An intrusion prevention system (IPS) monitors network traffic for potential threats and automatically takes action to block them by alerting the security team, terminating dangerous connections, removing malicious content, or triggering other security devices.
IPS solutions evolved from intrusion detection systems (IDSs), which detect and report threats to the security team. An IPS has the same threat detection and reporting functions as an IDS plus automated threat prevention abilities, which is why IPSs are sometimes called "intrusion detection and prevention systems" (IDPS).
Because an IPS can directly block malicious traffic, it can lighten workloads for security teams and security operations centers (SOCs), allowing them to focus on more complex threats. IPSs can help enforce network security policies by blocking unauthorized actions from legitimate users, and they can support compliance efforts. For example, an IPS would fulfill the Payment Card Industry Data Security Standard (PCI-DSS) requirement for intrusion detection measures.
IPSs use three primary threat detection methods, exclusively or in combination, to analyze traffic.
Signature-based detection methods analyze network packets for attack signatures—unique characteristics or behaviors associated with a specific threat. A sequence of code that appears in a particular malware variant is an example of an attack signature.
A signature-based IPS maintains a database of attack signatures against which it compares network packets. If a packet triggers a match to one of the signatures, the IPS takes action. Signature databases must be regularly updated with new threat intelligence as new cyberattacks emerge and existing attacks evolve. However, brand-new attacks that have not yet been analyzed for signatures can evade a signature-based IPS.
Anomaly-based detection methods use artificial intelligence and machine learning to create and continually refine a baseline model of normal network activity. The IPS compares ongoing network activity to the model and springs into action when it finds deviations, like a process using more bandwidth than typical or a device opening a port that's usually closed.
Because anomaly-based IPSs respond to any abnormal behavior, they can often block brand-new cyberattacks that might evade signature-based detection. They may even catch zero-day exploits—attacks that take advantage of software vulnerabilities before the software developer knows about them or has time to patch them.
However, anomaly-based IPSs may be more prone to false positives. Even benign activity, such as an authorized user accessing a sensitive network resource for the first time, can trigger an anomaly-based IPS. As a result, authorized users could be booted from the network or have their IP addresses blocked.
Policy-based detection methods are based on security policies set by the security team. Whenever a policy-based IPS detects an action that violates a security policy, it blocks the attempt.
For example, a SOC might set access control policies dictating which users and devices can access a host. If an unauthorized user tries connecting to the host, a policy-based IPS will stop them.
While policy-based IPSs offer customization, they can require a significant upfront investment. The security team must create a comprehensive set of policies outlining what is and isn't allowed throughout the network.
While most IPSs use the threat detection methods outlined above, some use less common techniques.
Reputation-based detection flags and blocks traffic from IP addresses and domains associated with malicious or suspicious activity. Stateful protocol analysis focuses on protocol behavior—for example, it might identify a distributed denial-of-service (DDoS) attack by detecting a single IP address making many simultaneous TCP connection requests in a short period.
When an IPS detects a threat, it logs the event and reports it to the SOC, often through a security information and event management (SIEM) tool (see "IPS and other security solutions" below).
But the IPS doesn't stop there. It automatically takes action against the threat, using techniques such as:
An IPS may end a user's session, block a specific IP address, or even block all traffic to a target. Some IPSs can redirect traffic to a honeypot, a decoy asset that makes the hackers think they've succeeded when, really, the SOC is watching them.
An IPS may allow traffic to continue but scrub the dangerous parts, such as by dropping malicious packets from a stream or removing a malicious attachment from an email.
An IPS may prompt other security devices to act, such as by updating firewall rules to block a threat or changing router settings to prevent hackers from reaching their targets.
Some IPSs can prevent attackers and unauthorized users from doing anything that violates company security policies. For example, if a user tries to transfer sensitive information out of a database it’s not supposed to leave, the IPS would block them.
