Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is an Intrusion Prevention System?


An Intrusion Prevention System (IPS) is a network security solution that is designed to continuously monitor network traffic for malicious activity. An IPS is essentially a more advanced Intrusion Detection System (IDS), which can detect and report on security threats.

However, an IPS can also respond to security threats. An Intrusion Prevention System can be deployed as a stand-alone solution (either a hardware appliance or software), or included as part of a next-generation firewall (NGFW) or unified threat management (UTM) solution.

How Does an Intrusion Prevention System Work?

An Intrusion Prevention System usually sits between the firewall and the other endpoints on the network and uses several techniques to identify malicious traffic:

Signature-based

This is where network traffic is analyzed for signatures that match well-known threats. Bear in mind that this method cannot detect brand-new attack vectors, because no signature exists for them yet.

Anomaly-based

This technique identifies anomalies by comparing traffic patterns with a pre-defined baseline. Some of the more sophisticated solutions use AI/machine learning techniques to learn what typical traffic looks like, and live traffic is then compared against that learned model to identify anomalous activity.

Policy-based

This technique blocks any traffic that violates the policies set up by the security team, and is less common than the previous two techniques. In some cases, the administrator will set up a “honeypot”, which contains fake data, in order to identify suspicious traffic.

All of the techniques above rely on automation to detect and block anomalous traffic, alert on it, or reset the connection.
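As an added illustration (not code from the Lepide post or product), the following Python sketch combines the three techniques over constructed flow records: a hypothetical signature list, a constructed byte-count baseline for anomaly scoring, and an allowed-port policy, with the combined verdict mapped to allow, alert or block.

```python
import re
from statistics import mean, pstdev

# Hypothetical demo signatures: pattern name -> regex applied to the payload.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.I),
}
# Constructed baseline of bytes-per-flow observed during a "normal" period.
BASELINE_BYTES = [480, 520, 510, 495, 530, 505, 515, 490, 525, 500]
# Constructed policy: destination ports the security team allows.
POLICY_ALLOWED_PORTS = {80, 443}

def signature_hits(payload):
    """Signature-based: names of known-bad patterns found in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def is_anomalous(size, baseline, z_limit=3.0):
    """Anomaly-based: True when size is more than z_limit std devs from the baseline mean."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:                    # flat baseline: anything that differs is anomalous
        return size != mu
    return abs(size - mu) / sigma > z_limit

def violates_policy(dst_port):
    """Policy-based: True for any flow to a port outside the allowed set."""
    return dst_port not in POLICY_ALLOWED_PORTS

def inspect(flow):
    """Combine all three techniques: block on signature or policy hit, alert on anomaly."""
    hits = signature_hits(flow["payload"])
    anomalous = is_anomalous(flow["bytes"], BASELINE_BYTES)
    policy = violates_policy(flow["dst_port"])
    if hits or policy:
        action = "block"
    elif anomalous:
        action = "alert"
    else:
        action = "allow"
    return {"src": flow["src"], "action": action, "signatures": hits,
            "anomalous": anomalous, "policy_violation": policy}

# Constructed sample flows (not real traffic captures).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 443, "bytes": 505, "payload": b"GET /index.html"},
    {"src": "10.0.0.9", "dst_port": 80, "bytes": 512, "payload": b"id=1 UNION SELECT name FROM t"},
    {"src": "10.0.0.7", "dst_port": 443, "bytes": 48000, "payload": b"POST /upload"},
    {"src": "10.0.0.3", "dst_port": 23, "bytes": 500, "payload": b"login"},
]
```

Running `inspect` over `SAMPLE_FLOWS` yields allow, block (signature), alert (size anomaly) and block (policy) respectively.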

Types of Intrusion Prevention Systems

There are four main types of Intrusion Prevention System, each of which has a slightly different purpose:

Network intrusion prevention system (NIPS)

This type of Intrusion Prevention System will sit behind the firewall and monitor all network traffic.

Host intrusion prevention system (HIPS)

A HIPS is installed on an endpoint and only monitors traffic that flows to and from that endpoint. Using NIPS and HIPS together will provide a more holistic and detailed view of your network’s security posture.

Network behavior analysis (NBA)

An NBA solution is designed to work alongside an Intrusion Prevention System to provide enhanced visibility over network traffic. NBA is able to use both signature and anomaly detection to detect activities that would otherwise be missed by the IPS solution. They also have the ability to map a user to an IP address, which can help with forensic analysis.

Wireless intrusion prevention system (WIPS)

This type of IPS is designed to scan Wi-Fi networks for unauthorized access and devices, and block/report them accordingly.

What are the Benefits of an Intrusion Prevention System?

Enhanced visibility

Using an IPS will give you more visibility over the way your network is being accessed and used. This will make it easier to comply with the relevant data protection regulations and standards, such as GDPR, HIPAA, and PCI-DSS.

Increased productivity

Since IPS solutions are mostly automated and filter out malicious traffic before it reaches the endpoints on your network, security teams will have less work to do, thus allowing them to focus on more productive endeavors.

More customized security

Using custom security policies with your IPS solution will enable you to set up security controls that are more relevant to your organization.

Why is an Intrusion Prevention System Important?

As the number of access points in a network grows, so does the attack surface. To make matters worse, attack vectors are becoming increasingly sophisticated. It would be infeasible to adequately monitor and regulate inbound and outbound traffic flows manually. As such, it is important to automate as many security tasks as possible, in order to take some of the pressure off IT teams.

An intrusion prevention system is just one of the many security solutions enterprises should have in place to keep their networks secure, and these solutions should ideally communicate with each other, or at least make their event logs accessible to other applications. The IPS typically sits behind the firewall, and will filter out threats that the firewall (and your antivirus solution) couldn’t detect. As mentioned above, you can also use HIPS, NBA, and WIPS solutions for added visibility.

Once traffic has been allowed to flow through your network perimeters, the focus then shifts towards user behavior analytics (UBA), which is about monitoring access to privileged accounts and sensitive data.

If you would like to know how Lepide can help with intrusion prevention, schedule a demo with one of our engineers.