An IPS, or an Intrusion Prevention System, is a network security solution that performs traffic monitoring and identifies malicious traffic flows. An IPS is deployed in line with a computer’s network connection or at the perimeter of a protected network, enabling it to block or drop malicious connections.
How Do Intrusion Prevention Systems Protect the Network?
An IPS can use two different techniques to detect threats to the network:
- Signature Detection: Signature detection identifies known threats based on unique attributes, such as malicious IP addresses, domain names or data patterns. This approach offers high accuracy at detecting known threats but is blind to zero-day attacks.
- Anomaly Detection: Anomaly detection mechanisms use statistical analysis and machine learning to identify anomalies in network traffic that could indicate a threat to the protected network. For example, a large volume of connection requests to a server from various IP addresses may indicate a Distributed Denial of Service (DDoS) attack. Anomaly detection can identify unknown or zero-day threats but has higher potential for false positive detections.
This combination of detection mechanisms enables IPS to identify a range of threats within network traffic. Historically, an IPS has been deployed as part of a perimeter-based defensive system at the border of the enterprise network. This enables the IPS to see all traffic entering and leaving the network and to use its in-line deployment location to block malicious content from entering the enterprise network and prevent sensitive data or command and control traffic from leaving it.
What is a Network-based Intrusion Prevention System (NIPS)?
An IPS can be deployed in a few different ways. The most common deployment model for an IPS is as a network-based IPS (NIPS).
A NIPS is deployed to protect an entire network unlike a host-based IPS (HIPS), which protects a single computer. A NIPS is deployed at the network boundary alongside or as part of a network firewall. All traffic entering and leaving the protected network is inspected by the NIPS, and the NIPS has the ability to block connections or drop packets if malicious or suspicious content is detected.
A NIPS provides more scalable security than a HIPS because a single solution can protect an entire network and does not impact the performance of the protected systems. Since a HIPS is deployed on the protected device itself, it consumes CPU and memory, potentially degrading the system’s performance.
What are Network Intrusion Detection Systems (NIDS)?
Network intrusion detection systems (NIDS) provide a subset of the functionality available in a NIPS. They operate at the network level and use the same techniques to identify malicious content and traffic entering or leaving the protected network.
The primary difference between a NIDS and a NIPS is that a NIDS only provides threat detection with no prevention capabilities. If a NIDS identifies a potential attack, it generates an alert for the security team. Security analysts can then investigate the alert and take action to remediate the potential threat.
A NIPS provides superior protection and risk management compared to a NIDS. With a NIDS, malicious content is likely mitigated only after it reaches its destination rather than in transit. This provides a window for malware or an attacker to steal data, encrypt files, or cause other damage to an organization.
Network Intrusion Prevention Systems: Strengths and Limitations
A network intrusion prevention system can provide strong protection to an enterprise network. Some of the main advantages of a NIPS include:
- Threat Detection: A NIPS can use a combination of signature and anomaly detection to identify malicious content and other potential threats. This enables these systems to accurately identify known threats while also offering detection of novel attacks.
- Attack Prevention: An IPS is deployed in-line and has the ability to block or drop malicious connections. This enables it to prevent malicious traffic from entering or leaving the enterprise network, minimizing the risk to the company and the cost of remediation.
A NIPS is a vital component of a corporate cybersecurity strategy; however, some NIPS solutions have their downsides. Some of the potential limitations of a NIPS include:
- Localized Protection: NIPS are generally deployed at a network boundary and only monitor traffic and prevent attacks crossing that boundary. With the rise of remote work and cloud computing, these traditional perimeters are dissolving, making boundary-focused protection less effective.
- Requires Frequent Updates: The signature detection capabilities of a NIPS require a signature of a threat to identify it. To effectively protect against the latest attack campaigns, a NIPS must be frequently updated with new signatures.
- TLS/SSL Inspection Latency: Both legitimate and malicious web traffic is increasingly using TLS encryption. To inspect this traffic, a NIPS must perform TLS/SSL introspection, which requires significant resources and can increase traffic latency.
- Alert Volumes: The anomaly detection capabilities of a NIPS can produce false positive detections for traffic that is unusual but not malicious. This adds to the volume of alerts that security analysts must investigate, increasing the probability that true threats are lost in the noise.
Choosing the Right IPS Deployment
The standalone, perimeter-based NIPS was designed for traditional corporate networks and is increasingly ineffective at meeting the needs of the modern enterprise. As network perimeters dissolve, attempting to route all traffic through a NIPS for security inspection increases traffic latency and degrades network performance.
Secure Access Service Edge (SASE) solutions integrate IPS functionality alongside other critical network and security functions in a single cloud-based solution. With SASE, IPS capabilities can be deployed wherever they’re needed in a solution that minimizes overhead and offers optimal network performance. SASE also offers the other network security capabilities needed to protect against the threats that an IPS can’t.
A NIPS is still a valuable component of an enterprise network security strategy, but it needs to be implemented and deployed correctly. Learn more about what makes for a great IPS.