What is an Intrusion Prevention System?

5 min. read

Largely automated, IPS solutions help filter out malicious activity before it reaches other security devices or controls. This reduces the manual effort of security teams and allows other security products to perform more efficiently.

IPS solutions are also very effective at detecting and preventing vulnerability exploits. When a vulnerability is discovered, there is typically a window of opportunity for exploitation before a security patch can be applied. An intrusion prevention system is used here to quickly block these types of attacks.

IPS appliances were originally built and released as stand-alone devices in the mid-2000s. This functionality has been integrated into unified threat management (UTM) solutions as well as Next-Generation Firewalls. Next-generation IPS solutions are now connected to cloud-based computing and network services.

How Intrusion Prevention Systems Work

The IPS is placed inline, directly in the flow of network traffic between the source and destination. This is what differentiates IPS from its predecessor, the intrusion detection system (IDS). Conversely, IDS is a passive system that scans traffic and reports back on threats.

Usually sitting right behind the firewall, the solution analyzes all traffic flows that enter the network and takes automated actions when necessary.

These actions can include:

  • Sending an alarm to the administrator (as would be seen in an IDS)
  • Dropping the malicious packets
  • Blocking traffic from the source address
  • Resetting the connection
  • Configuring firewalls to prevent future attacks

Diagram an intrusion prevention system

As an inline security component, the IPS must be able to:

  • Work efficiently to avoid degrading network performance
  • Work fast, because exploits can happen in near-real time
  • Detect and respond accurately to eliminate threats and false positives (i.e., legitimate packets misread as threats).

To do this successfully, there are several techniques used for finding exploits and protecting the network from unauthorized access. These include:

  • Signature-based detection is a detection method based on a dictionary of uniquely identifiable patterns (or signatures) in the code of each exploit. As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two types:
    • Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt. The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream.
    • Vulnerability-facing signatures are broader signatures that target the underlying vulnerability in the system that is being targeted. These signatures allow networks to be protected from unidentified. They also raise the risk of false positives.
  • Anomaly-based detection takes samples of network traffic at random and compares them to a pre-calculated baseline performance level. When the traffic activity is outside the parameters of baseline performance, the IPS takes action.
  • Policy-based detection requires system administrators to configure security policies based on an organization’s security policies and network infrastructure. If any activity occurs that breaks a defined security policy, an alert is triggered and sent to the admins.

Types of Intrusion Prevention Systems

There are several types of IPS solutions, which can be deployed for different purposes. These include:

  • Network based intrusion prevention system (NIPS), which is installed at strategic points to monitor all network traffic and scan for threats.
  • Host intrusion prevention system (HIPS), which is installed on an endpoint and looks at inbound/outbound traffic from that machine only. Often combined with NIPS, an HIPS serves as a last line of defense for threats.
  • Network behavior analysis (NBA) analyzes network traffic to detect unusual traffic flows and spot new malware or zero-day vulnerabilities.
  • Wireless intrusion prevention system (WIPS) scans a Wi-Fi network for unauthorized access and removes any unauthorized devices.

The Benefits of Intrusion Prevention Systems

An intrusion prevention system comes with many security benefits:

  • Reduced business risks and additional security
  • Better visibility into attacks, and therefore better protection
  • Increased efficiency allows for Inspection of all traffic for threats
  • Less resources needed to manage vulnerabilities and patches

Critical Features of an IPS

An IPS is a critical tool for preventing some of the most threatening and advanced attacks. Look for the following capabilities in your chosen IPS:

  • IPS vulnerability protection
    Application vulnerabilities are a common initial step in the attack lifecycle for breaches, infections, and ransomware. While the number of vulnerabilities reported continues to increase every year, it only takes one vulnerability for adversaries to gain access to an organization.

    Critical vulnerabilities in applications, such as Apache Struts, Drupal, remote access, VPN, Microsoft Exchange, Microsoft SMB, OS,browsers, and IoT systems, continue to be the top attempted exploited vulnerabilities against organizations.

    Vulnerability exploitation and RDP compromise are two primary ways adversaries gain access to businesses and launch ransomware attacks. This makes vulnerability protection an essential part of security.

  • Antimalware protection
    A stream-based scanning engine detects known malware and its unknown variations, and then blocks them inline at high speeds. IPS and antimalware protection address multiple threat vectors with one service. This is a convenient alternative to purchasing and maintaining separate IPS products from legacy vendors.

  • Comprehensive command-and-control protection
    After initial infection, attackers communicate with the host machine through a covert C2 channel. The C2 channel is used to pull down additional malware, issue further instructions, and steal data.

    With the increasing use of tool sets like Cobalt Strike and encrypted or obfuscated traffic, it is easier for attackers to create completely customizable command-and-control channels. These channels cannot be stopped with traditional signature-based approaches.

    Therefore, it is essential that IPS solutions include capabilities to block and prevent unknown C2 inline. IPS solutions should also detect and stop outbound C2 communications from systems that may have been compromised by:
    • Known malware families
    • Web shells
    • Remote access Trojans

  • Automated security actions
    Security operations teams should be able to quickly act, quarantine, and effect policy to control potential infections. This includes stronger security policies and controls, such as automatic multi-factor authentication.

  • Broad visibility and granular control
    Incident response teams benefit from being able to immediately determine which systems are under attack and which users are potentially infected. This is far more efficient than guessing based on IP addresses. Giving policy control over applications and users to IT and security staff vastly simplifies network security policy creation and management.

  • Consistent, simplified policy management
    For comprehensive protection, modern distributed networks need consistent policies across the:
    • Corporate perimeter
    • Data center
    • Public and private clouds
    • SaaS applications
    • Remote users.

  • Automated threat intelligence
    Generating and consuming high-quality threat intelligence is important, but automatically turning that intelligence into protection is a necessity. Modern IPS must be able to automatically take advantage of threat intelligence to keep up with the speed of attacks.

Deep Learning for Evasive Threat Detection

To protect against the increase of sophisticated and evasive threats, intrusion prevention systems should deploy inline deep learning. Inline deep learning significantly enhances detections and accurately identifies never-before-seen malicious traffic without relying on signatures.

Deep-learning models go through several layers of analysis and process millions of data points in milliseconds. These sophisticated pattern recognition systems analyze network traffic activity with unparalleled accuracy. Such systems can also identifying unknown malicious traffic inline with few false positives. This additional layer of intelligent protection provides further protection of sensitive information and prevents attacks that can paralyze an organization.

To learn more about how IPS solutions work within a security infrastructure, check out this paper: Palo Alto Networks Approach to Intrusion Prevention.

Intrusion Prevention System FAQs

Q: What are two main types of intrusion prevention systems?

A: Intrusion Prevention Systems have several ways of detecting malicious activity but the two major methods used most commonly utilized are as follows: signature-based detection and statistical anomaly-based detection.

Q: What is the advantage of using an IPS system?

A: With an IPS, you have the benefit of identifying malicious activity, recording and reporting detected threats, and taking preventative action to stop a threat from doing serious damage.

Q: Do I need a Firewall with an IPS?

A: Yes. IPSs are necessary in part because they close the security holes that a firewall leaves unplugged. An instruction prevention system is designed to detect and deny access to malicious offenders before they can harm the system. An IPS is an integral part of next-generation firewalls that provide a much needed additional layer of security.