Intrusion prevention systems (IPS) are security solutions designed to monitor network traffic and block malicious connections. They are very similar to an intrusion detection system (IDS), but because an IPS sits inline it can drop malicious traffic itself rather than only generating security alerts for IT personnel to investigate and respond to. This reduces enterprise cybersecurity risk because known-malicious traffic is blocked before it reaches its destination.
Common Features of IPS Tools
An IPS is a crucial component of an enterprise security architecture. Three of the main functions of an IPS are:
- Threat Detection: An IPS can use various methods to detect malicious content within network traffic. These include signature detection, where traffic is compared to a database of identifiers of known threats (and so catches only threats that already have a signature), and anomaly detection, which baselines normal traffic and flags deviations from it, in some products with machine-learning models, to identify novel attacks.
- Attack Prevention: If an IPS detects a threat, it attempts to block the malicious traffic. This is possible because an IPS is deployed inline with traffic, so all packets must pass through it en route to their destination.
- Logging and Reporting: An IPS will generate alerts for security personnel that contain relevant information about detected threats. This enables follow-up investigations and supports remediation of threats that were detected but not blocked, for example when the IPS runs in detection-only mode.
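The three functions above, as an added illustration that is not code from the original article: a toy inline IPS that tests each packet against a signature database, applies a simple per-source rate baseline as its anomaly rule, and either drops or merely alerts depending on its mode. The packet format, signature IDs, patterns and the rate threshold are all constructed for this example.

```python
"""Toy inline IPS: signature + anomaly detection, prevention vs. detection mode.

Added example, not code from the original article. Signatures, packets and the
per-source rate threshold below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    name: str
    pattern: bytes  # substring that identifies a known threat


# Constructed signature database (hypothetical IDs and patterns).
SIGNATURES = [
    Signature(1001, "SQLi probe", b"' OR 1=1"),
    Signature(1002, "Path traversal", b"../../etc/passwd"),
    Signature(1003, "Webshell upload", b"<?php system("),
]


@dataclass
class InlineIPS:
    mode: str = "prevent"   # "prevent" drops on a hit, "detect" only alerts
    rate_limit: int = 5     # anomaly rule: packets per source above the baseline
    alerts: list = field(default_factory=list)
    per_source: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, pkt):
        """Return the verdict for one packet: "pass" or "drop".

        A hit in detection mode is logged but still forwarded; that is the
        gap the article warns about when an IPS runs in detect-only mode.
        """
        verdict = "pass"
        # 1. Signature detection: compare the payload to every known-threat identifier.
        for sig in SIGNATURES:
            if sig.pattern in pkt.payload:
                verdict = self._hit(pkt, f"sig:{sig.sid} {sig.name}")
                break
        # 2. Anomaly detection: a source exceeding rate_limit packets in this
        #    window deviates from the baseline (a stand-in for real behavioural models).
        self.per_source[pkt.src] += 1
        if self.per_source[pkt.src] > self.rate_limit:
            verdict = self._hit(pkt, "anomaly:rate")
        return verdict

    def _hit(self, pkt, reason):
        action = "drop" if self.mode == "prevent" else "pass"
        # 3. Logging: every hit yields an alert with the context an analyst needs.
        self.alerts.append({"src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
                            "reason": reason, "action": action})
        return action


def run(packets, mode):
    """Inspect a packet list in the given mode; return (verdicts, alerts)."""
    ips = InlineIPS(mode=mode)
    verdicts = [ips.inspect(p) for p in packets]
    return verdicts, ips.alerts


# Constructed traffic: one benign request, two signature hits, then a 7-packet burst.
SAMPLE = [
    Packet("10.0.0.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.0.0.7", "10.0.1.10", 80, b"GET /login?u=admin' OR 1=1-- HTTP/1.1"),
    Packet("10.0.0.7", "10.0.1.10", 80, b"GET /dl?f=../../etc/passwd HTTP/1.1"),
] + [Packet("10.0.0.9", "10.0.1.10", 80, b"GET /?id=%d" % i) for i in range(7)]

if __name__ == "__main__":
    for mode in ("prevent", "detect"):
        verdicts, alerts = run(SAMPLE, mode)
        print(mode, verdicts.count("drop"), "dropped,", len(alerts), "alerts")
```

In prevent mode the two signature hits and the last two packets of the burst are dropped; in detect mode the same four alerts are written but every packet is forwarded, which is why the alert log has to be read promptly when an IPS is not allowed to block.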
IPS Limitations To Be Aware Of
An IPS can be a valuable tool and provides protection against a range of threats; however, IPS solutions can have varying levels of effectiveness. Some of the most common limitations of IPS solutions include the following:
1. Limited Scope of Security
IPS solutions are designed to identify and prevent attacks. To do so, they need to be deployed in-line so that they can block identified malicious traffic.
This need for in-line deployment can dramatically restrict the scope of the IPS solution's protection. Unless an organization routes all of its network traffic through the headquarters or datacenter network for inspection, which adds significant latency and hurts performance, the IPS can only monitor traffic that crosses the network boundary where it is deployed; traffic from remote users or branch sites that goes directly to the internet or to cloud services never passes through it.
2. Resource Usage vs. Security Tradeoff
IPS solutions can use a few different methods for detecting malicious traffic. This includes using signature detection to identify the unique features of known threats and anomaly detection to detect abnormalities in network traffic that could indicate a potential attack.
These detection techniques can have significant resource requirements. For example, signature detection requires a database of known signatures that each packet is tested against, so the work per packet grows with the size of the signature set. Doing this at line rate requires significant CPU cycles and memory.
Many IPS systems have resource constraints, forcing organizations to make tradeoffs between resource consumption and the set of IPS signatures to store and test. With the need to maintain acceptable latency while analyzing large volumes of traffic, organizations may choose to use restricted signature libraries that weaken enterprise security.
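One way engines soften the tradeoff described above, shown as an added example rather than code from the original article: instead of testing every packet against every rule, rules are grouped by the destination port they apply to (as Snort and Suricata do), so a packet is only compared against the rules that could match it. The rule set and packets below are constructed, and a comparison counter stands in for the CPU cost the text describes.

```python
"""Signature matching cost: flat scan vs. rule grouping by destination port.

Added example, not code from the original article. Rules (hypothetical IDs and
patterns) and packets are constructed; comparison counts stand in for CPU cycles.
"""
from collections import defaultdict

# Constructed rule set: (sid, dport or None for "any port", pattern).
RULES = [
    (2001, 80,   b"' OR 1=1"),
    (2002, 80,   b"../../etc/passwd"),
    (2003, 25,   b"MAIL FROM:<\x00"),
    (2004, 53,   b"\x00\x00\x29\x10\x00"),
    (2005, 445,  b"\xffSMB"),
    (2006, None, b"\x90" * 8),  # NOP sled, applies to any port
]


def flat_scan(pkt_dport, payload, rules):
    """Naive engine: every packet is tested against every signature.
    Returns (matched sids, number of pattern comparisons performed)."""
    hits, comparisons = [], 0
    for sid, dport, pattern in rules:
        comparisons += 1
        if pattern in payload and (dport is None or dport == pkt_dport):
            hits.append(sid)
    return hits, comparisons


def build_port_index(rules):
    """Group rules by destination port so only applicable rules are tested."""
    index = defaultdict(list)
    for rule in rules:
        index[rule[1]].append(rule)
    return index


def indexed_scan(pkt_dport, payload, index):
    """Port-grouped engine: test only the rules for this port plus the any-port rules."""
    hits, comparisons = [], 0
    for sid, _, pattern in index.get(pkt_dport, []) + index.get(None, []):
        comparisons += 1
        if pattern in payload:
            hits.append(sid)
    return hits, comparisons


# Constructed traffic sample: (dport, payload).
SAMPLE = [
    (80,  b"GET /?q=' OR 1=1 HTTP/1.1"),
    (80,  b"GET /index.html HTTP/1.1"),
    (25,  b"EHLO mail.example\r\n"),
    (443, b"\x16\x03\x01"),
    (445, b"\x00\x00\x00\x54\xffSMB"),
]


def compare(packets, rules):
    """Run both engines over the packets; return (flat_comparisons, indexed_comparisons).

    Both engines must reach the same verdicts; the index only removes wasted work.
    """
    index = build_port_index(rules)
    flat_total = idx_total = 0
    for dport, payload in packets:
        f_hits, f_cmp = flat_scan(dport, payload, rules)
        i_hits, i_cmp = indexed_scan(dport, payload, index)
        assert sorted(f_hits) == sorted(i_hits), "engines disagree"
        flat_total += f_cmp
        idx_total += i_cmp
    return flat_total, idx_total


if __name__ == "__main__":
    flat, idx = compare(SAMPLE, RULES)
    print(f"flat scan: {flat} comparisons, port-indexed: {idx} comparisons")
```

Grouping removes wasted comparisons without shrinking the signature library, which is the alternative the text says resource-constrained deployments are pushed into. Production engines go further with multi-pattern matchers that test many patterns in one pass over the payload, but the per-port index already shows why rule organisation, not just rule count, drives the CPU cost.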
3. Maintenance Requirements
IPS solutions have high maintenance requirements. They need to be kept patched and regularly updated with new signature sets so that they can detect and block the latest threat campaigns. Additionally, security personnel need to monitor their IPS consistently to tune rules and respond to any attacks that were not detected and blocked.
The effectiveness of an IPS solution depends on this maintenance and monitoring being performed regularly. If understaffed security teams fail to install a signature update or keep an eye on alerts, then an attacker may manage to gain access to enterprise systems undetected.
4. High False Positive Rates
IPS solutions must be tuned to strike a balance between false positive and false negative detections. A system configured to block any traffic that shows the slightest hint of being malicious will also block legitimate traffic through false positives, hurting productivity. At the other extreme, too relaxed a policy lets true threats slip through as false negatives.
Often, businesses will err on the side of ensuring that legitimate business traffic can go through to maintain productivity. As a result, IPS solutions are commonly configured to work in detection mode rather than prevention mode.
While this ensures that an IPS will not accidentally block legitimate traffic, enterprise security relies on the security team promptly identifying and responding to true threats. With high volumes of false positive alerts, true attacks often slip through the cracks as overwhelmed security teams investigate false positives or simply ignore alerts.
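The tuning tradeoff in this section, as an added worked example that is not from the original article: a sweep over a blocking threshold on a constructed, labelled set of flows, counting false positives and false negatives at each setting, and a cost function that shows why a business that weights blocked legitimate users heavily ends up with a relaxed threshold. The flows, the "failed logins per minute" score and the cost weights are all constructed; in a real IPS the score would come from signatures or anomaly models.

```python
"""False positive vs. false negative tradeoff when tuning an IPS threshold.

Added example, not code from the original article. The labelled flows, the
scoring metric and the cost weights are constructed for illustration.
"""

# Constructed labelled flows: (failed logins per minute, is_attack).
# Some legitimate users fumble passwords; some attackers spray slowly, so the
# two populations overlap and no threshold separates them perfectly.
FLOWS = [
    (0, False), (1, False), (2, False), (3, False), (4, False), (6, False),
    (3, True), (5, True), (8, True), (12, True), (20, True),
]


def evaluate(flows, threshold):
    """Flag any flow with a rate above threshold; return (tp, fp, fn, tn)."""
    tp = fp = fn = tn = 0
    for rate, is_attack in flows:
        flagged = rate > threshold
        if flagged and is_attack:
            tp += 1          # attack caught
        elif flagged:
            fp += 1          # legitimate user blocked (prevent mode) or noise alert (detect mode)
        elif is_attack:
            fn += 1          # attack missed
        else:
            tn += 1
    return tp, fp, fn, tn


def sweep(flows, thresholds):
    """Confusion counts for each candidate threshold."""
    return {t: evaluate(flows, t) for t in thresholds}


def best_threshold(flows, thresholds, fp_cost, fn_cost):
    """Pick the threshold minimising fp_cost*FP + fn_cost*FN.

    A business that prices a blocked legitimate user far above a missed attack
    (fp_cost >> fn_cost) is driven toward the relaxed end of the range.
    """
    def cost(t):
        _, fp, fn, _ = evaluate(flows, t)
        return fp_cost * fp + fn_cost * fn
    return min(thresholds, key=cost)


if __name__ == "__main__":
    for t, (tp, fp, fn, tn) in sweep(FLOWS, (2, 5, 10)).items():
        print(f"threshold {t:>2}: tp={tp} fp={fp} fn={fn} tn={tn}")
    print("productivity-first choice:", best_threshold(FLOWS, (2, 5, 10), fp_cost=10, fn_cost=1))
    print("security-first choice:    ", best_threshold(FLOWS, (2, 5, 10), fp_cost=1, fn_cost=10))
```

With these constructed flows, a threshold of 2 catches every attack but blocks three legitimate users, a threshold of 10 blocks nobody legitimate but misses three attacks, and no setting achieves both. Weighting false positives ten times more than misses selects the relaxed threshold, which is the same pressure that leads organisations to fall back to detection-only mode and then depend on analysts to act on the alerts.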
How to Choose the Right IPS Solution
With all of the limitations of IPS solutions, deploying an IPS may seem to bring little benefit to the organization. An IPS may require significant time and resources, only protect a fraction of the corporate resources, and may not even be able to block attacks from entering the corporate network.
However, these limitations apply primarily to hardware-based IPS solutions installed and managed in-house. A better approach is to deploy IPS functionality as part of a SASE solution, which solves all of these issues:
- Global Protection: All WAN and internet traffic is natively routed through a SASE PoP. This allows all traffic to be inspected and managed by the integrated IPS without sacrificing network performance.
- Cloud Scalability: SASE PoPs run a cloud-native software stack, which means that they can take advantage of the elastic scalability of the cloud. This removes the tradeoff between resource consumption and the size of the signature set that constrains a fixed-capacity appliance.
- Managed Security: SASE is available as a managed service. This outsources the responsibility for system maintenance and false positive management from the in-house security team to the SASE provider.
A SASE cloud delivering IPS functionality has broader visibility and more context than a traditional IPS, enabling organizations to also achieve protection against the threats that a traditional IPS can't catch. Learn more about what makes a great IPS or see for yourself how IPS-SASE integration supercharges IPS protection by signing up for a live demo of Cato Cloud.