Vulnerability assessment, the use of cyber intelligence feeds, attack surface management and other processes are all used to prevent threats from becoming security breaches. Organizations have also turned to solutions that detect and prevent cyberattacks by monitoring early indicators of attack in network traffic. After all, nearly all types of cyber threats use network communications as part of the attack.

The concept of monitoring network traffic to detect anomalous activity has been around for decades, with intrusion detection systems (IDS) the go-to solution for this purpose. As networks and their threats advanced, so did the need for a solution that can combine detection and threat response. The technology that resulted from this are intrusion prevention systems.

What are intrusion prevention systems (IPS)?

If we go back to the analogy of an IDS being a security system in your house, then IPS would be the security guard who can actively put a halt to incoming threats. While the security system is important in that it can alert the guard of a potential threat, it can’t take any action against it.

An intrusion prevention system (IPS) is a network security solution that continuously monitors the traffic going in and out of an organization’s network. It looks for potentially malicious activity and takes action against any such wrongdoing by alerting, stopping or dropping it from continuing.

Since exploits can be executed rather quickly after a malicious actor gains initial access to a network, intrusion prevention systems carry out an automated response to a suspected threat, based on pre-established rules.

IPS is used as one of the measures in an incident response plan, and in terms of technology, organizations use IPS for identifying insider threats that can result in internal security policy issues or compliance violations. IPS solutions shine the most, though, when it comes to preventing external cyber threats.

Some of the most common network threats IPS is designed to prevent are:

• DDoS attacks
• Computer viruses
• Brute force attacks
• Zero-day exploits
• Buffer overflow attacks
• ARP spoofing.

IPS has become one of the founding blocks of many organizations’ security strategies and infrastructures.

Evolution of IPS

In the early days of IPS technology, few organizations used it due to different concerns. IPS sat in line between an organization’s network and the internet, and because early IPS systems relied on using a signature database against which they would match observed network traffic, the process had the potential to actually slow down network traffic—which certainly isn’t ideal. Additionally, there were concerns over IPS blocking potentially harmless traffic; at that time, IPS would immediately block anomalous traffic whenever it was detected. Organizations would then run the risk of blocking traffic from actual prospects (also not ideal).

The developing advancements in IPS, which led to what is commonly referred to as next-generation IPS, helped bridge these holes in functionality with faster deep-packet inspection, machine learning for detection and sandboxing and/or emulation capabilities.

Today, we commonly see IPS as part of next-generation firewalls (NGFW). This gives IPS more advanced abilities to take action and block malicious traffic and malware, and reconfigure the firewall itself to block future traffic of the same kind.

How does an intrusion prevention system work?

The main goal of intrusion prevention systems is to quickly identify suspicious activity, log relevant information and attempt to block that activity while it reports it to the security team. IPS stands on the perimeter of the network and provides active scanning and real-time traffic analysis to spot malicious activity and known attack patterns, or compares the traffic to see if it falls outside the network’s predefined, accepted behaviour.

IPS detection methods

IPS uses detection methods similar to those employed by IDS. It’s usually configured to use a combination of different approaches for the detection of suspicious behaviour on a network, and for protecting the network from unauthorized access.

IPS detection methods include:

• Signature-based: These methods detect suspicious behaviour by monitoring packets travelling through the network and comparing them against a database of signatures of known vulnerabilities and threats. When it discovers a match to a signature, it uses prevention methods to stop it. For every new threat, a signature must be created, but zero-day exploits and new types of threats can’t be detected.
• Anomaly-based: An anomaly-based detection approach involves monitoring network traffic, and instead of comparing it against known vulnerabilities and threats, uses a pre-established baseline of normal network behaviour. Once it identifies traffic as not falling into the accepted behaviour baseline, it will take action against it. This type of method allows for the detection and prevention of unknown attacks and zero-day vulnerabilities.
• Policy-based: Less commonly used than signature- and anomaly-based approaches, a policy-based approach works with preconfigured policies set up according to an organization’s security policies. The IPS would monitor activity and signal alerts for any behaviour that violates the policies.

IPS prevention methods

If an IPS determines a packet to be malicious, it can drop it or take several different actions. It can terminate the session, blocking the malicious IP from accessing any area of the network; it can also reconfigure the firewall to effectively prevent this kind of an attack from repeating. Some IPS detection mechanisms include packet anomaly detection, address matching, generic pattern matching, port matching, and more.

During the course of the IPS taking action and employing different detection methods, it will typically record information, notify security administrators and create reports.

Types of intrusion prevention systems

Intrusion prevention systems are usually categorized in four distinct types:

Network intrusion prevention systems (NIPS) monitor network behaviour to spot any suspicious traffic. It proactively monitors for threats, most commonly those being used for DDoS attacks.

Host intrusion prevention systems (HIPS) stand on a single endpoint/host, and monitor and analyze all inbound/outbound traffic on it. It is usually an additional piece of software, used in combination with a NIPS.