IPS solutions can be software applications installed on endpoints, dedicated hardware devices connected to the network, or delivered as cloud services. Because IPSs must be able to block malicious activity in real time, they're always placed "inline" on the network, meaning traffic passes directly through the IPS before reaching its destination.
IPSs are categorized based on where they sit in a network and what kind of activity they monitor. Many organizations use multiple types of IPSs in their networks.
A network-based intrusion prevention system (NIPS) monitors inbound and outbound traffic to devices across the network, inspecting individual packets for suspicious activity. NIPS are placed at strategic points in the network. They often sit immediately behind firewalls at the network perimeter so they can stop malicious traffic that breaks through. NIPS may also be placed inside the network to monitor traffic to and from key assets, like critical data centers or devices.
A host-based intrusion prevention system (HIPS) is installed on a specific endpoint, like a laptop or server, and monitors only traffic to and from that device. HIPS are usually used in conjunction with NIPS to add extra security to vital assets. HIPS can also block malicious activity from a compromised network node, like ransomware spreading from an infected device.
Network behavior analysis (NBA) solutions monitor network traffic flows. While NBAs may inspect packets like other IPSs, many NBAs focus on higher-level details of communication sessions, such as source and destination IP addresses, ports used, and the number of packets transmitted.
NBAs use anomaly-based detection methods, flagging and blocking any flows that deviate from the norm, like DDoS attack traffic or a malware-infected device communicating with an unknown command and control server.
A wireless intrusion prevention system (WIPS) monitors wireless network protocols for suspicious activity, like unauthorized users and devices accessing the company's wifi. If a WIPS detects an unknown entity on a wireless network, it can terminate the connection. A WIPS can also help detect misconfigured or unsecured devices on a wifi network and intercept man-in-the-middle attacks, where a hacker secretly spies on users' communications.
While IPSs are available as standalone tools, they're designed to be closely integrated with other security solutions as part of a holistic cybersecurity system.
IPS alerts are often funneled to an organization's SIEM, where they can be combined with alerts and information from other security tools in a single, centralized dashboard. Integrating IPSs with SIEMs enables security teams to enrich IPS alerts with additional threat intelligence, filter out false alarms, and follow up on IPS activity to ensure threats have been successfully blocked. SIEMS can also help SOCs coordinate data from different kinds of IPSs, as many organizations use more than one type.
As mentioned earlier, IPSs evolved from IDSs and have many of the same features. While some organizations may use separate IPS and IDS solutions, most security teams deploy a single integrated solution that offers robust detection, logs, reporting, and automatic threat prevention. Many IPSs enable security teams to shut off prevention functions, allowing them to act as pure IDSs if the organization desires.
IPSs serve as a second line of defense behind firewalls. Firewalls block malicious traffic at the perimeter, and IPSs intercept anything that manages to breach the firewall and get into the network. Some firewalls, especially next-generation firewalls, have built-in IPS functions.
Catch hidden threats lurking in your network, before it’s too late. IBM Security QRadar Network Detection and Response (NDR) helps your security teams by analyzing network activity in real time. It combines depth and breadth of visibility with high-quality data and analytics to fuel actionable insights and response.
Get the security protection your organization needs to improve breach readiness with an incident response retainer subscription from IBM Security. When you engage with our elite team of IR consultants, you have trusted partners on standby to help reduce the time it takes to respond to an incident, minimize its impact and help you recover faster before a cybersecurity incident is suspected.
Stop ransomware from interrupting business continuity, and recover quickly when attacks occur—with a zero trust approach that helps you detect and respond to ransomware faster and minimize the impact of ransomware attacks.
As company networks grow, so does the risk of cyberattack. Learn how network security solutions protect computer systems from internal and external security threats.
SIEM monitors and analyzes security-related events in real-time, and logs and tracks security data for compliance or auditing purposes.
NDR uses artificial intelligence, machine learning and behavioral analytics to detect and response to suspicious network activity.