What is an Intrusion Prevention System (IPS)?

An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. Intrusion prevention systems continuously monitor your network, looking for possible malicious incidents and capturing information about them. The IPS reports these events to system administrators and takes preventative action, such as closing access points and configuring firewalls to prevent future attacks. IPS solutions can also be used to identify issues with corporate security policies, deterring employees and network guests from violating the rules these policies contain.

With so many access points present on a typical business network, it is essential that you have a way to monitor for signs of potential violations, incidents and imminent threats. Today's network threats are becoming more and more sophisticated and able to infiltrate even the most robust security solutions.

When looking into IPS solutions, you may also come across intrusion detection systems (IDS). Before we look into how intrusion prevention systems work, let's take a look at the difference between IPS and IDS.

The main difference between IPS and IDS is the action they take when a potential incident has been detected.

• Intrusion prevention systems control the access to an IT network and protect it from abuse and attack. These systems are designed to monitor intrusion data and take the necessary action to prevent an attack from developing.
• Intrusion detection systems are not designed to block attacks and will simply monitor the network and send alerts to systems administrators if a potential threat is detected.

Intrusion prevention systems work by scanning all network traffic. There are a number of different threats that an IPS is designed to prevent, including:

• Denial of Service (DoS) attack
• Distributed Denial of Service (DDoS) attack
• Various types of exploits
• Worms
• Viruses

The IPS performs real-time packet inspection, deeply inspecting every packet that travels across the network. If any malicious or suspicious packets are detected, the IPS will carry out one of the following actions:

• Terminate the TCP session that has been exploited and block the offending source IP address or user account from accessing any application, target hosts or other network resources unethically.
• Reprogram or reconfigure the firewall to prevent a similar attack occurring in the future.
• Remove or replace any malicious content that remains on the network following an attack. This is done by repackaging payloads, removing header information and removing any infected attachments from file or email servers.

An intrusion prevention system is typically configured to use a number of different approaches to protect the network from unauthorised access. These include:

• Signature-Based - The signature-based approach uses predefined signatures of well-known network threats. When an attack is initiated that matches one of these signatures or patterns, the system takes necessary action.
• Anomaly-Based - The anomaly-based approach monitors for any abnormal or unexpected behavior on the network. If an anomaly is detected, the system blocks access to the target host immediately.
• Policy-Based - This approach requires administrators to configure security policies according to organizational security policies and the network infrastructure. When an activity occurs that violates a security policy, an alert is triggered and sent to the system administrators.

IPS solutions offer proactive prevention against some of today's most notorious network exploits. When deployed correctly, an IPS prevents severe damage from being caused by malicious or unwanted packets and brute force attacks.

Next Generation Firewall (NGFW) from ForcePoint provides advanced intrusion prevention and detection for any network, allowing you to respond to threats within minutes, not hours, and protect your most critical data and application assets.