An intrusion prevention system (IPS) – sometimes referred to as an intrusion detection prevention system (IDPS) – is a network security technology and key part of any enterprise security system that continuously monitors network traffic for suspicious activity and takes steps to prevent it. Largely automated, IPS solutions help filter out this malicious activity before it reaches other security devices or controls, effectively reducing the manual effort of security teams and allowing other security products to perform more efficiently.
IPS solutions are also very effective at detecting and preventing vulnerability exploits. When a vulnerability is discovered, there is typically a window of opportunity for threat actors to exploit it before a security patch can be applied. An intrusion prevention system is used here to quickly block these types of attacks. IPS appliances were originally built and released as stand-alone devices in the mid-2000s. Today, however, this functionality has been integrated into unified threat management (UTM) solutions for small and medium-sized companies, and into next-generation firewalls at the enterprise level. Next-generation IPS solutions are now connected to cloud-based computing and network services that enable them to provide a sophisticated approach to protecting against the ever-increasing cybersecurity threats facing local and global organizations worldwide.

How Intrusion Prevention Works

Unlike its predecessor, the intrusion detection system (IDS), which is a passive system that scans traffic and reports back on threats, the IPS is placed inline, directly in the flow of network traffic between the source and destination. Usually sitting right behind the firewall, the solution actively analyzes and takes automated actions on all traffic flows that enter the network. These actions can include:
As an inline security component, the IPS must work efficiently to avoid degrading network performance. It must also work fast, because exploits can happen in near-real time, and it must detect and respond accurately so as to eliminate threats without generating false positives (i.e., legitimate packets misread as threats). To do this successfully, several techniques are used for finding exploits and protecting the network from unauthorized access. These include:
Types of Intrusion Prevention Systems

There are several types of IPS solutions, which can be deployed for different purposes. These include:
Deep Learning for Evasive Threat Detection

To protect against the increase of sophisticated and evasive threats, intrusion prevention systems should deploy inline deep learning, which significantly enhances detections and accurately identifies never-before-seen malicious traffic without relying on signatures. Similar to the way neural networks function in our brains, deep-learning models go through several layers of analysis and process millions of data points in milliseconds. These sophisticated pattern recognition systems analyze network traffic activity with unparalleled accuracy, identifying never-before-seen malicious traffic inline with extremely low false-positive rates. This additional layer of intelligent protection that can be used by an IPS solution provides further protection of businesses' sensitive information and prevents sophisticated attacks that can paralyze an organization. To learn more about how IPS solutions work within a security infrastructure, check out this paper: Palo Alto Networks Approach to Intrusion Prevention.

Network administrators need to employ tools to protect their network and prevent malicious actors from gaining access. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are categories of tools commonly used for this purpose. It’s important to know the difference between them, which are best for certain types of organizations, and how to maximize their effectiveness. In this article, we’ll go over the differences between the two systems to help you decide which is best for your organization.

Basic overview: IDS vs. IPS

An intrusion detection system is more of an alerting system that lets an organization know if anomalous or malicious activity is detected. An intrusion prevention system takes this detection a step further and shuts down the traffic before access can be gained, or to prevent further movement within a network.

What is an IDS?

Five types and their functions

An IDS monitors and detects behavior across a network and should be considered a diagnostic solution. If the system detects something problematic, it will alert the security team so they can investigate. The five types of IDS leverage two types of detection:
Signature-based detection looks for known indicators of compromise, such as file hashes, traffic going to known malicious domains, malicious byte sequences, and even email subject lines known to be used in phishing attacks.
Anomaly-based detection looks for behavior that differs from an established baseline. For example, if you have set normal working hours for employees, an anomaly-based IDS may flag a login occurring over the weekend. The system may also alert you based on the amount of traffic connecting to your network, or on new devices being added without the right authorization. IDS types vary based on where they’re monitoring threats and how they’re detecting them.

1. Network intrusion detection systems (NIDS)

A network intrusion detection system will monitor traffic through various sensors, placed either via hardware or software, on the network itself. The system will then monitor all traffic going through devices across the multiple sensor points.

2. Host intrusion detection systems (HIDS)

A HIDS is placed directly on devices to monitor traffic, giving network administrators a bit more control and flexibility. However, this can become burdensome depending on the organization’s size. If an organization is only leveraging HIDS, the company would have to account for every new device added within the organization, leaving room for error while also taking up a lot of time.

3. Protocol-based intrusion detection systems (PIDS)

A protocol-based IDS is often placed at the front of a server and monitors traffic flowing to and from devices. This is leveraged to secure users browsing the internet.

4. Application protocol-based intrusion detection systems (APIDS)

An APIDS is similar to a protocol-based system but monitors traffic across a group of servers. This is often leveraged on specific application protocols to monitor activity, helping network administrators better segment and classify their network monitoring activities.

5. Hybrid intrusion detection systems

Hybrid IDS solutions provide a combination of the above types of intrusion detection. Some vendors' offerings cross multiple categories of IDS to cover multiple systems in one interface.

What is an IPS?

Four types and how they work

An IPS has the same detection functionality as an IDS but also contains response capabilities. An IPS solution has more agency and takes action when a potential attack, malicious behavior, or an unauthorized user is detected. The specific functions of an IPS depend on the type of solution, but in general, having an IPS in place is helpful to automate actions and contain threats without the need for an administrator.

1. Network-based intrusion prevention system (NIPS)

A NIPS monitors and protects an entire network from anomalous or suspicious behavior. This is a broad-based system that can be integrated with additional monitoring tools to help provide a comprehensive view of an organization’s network.

2. Wireless intrusion prevention system (WIPS)

WIPS are also quite common, often monitoring any wireless networks owned by an organization. This type is similar to a NIPS but is localized to wireless networks for more targeted detection and response.

3. Host-based intrusion prevention system (HIPS)

HIPS are often deployed on key devices or hosts that an organization needs to secure. The system will then monitor all traffic flowing to and from the host to detect malicious behavior.

4. Network behavioral analysis (NBA)

As opposed to a NIPS, an NBA solution looks for anomalous behavior within the traffic patterns of the network itself, making it key for detecting incidents such as DDoS attacks, policy violations, and other types of malware activity.

IDS vs. IPS: Similarities and differences

An IDS and an IPS are quite similar, particularly because of their similar detection process. However, their differences will dictate whether an organization opts for one over the other.

IDS and IPS similarities

Across the two solutions, you can expect a similar level of:
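To make the two detection approaches and the IDS/IPS response difference concrete, here is a small Python engine, added as an example and not code from either article or from any vendor product. It runs a signature matcher (hashes, domains, byte sequences, phishing subjects) and a baseline-deviation matcher (off-hours logins, traffic volume, unknown devices) over a handful of constructed events, then applies the response policy described above: detect-only alerts in IDS mode, inline drops in IPS mode. All indicators, baseline values, event records, and the choice to alert rather than drop on anomaly-only findings are assumptions made for this example.

```python
"""Toy IDS/IPS engine: signature vs. anomaly detection, alert-only (IDS)
or inline-prevent (IPS) mode. Added illustration; every indicator,
baseline value and event below is constructed, not a real IoC."""
from dataclasses import dataclass
from datetime import datetime

# Constructed signature set, one entry per indicator kind named in the text.
BAD_HASHES = {"CONSTRUCTED-BAD-SHA256-0001"}      # placeholder, not a real hash
BAD_DOMAINS = {"malicious.example"}               # reserved example TLD
BAD_BYTES = (b"\x13\x37\xbe\xef",)                # constructed byte pattern
PHISH_SUBJECTS = {"urgent: verify your account"}  # constructed subject line

# Constructed baseline the anomaly detector compares against.
BASELINE = {
    "work_days": {0, 1, 2, 3, 4},      # Monday..Friday per datetime.weekday()
    "work_hours": range(8, 18),        # 08:00-17:59
    "max_flow_bytes": 50_000_000,      # largest flow seen while baselining
    "known_devices": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}


def signature_findings(event):
    """Names of known-bad indicators matched by one event."""
    hits, kind = [], event["type"]
    if kind == "file" and event.get("sha256") in BAD_HASHES:
        hits.append("known-malicious-hash")
    if kind == "dns" and event.get("qname", "").lower() in BAD_DOMAINS:
        hits.append("known-malicious-domain")
    if kind == "flow" and any(s in event.get("payload", b"") for s in BAD_BYTES):
        hits.append("malicious-byte-sequence")
    if kind == "mail" and event.get("subject", "").lower() in PHISH_SUBJECTS:
        hits.append("known-phishing-subject")
    return hits


def anomaly_findings(event, baseline=BASELINE):
    """Names of deviations from the baseline found in one event."""
    hits, kind = [], event["type"]
    ts = datetime.fromisoformat(event["ts"])
    if kind == "login" and (ts.weekday() not in baseline["work_days"]
                            or ts.hour not in baseline["work_hours"]):
        hits.append("login-outside-working-hours")
    if kind == "flow" and event.get("bytes", 0) > baseline["max_flow_bytes"]:
        hits.append("traffic-volume-above-baseline")
    if kind == "device" and event.get("mac") not in baseline["known_devices"]:
        hits.append("unknown-device-joined")
    return hits


@dataclass
class Verdict:
    action: str          # "allow", "alert" or "drop"
    signature_hits: list
    anomaly_hits: list


def evaluate(event, mode="ids", baseline=BASELINE):
    """Run both detectors and apply the mode's response policy.
    IDS mode only alerts. IPS mode drops on a signature hit; an anomaly-only
    finding is alerted, not dropped (a design choice for this example:
    anomalies are lower-confidence, so blocking them inline risks false
    positives, the failure mode the inline-placement text warns about)."""
    sig = signature_findings(event)
    ano = anomaly_findings(event, baseline)
    if not sig and not ano:
        return Verdict("allow", sig, ano)
    if mode == "ids":
        return Verdict("alert", sig, ano)
    if mode == "ips":
        return Verdict("drop" if sig else "alert", sig, ano)
    raise ValueError(f"unknown mode: {mode!r}")


def run(events, mode="ids", baseline=BASELINE):
    """Evaluate a batch; returns (event type, action) pairs in input order."""
    return [(e["type"], evaluate(e, mode, baseline).action) for e in events]


# Constructed sample events. 2024-03-12 is a Tuesday; 2024-03-16 is a Saturday.
SAMPLE_EVENTS = [
    {"type": "dns", "ts": "2024-03-12T10:15:00", "qname": "malicious.example"},
    {"type": "login", "ts": "2024-03-16T02:30:00", "user": "alice"},
    {"type": "flow", "ts": "2024-03-12T11:00:00", "bytes": 120_000_000,
     "payload": b"GET /report.csv HTTP/1.1"},
    {"type": "flow", "ts": "2024-03-12T11:02:00", "bytes": 1_200,
     "payload": b"\x00\x13\x37\xbe\xef\x00"},
    {"type": "device", "ts": "2024-03-12T11:05:00", "mac": "aa:bb:cc:99:99:99"},
    {"type": "login", "ts": "2024-03-12T09:00:00", "user": "bob"},
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode.upper(), run(SAMPLE_EVENTS, mode))
```

Running the block shows the same six events producing only alerts in IDS mode, while IPS mode drops the two signature hits (the known-bad domain lookup and the flow carrying the constructed byte pattern) and still only alerts on the oversized flow, the weekend login, and the unknown device.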
IDS and IPS differences

Depending on how well resourced your security team is, the differences between the systems can be very important:
Why both IDS and IPS solutions are critical for cybersecurity

Organizations shouldn’t necessarily consider choosing one solution over another; both are extremely helpful, and many vendors offer an intrusion detection and prevention system, or IDPS, as a solution that provides the benefits of both. Detection and response capabilities have proven to be crucial for organizations not only to know when an attack has reached their perimeter but also to act accordingly. By employing effective detection and response solutions, companies are catching bad actors and reducing dwell time, minimizing the impact these actors can have. Security leaders should have an understanding of their organization’s needs, as well as a list of what data requires monitoring, before choosing the right IDS and/or IPS solution. They should also take stock of their own security department to determine whether they want an automated solution, whether they have the staff to react themselves, or whether they’d prefer a hybrid approach. We recommend leveraging both systems or a combined IDPS for effective protection. As organizations grow and scale, additional IDS/IPS solutions may be brought on to account for additional servers, networks, or devices. For a deeper look at network security and how you can enhance it, Varonis Edge has solutions to explore.