3. INTRUSION PREVENTION SYSTEMS (IPSs)

3.1. Introduction to Intrusion Prevention Systems

An intrusion prevention system, or IPS, is a network security tool that continuously monitors a network for malicious activity and takes action to prevent it when it occurs, such as reporting, blocking or dropping the offending traffic. Its name resembles that of the previously described mechanism (intrusion detection systems), but an IDS only identifies suspicious activity and takes no action on it, so by itself it does not prevent an attack from occurring.

Moreover, an IPS is a more advanced system than the IDS and is often included as part of a next-generation firewall or a unified threat management solution. It is also common to see it working together with an IDS, such as the solutions described earlier (Snort and Suricata); note that both of those tools can themselves run in inline mode and then act as an IPS rather than as a passive sensor.

Like other security systems, an IPS can be found in both software and hardware form. The software can be installed on any computer placed on the network for protection, always taking into consideration the hardware requirements of that machine. Also, like many other network security technologies, an IPS must be powerful enough to handle a large volume of network traffic without slowing down network performance.

An intrusion prevention system is placed inline, in the flow of the network traffic, between the source and the destination. Like an IDS, the IPS is commonly found between the private and the public networks, so that it can analyse and monitor all communication between the two and protect the private network from attacks and other security intrusions. Though it sits between the two networks, it is usually placed behind the firewall, so that it only inspects traffic the firewall has already allowed through.

On its own, an IPS is not capable of fully protecting the network; it usually works together with other security tools and solutions, identifying threats that those solutions cannot identify.

Moreover, because an IPS filters out malicious traffic before it reaches other security devices and controls, it reduces the workload on those controls and allows them to perform more efficiently. Since it is largely automated, the IPS requires less time investment from IT teams and helps meet many of the compliance requirements set forth by PCI DSS, HIPAA and others. In addition, an IPS provides valuable audit data that can be used for further analysis of an intrusion or attack. Such data gives a complete view of the incident and helps identify the source of the intrusion and how to prevent it from happening again.

Like the majority of other security systems and tools, IPSs can be customized with tailored policies to meet the specific needs of the organization and of the network being protected.

Beyond preventing intrusions, IPS solutions are also very effective at detecting and preventing vulnerability exploits. When a vulnerability is discovered, there is typically a window in which threat actors have the opportunity to exploit it before a security patch is available or deployed. An intrusion prevention system can quickly block these types of attacks and protect the network while the patch is not yet in place (often called "virtual patching"); this only works for exploits the IPS has a signature or behavioural rule for, so it complements patching rather than replacing it.

IPS appliances were originally built and released as stand-alone devices in the mid-2000s. Today this functionality has been integrated into unified threat management tools, along with other security tools and services, for small and medium-sized companies, and into next-generation firewalls at the enterprise level.

Newer IPS solutions are increasingly connected to cloud-based services (such as shared threat intelligence and reputation feeds) that allow them to take a more sophisticated approach to the ever-increasing cybersecurity threats facing organizations worldwide.

Unlike an IDS, which works passively, only detecting and alerting on possible intrusions and threats, the IPS is placed inline, checking all inbound and outbound traffic between the private and public networks, sitting right behind the firewall or being part of it. The IPS actively analyses every traffic flow that enters the network and takes automated actions such as:

·      Sending an alarm to the administrator (just like an IDS).

·      Dropping the malicious packets.

·      Blocking traffic from the source address.

·      Resetting the connection.

·      Configuring firewalls to prevent future attacks.


As an inline security tool, the IPS must work efficiently to avoid degrading network performance: it must be powerful enough to properly secure the network while keeping its normal functions working. It must also act quickly, because exploits happen in near real time, and it must detect and respond accurately, eliminating threats while keeping false positive alarms low. Accuracy matters more for an IPS than for an IDS, since a false positive in inline mode does not merely raise a spurious alert but blocks legitimate traffic, and an IPS that fails or is overloaded can itself become a network outage unless it is deployed to fail open. To achieve this, several techniques and approaches are used to find exploits and protect the network from unauthorized access.
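The following added example (written for this page, not code from Snort, Suricata or any IPS product) models the difference between a passive IDS and an inline IPS over the same constructed packet stream. The rules, addresses and payloads are all made up for illustration; each rule carries one of the actions listed above (alert, drop, reject/reset, block source plus a simulated firewall push). Running the engine in "ids" mode shows that every match still raises an alarm but nothing is altered, while "ips" mode returns a verdict per packet. It also shows the practitioner's caveat: once a source is blocked, even its later benign packets are dropped, so a false positive on a "block source" rule has a lasting cost.

```python
"""Toy inline IPS decision engine (illustrative only; not a real product's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    """Constructed packet: only the fields the toy rules look at."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """A content-match rule, loosely modelled on a Snort/Suricata 'content:' rule."""
    name: str
    pattern: bytes
    action: str                 # "alert", "drop", "reject" or "block_source"
    dport: Optional[int] = None # None means any destination port


@dataclass
class Engine:
    rules: List[Rule]
    mode: str = "ips"           # "ids": passive, never alters traffic; "ips": inline
    blocked_sources: Set[str] = field(default_factory=set)
    alerts: List[Tuple[str, str]] = field(default_factory=list)
    firewall_rules: List[str] = field(default_factory=list)  # simulated firewall pushes

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'pass', 'drop' or 'reset'."""
        # Stateful source block: everything from a blocked source is dropped,
        # benign or not, before any rule is evaluated (collateral of block_source).
        if self.mode == "ips" and pkt.src in self.blocked_sources:
            return "drop"
        for rule in self.rules:
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.pattern not in pkt.payload:
                continue
            self.alerts.append((rule.name, pkt.src))   # every match raises an alarm
            if self.mode == "ids" or rule.action == "alert":
                return "pass"                            # alert only, traffic continues
            if rule.action == "drop":
                return "drop"                            # silently discard the packet
            if rule.action == "reject":
                return "reset"                           # drop and send TCP RST to both ends
            if rule.action == "block_source":
                self.blocked_sources.add(pkt.src)
                self.firewall_rules.append(f"deny from {pkt.src}")  # configure firewall
                return "drop"
        return "pass"


# Constructed rule set and packet stream (hypothetical addresses from RFC 5737 ranges).
RULES = [
    Rule("sqli-probe", b"' OR 1=1", "drop", dport=80),
    Rule("shell-spawn", b"/bin/sh", "block_source"),
    Rule("scanner-ua", b"sqlmap", "alert", dport=80),
    Rule("telnet-login", b"login:", "reject", dport=23),
]

PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /login?user=' OR 1=1-- HTTP/1.1"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /about HTTP/1.1"),      # drop did not block src
    Packet("203.0.113.9", "192.0.2.11", 8080, b"POST /cgi?cmd=/bin/sh HTTP/1.1"),
    Packet("203.0.113.9", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),  # benign, but src blocked
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.0"),
    Packet("198.51.100.7", "192.0.2.12", 23, b"login: root"),
]


def run(engine: Engine, packets: List[Packet]) -> List[str]:
    """Feed packets through the engine in order and collect the verdicts."""
    return [engine.inspect(p) for p in packets]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        eng = Engine(RULES, mode=mode)
        print(mode, run(eng, PACKETS), "alerts:", len(eng.alerts),
              "blocked:", sorted(eng.blocked_sources), "fw:", eng.firewall_rules)
```

In "ids" mode every packet passes and four alarms are raised; in "ips" mode the same four alarms are raised, but the SQL probe is dropped, the telnet login gets a reset, the source that spawned a shell is blocked and a firewall rule is pushed, and that source's later benign request is dropped too. The "alert"-only scanner rule shows that an IPS can still be configured to behave like an IDS for low-confidence signatures, which is the usual way to limit the damage of false positives.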