats to all systems in the protected network.
- Host-based intrusion prevention system (HIPS): A HIPS is installed on a particular endpoint and monitors traffic only to and from that endpoint.
- Network behavior analysis (NBA): An NBA solution looks for anomalous traffic flows within a network. For example, it may detect and respond to a network scanner based on a large volume of connection requests to various ports.
- Wireless intrusion prevention system (WIPS): A WIPS primarily acts as an access control mechanism on a wireless network. It detects and terminates unauthorized devices’ access to the network.
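The NBA example in the list above (flagging a source that sends connection requests to many different ports) is the kind of behavioural rule that needs no payload signature at all. The following added example, which is not code from the original page or any NBA product, implements that check over constructed flow records using a per-source sliding time window. The threshold, window length and flow log are all assumptions chosen for illustration, and `detect_port_scans` is a hypothetical function.

```python
"""
Added example (not part of the original page): a minimal network behavior
analysis (NBA) check that flags a source opening connection attempts to many
distinct ports on one host within a short time window. Flow records,
threshold and window are constructed for illustration.
"""
from collections import defaultdict, deque

# Tuning knobs (constructed): more than PORT_THRESHOLD distinct destination
# ports from one source to one host within WINDOW_SECONDS raises an alert.
PORT_THRESHOLD = 10
WINDOW_SECONDS = 5.0


def detect_port_scans(flows, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """
    flows: iterable of (timestamp, src_ip, dst_ip, dst_port) sorted by timestamp.
    Returns {(src_ip, dst_ip): timestamp_first_flagged} for each pair that
    exceeded the threshold. The sliding window means a slow trickle of
    legitimate connections spread over a long period never accumulates
    into an alert, which keeps false positives down.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) in window
    flagged = {}
    for ts, src, dst, port in flows:
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        # Expire entries that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > threshold and key not in flagged:
            flagged[key] = ts
    return flagged


def build_sample_flows():
    """Constructed flow log: a normal web client, then a burst across many ports."""
    flows = []
    # Normal client: 20 connections alternating between ports 80 and 443,
    # one per second. Only two distinct ports, so it is never flagged.
    for i in range(20):
        flows.append((i * 1.0, "10.0.0.5", "10.0.0.9", 443 if i % 2 else 80))
    # Anomalous source: 15 distinct ports on the same host within 1.5 seconds.
    for i in range(15):
        flows.append((30.0 + i * 0.1, "10.0.0.77", "10.0.0.9", 1000 + i))
    return sorted(flows)


if __name__ == "__main__":
    for (src, dst), ts in detect_port_scans(build_sample_flows()).items():
        print(f"NBA alert: {src} -> {dst} exceeded {PORT_THRESHOLD} distinct "
              f"ports within {WINDOW_SECONDS}s at t={ts:.1f}s")
```

The detector fires once per source/destination pair, at the first flow that pushes the distinct-port count past the threshold (the eleventh port, one second into the burst), and stays quiet for the steady web client. In a real deployment the response would be the IPS action from the previous sections, such as blocking the offending source, rather than a print statement.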
Legacy IPS is Complex to Manage
Legacy IPS are often deployed as a standalone solution. An IPS appliance, physical or virtual, is deployed alongside other security solutions at the enterprise network perimeter. All network traffic entering or leaving the enterprise network – or routed through it for security inspection – passes through all of these devices before being sent on to its destination.
An IPS – like many other security solutions – requires frequent management and updates. As threats evolve, an IPS needs signature updates to catch the latest attack campaigns. Individually managing each of an organization’s IPS and all of its other security solutions is complex and does not scale as corporate IT infrastructure grows and expands.
How to Choose IPS Solutions
An IPS is a vital component of an enterprise security strategy. However, choosing the wrong IPS can leave the IT team struggling with a complex, unscalable, and ineffective security architecture. Some key features to look for when seeking an IPS include:
- Frequent Updates: The role of an IPS is to identify and block attempted exploits, which means that it needs to be aware of the latest vulnerabilities, threats, and attack campaigns. An IPS should be designed to allow updates, signatures, and patches to be quickly rolled out to all solutions, enabling it to detect and block evolving threat campaigns.
- Minimal False Positives: The IPS should be able to inspect traffic based on the full scope of signatures it has, with minimal false positives, minimal maintenance and maximal efficacy. This enables security personnel to focus efforts on true threats and other core duties.
- Unlimited Compute Resources: Appliance-based IPS have compute resources limited by their hardware, which limits their scalability and effectiveness. In contrast, a cloud-native IPS has no such compute limitations preventing it from performing full traffic inspection.
- Efficient TLS Decryption: As a growing percentage of Internet traffic becomes encrypted, the ability to decrypt and inspect TLS encrypted traffic streams is essential to the role of an IPS. Standalone security solutions often individually decrypt and inspect packets, creating significant latency. An IPS should be integrated with other security solutions to enable rapid, one-time traffic decryption that meets the needs of the entire security stack.
- Distributed Security: Legacy IPS solutions were commonly deployed under a perimeter-focused model that protected the enterprise datacenter. As cloud computing, remote work, mobile devices, and the Internet of Things (IoT) dissolve the network perimeter, security needs to be available wherever it is needed. IPS must be deployed in the cloud where it is accessible to all of an organization’s devices and IT resources.
- Converged Security: Historically, companies have deployed an array of standalone security solutions that are difficult to effectively monitor and manage. As a result, true threats slip through the cracks while analysts are deluged in false-positive alerts. An IPS should be deployed as part of an integrated security stack that enables centralized monitoring and management from a single console.
Secure Access Service Edge (SASE) is the only solution that provides IPS functionality in a way that meets enterprise security needs. Read our blog to learn more about choosing the right IPS solution.