As we’ve noticed, IPS methods are grouped by their position in the network, and the type of traffic they analyze. A wireless intrusion prevention system (WIPS), for instance, monitors and analyzes network protocol activity across the wireless network, looks for unauthorized traffic, and kicks it off the network upon finding it.

Network behavior analysis (NBA) was designed as an added layer of security to other software (IPS, firewalls, SIEM). NBA works in a different way than other types of IPS, and is based on anomaly-based detection methods. It listens to traffic so it can establish the baseline of trustworthy traffic, then looks for flow anomalies.

Benefits of intrusion prevention systems

Intrusion prevention systems have been around for a long time, and have lived through many iterations and inclusions into other technologies. As something of a standard in any cybersecurity strategy, IPS has many benefits:

• Automating response: IPS methods send alerts and protect the network from detected threats automatically, putting a halt to them without actual investment from the security team. This leaves more time for the team to deal with controls that need their involvement after a threat has been stopped.
• Further security: IPS are often used side-by-side with other security solutions to provide additional threat detection and cover more bases.
• Increasing efficiency: As the first line of defense, the network perimeter is the main boundary between a network and the outside world. IPS is a perimeter security solution, just like a firewall, and monitors all traffic in general, stopping any malicious traffic before it can reach other security controls, allowing them to work more efficiently.
• Privacy: While IPS monitors and analyzes network traffic, it only records network activity for suspicious traffic. It doesn’t store or view the contents, maintaining the privacy of the network’s users.
• Compliance: Regulatory and corporate compliance often has requirements when it comes to technology investment. IPS solutions fulfill many compliance requirements, such as those by HIPAA and PCI DSS, among others. IPS also provides tracking and reports on valuable data that is used for auditing purposes for compliance.
• Enforcing security policies: IPS solutions can help organizations enforce a network’s set internal security policies. Security teams can set up an IPS to provide specific security controls.
• Protection against various threats: As mentioned above, an IPS can protect from a wide range of network threats, depending on the type of the IPS and detection it uses. Generally, IPS protect against brute force attacks, DDoS attacks and most importantly, zero-day threats.

Shortcomings of IPS

While the pros usually compensate for the cons, it’s still important to address the limitations and disadvantages of intrusion prevention systems.

When we talked about the evolution of IPS technology, we mentioned that even in the early 2000s there were concerns over IPS blocking potentially harmless traffic. If an IPS produces a false positive—wrongly recognizes traffic as malicious—it will block that activity on a network, thus potentially blocking an important prospect or any other legitimate user of the network..

Furthermore, if an organization’s network doesn’t have enough bandwidth and capacity, a solution such as an IPS could slow a system down. And employing multiple IPS methods on a network (which is not that rare, considering traffic needs to pass each one to reach the user) can also cause a loss in network performance.

IDS vs. IPS – which is better?

To really understand the IDS vs. IPS debate, we need to review the systems’ similarities and variations, only then we will be able to identify the difference between IDS and IPS. The conundrum evolves just as the two technologies advance—the IDS solution from a couple of years ago can’t compare with today’s, and gets quite close to the abilities IPS possesses.

Intrusion prevention systems were designed to expand on the capabilities of intrusion detection systems. And while both IPS and IDS share the same goal and ability to monitor network traffic, IPS is capable of blocking detected malicious activity. Because there’s a high chance of attack after a network intrusion, IPS can take immediate action and stop malicious traffic, based on pre-established parameters.

Both IPS and IDS send alerts to the security team when they detect suspicious network activity on the network. An IDS sends intrusion alerts in a passive way—by simply monitoring and notifying. An IPS, on the other hand, is an active system that both alerts and protects the network by stopping the threat.

Both systems can also use machine learning to understand attack patterns, recognize threats, and track records of anomalous activity.

Further differences include the actual protection each system provides. An IDS can’t go further than alerting of an intrusion, leaving the human to take action. An IPS automates the process of alerting and taking action so it detects, stops and alerts on its own. This allows the security team to focus on actions where human interaction is necessary.

The two systems draw the line at false positives as well. If an IDS produces a false positive alert, there aren’t any consequences; it’s simply a false positive. On the other hand, an IPS producing a false positive does lead to consequences because it’s programmed to stop any suspicious activity it detects. In such a scenario, an IPS can shut down important, though benign, traffic.

Workarounds to the IDS vs. IPS debate include deploying both solutions or turning to vendors who have already integrated both to provide IDS/IPS solutions that combine their functionalities into a single solution. In this case, IPS will act as a (pro)active network security measure, while the IDS will allow you visibility over traffic in the network.

Conclusion

Questioning whether you should use IDS or IPS is similar to questioning whether reactive or proactive security measures are inherently better. The answer is neither, as both serve specific purposes. The same rings true for IDS and IPS. The best solution is always both, and with the plethora of vendors today offering solutions that combine the capabilities of the two, it’s almost certain that a solution that works with your network and strategy is an easy to find.

SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.