Intrusion Prevention System (IPS)

An Intrusion Prevention System is also known as an Intrusion Detection and Prevention System. It is a network security application that monitors network or system activities for malicious activity. The major functions of intrusion prevention systems are to identify malicious activity, collect information about it, report it, and attempt to block or stop it. 

Intrusion prevention systems are contemplated as an augmentation of Intrusion Detection Systems (IDS) because both IPS and IDS monitor network traffic and system activities for malicious activity. 

An IPS typically records information related to observed events, notifies security administrators of important events, and produces reports. Many IPS can also respond to a detected threat by attempting to prevent it from succeeding. They use various response techniques, such as stopping the attack itself, changing the security environment, or altering the attack's content.

How Does an IPS Work?

An IPS works by analyzing network traffic in real-time and comparing it against known attack patterns and signatures. When the system detects suspicious traffic, it blocks it from entering the network.

1. Inline Deployment

An IPS is placed directly in the path of network traffic between your internal network and the internet or right behind a firewall. This position allows it to inspect every packet that flows through and immediately block anything suspicious before it causes harm.

2. Traffic Preprocessing

Before deep inspection begins, the IPS organizes the raw data:

• It normalizes traffic formats to prevent attackers from hiding threats using clever encoding tricks.
• It reassembles fragmented packets so that no data is missed.

3. Layered Packet Inspection

The IPS doesn’t just look at surface-level information. This “deep packet inspection” helps the IPS understand both the technical structure and the intent behind the traffic. It dives into:

• Network layer: Where packets come from and where they're going.
• Transport layer: How reliable or suspicious the connection looks.
• Application layer: What kind of data is being transmitted — like login info or file transfers.

4. Detection Mechanisms

Once packets are unpacked and understood, the IPS checks them using different techniques:

• Signature-Based Detection: Matches traffic against known attack patterns (like a fingerprint database).
• Anomaly-Based Detection: Flags anything that deviates from normal behavior — like an unusual spike in traffic.
• Behavior-Based Detection: Watches for odd or suspicious actions over time, such as repeated failed logins.
• Policy-Based Detection: Uses rules set by administrators — for example, blocking specific file types or countries.

5. Automated Response Actions

If the IPS detects a threat, it can act instantly:

• Drop malicious packets
• Block the source IP
• Terminate sessions
• Trigger alerts or logs
• Update firewall rules

6. Tuning and Maintenance

An effective IPS isn't a “set it and forget it” system. It needs regular updates and fine-tuning to:

• Keep up with evolving threats
• Reduce false positives (blocking safe traffic by mistake)
• Optimize performance under heavy loads

Types of IPS

There are two main types of IPS:

1. Network-Based IPS: Installed at the network perimeter, it monitors all traffic entering and exiting the network.
2. Host-Based IPS: Installed on individual hosts, it monitors traffic flowing in and out of the host.

Why Do You Need an IPS?

An IPS is an essential tool for network security. Here are some reasons why:

• Protection Against Known and Unknown Threats: An IPS can block known threats and also detect and block unknown threats that haven't been seen before.
• Real-Time Protection: An IPS can detect and block malicious traffic in real-time, preventing attacks from doing any damage.
• Compliance Requirements: Many industries have regulations that require the use of an IPS to protect sensitive information and prevent data breaches.
• Cost-Effective: An IPS is a cost-effective way to protect your network compared to the cost of dealing with the aftermath of a security breach.
• Increased Network Visibility: An IPS provides increased network visibility, allowing you to see what's happening on your network and identify potential security risks.

Classification of Intrusion Prevention System (IPS):

Intrusion Prevention System (IPS) is classified into 4 types: 

• Network-based intrusion prevention system (NIPS):  It monitors the entire network for suspicious traffic by analyzing protocol activity. 
• Wireless intrusion prevention system (WIPS):  It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols. 
• Network behavior analysis (NBA):  It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations. 
• Host-based intrusion prevention system (HIPS):  It is a built-in software package that monitors a single host for suspicious activity by scanning events that occur within it. 
  

Comparison of Intrusion Prevention System (IPS) Technologies:

Comparison of IPS with IDS: 

The main difference between an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS) is: 

1. Intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. 
2. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address. 
3. An IPS can also correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.