What is an intrusion prevention system (IPS)?

10 May 2023

What is an IPS?

An intrusion prevention system (IPS) monitors network traffic for potential threats and automatically blocks them by alerting the security team, terminating dangerous connections, removing malicious content or triggering other security devices.

IPS solutions evolved from intrusion detection systems (IDSs), which detect and report threats to the security team. An IPS has the same threat detection and reporting functions as an IDS plus automated threat prevention abilities, hence they are sometimes called "intrusion detection and prevention systems" (IDPS).

Because an IPS can directly block malicious traffic, it can lighten workloads for security teams and security operations centers (SOCs), allowing them to focus on more complex threats. IPSs can help enforce network security policies by blocking unauthorized actions from legitimate users, and they can support compliance efforts. For example, an IPS fulfills the Payment Card Industry Data Security Standard (PCI-DSS) requirement for intrusion detection measures.

IPS threat detection methods

IPSs use three primary threat detection methods, exclusively or in combination, to analyze traffic.

Signature-based detection 

Signature-based detection methods analyze network packets for attack signatures—unique characteristics or behaviors that are associated with a specific threat. A sequence of code that appears in a particular malware variant is an example of an attack signature.

A signature-based IPS maintains a database of attack signatures against which it compares network packets. If a packet triggers a match to one of the signatures, the IPS responds. Signature databases must be regularly updated with new threat intelligence as new cyberattacks emerge and existing attacks evolve. However, brand-new attacks that are not yet analyzed for signatures can evade a signature-based IPS.
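The matching loop described above, as an added example that is not part of the original article: a small constructed signature database (byte-pattern rules with made-up ids; the EICAR string is the industry-standard harmless scanner test string) is compared against constructed sample packets, and packets that hit a signature are dropped inline. The last sample packet shows the gap the text describes: a payload that no signature covers passes untouched.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int             # signature id, as an IPS rule database would assign
    name: str
    pattern: re.Pattern  # compiled bytes regex matched against the packet payload


# Constructed signature database for this example; not a vendor ruleset.
SIGNATURES = [
    Signature(1001, "directory traversal in request path", re.compile(rb"\.\./\.\./")),
    Signature(1002, "SQL tautology in form data",
              re.compile(rb"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    Signature(1003, "EICAR test file",
              re.compile(re.escape(b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR"))),
]


def match_packet(payload: bytes, signatures=SIGNATURES) -> list[Signature]:
    """Return every signature whose pattern occurs in the payload."""
    return [sig for sig in signatures if sig.pattern.search(payload)]


def inspect_packets(packets, signatures=SIGNATURES):
    """Inline inspection of (src, dst, payload) tuples.
    A packet that matches at least one signature is dropped; all others pass.
    Returns a list of (src, verdict, matched signature ids) in stream order."""
    results = []
    for src, dst, payload in packets:
        hits = match_packet(payload, signatures)
        verdict = "drop" if hits else "pass"
        results.append((src, verdict, [h.sid for h in hits]))
    return results


# Constructed sample packets using documentation address ranges.
SAMPLE_PACKETS = [
    ("10.0.0.7", "10.0.0.20", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("203.0.113.9", "10.0.0.20", b"GET /../../../../etc/passwd HTTP/1.1\r\n"),
    ("203.0.113.9", "10.0.0.21", b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x"),
    ("198.51.100.4", "10.0.0.30",
     b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"),
    # A payload from an attack nobody has written a signature for yet looks like
    # any other packet to this matcher: the evasion gap the text describes.
    ("198.51.100.4", "10.0.0.20", b"GET /report?id=42 HTTP/1.1\r\nX-New-Header: unseen\r\n"),
]

if __name__ == "__main__":
    for src, verdict, sids in inspect_packets(SAMPLE_PACKETS):
        print(f"{src:<14} {verdict:<5} {sids}")
```

A production IPS compiles thousands of such rules into a single automaton and reassembles TCP streams before matching, but the decision per packet is the same: a match means a response, and no match means the packet is forwarded, however hostile it may be.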

Anomaly-based detection

Anomaly-based detection methods use artificial intelligence and machine learning to create and continually refine a baseline model of normal network activity. The IPS compares ongoing network activity to the model and responds when it finds deviations, like a process that uses more bandwidth than typical or a device that opens a port that's usually closed.

Because anomaly-based IPSs respond to any abnormal behavior, they can often block brand-new cyberattacks that might evade signature-based detection. They can even detect zero-day exploits—attacks that take advantage of software vulnerabilities before the software developer knows about them or has time to patch them.

However, anomaly-based IPSs may be more prone to false positives. Even benign activity, such as an authorized user accessing a sensitive network resource for the first time, can trigger an anomaly-based IPS. As a result, authorized users could be booted from the network or have their IP addresses blocked.
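The baseline-and-deviation logic of the three paragraphs above, as an added example rather than code from the article: a per-device model (mean and standard deviation of bandwidth, plus the set of ports the device normally uses) is built from constructed observations, new activity is scored against it, and a benign first-time SSH session shows the false-positive problem. The z-score threshold, the device names and the analyst-approved exceptions list are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline observations: (device, bytes sent per minute, destination port).
# In a real deployment these come from days of captured traffic, not a hand-written list.
BASELINE_OBSERVATIONS = [
    ("ws-01", 1200, 443), ("ws-01", 1350, 443), ("ws-01", 980, 80),
    ("ws-01", 1100, 443), ("ws-01", 1250, 443),
    ("db-01", 52000, 5432), ("db-01", 49500, 5432), ("db-01", 51200, 5432),
    ("db-01", 50300, 5432), ("db-01", 48900, 5432),
]


def build_baseline(observations):
    """Per device: mean and standard deviation of bandwidth, plus the ports it normally uses."""
    per_device = defaultdict(lambda: {"bytes": [], "ports": set()})
    for device, nbytes, port in observations:
        per_device[device]["bytes"].append(nbytes)
        per_device[device]["ports"].add(port)
    model = {}
    for device, d in per_device.items():
        model[device] = {
            "mean": mean(d["bytes"]),
            "std": pstdev(d["bytes"]) or 1.0,   # avoid division by zero on constant data
            "ports": frozenset(d["ports"]),
        }
    return model


def score(model, device, nbytes, port, z_threshold=3.0, exceptions=frozenset()):
    """Return the reasons an observation deviates from the baseline; an empty list means normal.
    `exceptions` holds (device, port) pairs an analyst has reviewed and approved."""
    if device not in model:
        return ["unknown device: no baseline"]
    m = model[device]
    reasons = []
    z = (nbytes - m["mean"]) / m["std"]
    if z > z_threshold:
        reasons.append(f"bandwidth z-score {z:.1f} exceeds {z_threshold}")
    if port not in m["ports"] and (device, port) not in exceptions:
        reasons.append(f"port {port} not in baseline")
    return reasons


def refine(model, observations, device, nbytes, port):
    """Continual refinement: fold an observation confirmed as normal back into the baseline."""
    observations.append((device, nbytes, port))
    model.update(build_baseline(observations))


if __name__ == "__main__":
    model = build_baseline(BASELINE_OBSERVATIONS)
    # Normal traffic, a bandwidth spike, and a benign first-time SSH session that is
    # indistinguishable from an anomaly until an analyst approves it.
    for obs in [("ws-01", 1200, 443), ("ws-01", 9000, 443), ("ws-01", 1150, 22)]:
        print(obs, score(model, *obs) or "normal")
    print(("ws-01", 1150, 22),
          score(model, "ws-01", 1150, 22, exceptions={("ws-01", 22)}) or "normal")
```

The exceptions set and the `refine` step are where the false-positive cost is paid: without a review loop that feeds confirmed-benign activity back into the model, an inline anomaly engine keeps blocking the same legitimate users.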

Policy-based detection

Policy-based detection methods are based on security policies set by the security team. Whenever a policy-based IPS detects an action that violates a security policy, it blocks the attempt.

For example, a SOC might set access control policies dictating which users and devices can access a host. If an unauthorized user tries connecting to the host, a policy-based IPS stops them.

While policy-based IPSs offer customization, they can require a significant upfront investment. The security team must create a comprehensive set of policies outlining what is and isn't allowed throughout the network.
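The access-control case from the example above, written out as an added illustration (not code from the article): a constructed policy lists which user groups may reach which host, from which source network, on which port, and every connection attempt that no rule permits is denied. The user directory, host names and networks are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    groups: frozenset   # user groups the rule applies to
    src_net: ipaddress.IPv4Network
    host: str           # protected host the rule covers
    ports: frozenset    # destination ports permitted


# Constructed policy: who may reach which host, from where, on which port.
POLICY = [
    Rule(frozenset({"dba"}), ipaddress.ip_network("10.10.0.0/24"), "db-01", frozenset({5432})),
    Rule(frozenset({"dba", "dev"}), ipaddress.ip_network("10.10.0.0/24"), "db-01", frozenset({22})),
    Rule(frozenset({"dba", "dev", "staff"}), ipaddress.ip_network("10.0.0.0/8"), "web-01",
         frozenset({443})),
]

# Constructed directory mapping users to groups (in practice pulled from the identity provider).
USER_GROUPS = {"alice": {"dba"}, "bob": {"dev"}, "carol": {"staff"}}


def decide(user, src_ip, host, port, policy=POLICY, user_groups=USER_GROUPS):
    """Default deny: the connection is allowed only if some rule matches the user's groups,
    the source address, the target host and the port. Returns (verdict, matching rule)."""
    groups = user_groups.get(user, set())
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if (groups & rule.groups and ip in rule.src_net
                and host == rule.host and port in rule.ports):
            return ("allow", rule)
    return ("deny", None)


def enforce(attempts, policy=POLICY, user_groups=USER_GROUPS):
    """Evaluate a batch of (user, src_ip, host, port) attempts and return the denied ones,
    which the IPS would block and report."""
    return [a for a in attempts if decide(*a, policy, user_groups)[0] == "deny"]


# Constructed connection attempts.
SAMPLE_ATTEMPTS = [
    ("alice", "10.10.0.5", "db-01", 5432),     # DBA from the admin subnet: allowed
    ("bob", "10.10.0.6", "db-01", 5432),       # developer on the database port: denied
    ("bob", "10.10.0.6", "db-01", 22),         # developer over SSH: allowed
    ("alice", "192.168.1.1", "db-01", 5432),   # right user, wrong network: denied
    ("mallory", "10.10.0.7", "web-01", 443),   # unknown user: denied
    ("carol", "10.20.3.4", "web-01", 443),     # staff to the web tier: allowed
]

if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        print(attempt, decide(*attempt)[0])
```

The upfront investment the text mentions is visible even at this size: every legitimate path has to be enumerated before the default-deny rule can be switched on, and any path the team forgets becomes an outage rather than a silent gap.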

Less common threat detection methods

While most IPSs use the threat detection methods outlined above, some use less common techniques.

Reputation-based detection flags and blocks traffic from IP addresses and domains that are associated with malicious or suspicious activity. Stateful protocol analysis focuses on protocol behavior—for example, it might identify a distributed denial-of-service (DDoS) attack by detecting a single IP address making many simultaneous TCP connection requests in a short period.
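Both techniques in the paragraph above, as an added example that is not part of the article: a constructed reputation list (documentation-range addresses and a reserved example domain) and a stateful tracker that counts TCP connection requests per source inside a sliding window, which is how a single address opening many connections in a short period shows up. The window length and request limit are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed reputation lists using documentation ranges and a reserved example domain.
BLOCKLISTED_IPS = {"203.0.113.66"}
BLOCKLISTED_DOMAINS = {"bad.example"}


def reputation_check(src_ip, dst_domain=None, ips=BLOCKLISTED_IPS, domains=BLOCKLISTED_DOMAINS):
    """Return a reason string if the source IP or destination domain has a bad reputation."""
    if src_ip in ips:
        return f"source {src_ip} is on the IP blocklist"
    if dst_domain:
        name = dst_domain.lower()
        if name in domains or any(name.endswith("." + d) for d in domains):
            return f"destination {dst_domain} is on the domain blocklist"
    return None


class SynRateTracker:
    """Stateful protocol analysis: count TCP connection requests (SYNs) per source
    inside a sliding time window."""

    def __init__(self, window_seconds=1.0, max_syn_per_window=20):
        self.window = window_seconds
        self.limit = max_syn_per_window
        self.syns = defaultdict(deque)   # source ip -> timestamps of recent SYNs

    def observe(self, ts, src_ip):
        """Record one SYN; return True once the source exceeds the limit within the window."""
        q = self.syns[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                   # forget requests that have left the window
        return len(q) > self.limit


def analyze(events, tracker=None):
    """events: (timestamp, src_ip, dst_ip, tcp_flags) tuples in time order.
    Returns one alert per (source, reason) as (timestamp, src_ip, reason)."""
    tracker = tracker or SynRateTracker()
    alerts, seen = [], set()
    for ts, src, dst, flags in events:
        reason = reputation_check(src)
        if reason is None and flags == "S" and tracker.observe(ts, src):
            reason = f"more than {tracker.limit} SYNs in {tracker.window}s (possible DDoS)"
        if reason and (src, reason) not in seen:
            seen.add((src, reason))
            alerts.append((ts, src, reason))
    return alerts


# Constructed events: a normal client, a blocklisted source, and a flood of 30 SYNs in 0.3 s.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.7", "10.0.0.20", "S"), (0.5, "10.0.0.7", "10.0.0.20", "S"),
     (2.0, "10.0.0.7", "10.0.0.20", "S")]
    + [(1.0, "203.0.113.66", "10.0.0.20", "S")]
    + [(3.0 + 0.01 * i, "198.51.100.77", "10.0.0.20", "S") for i in range(30)]
)

if __name__ == "__main__":
    for ts, src, reason in analyze(SAMPLE_EVENTS):
        print(f"t={ts:.2f} {src}: {reason}")
```

Deduplicating on (source, reason) matters in practice: an inline device that raises one alert per excess packet during a flood amplifies the attack into the SOC's alert queue.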

IPS threat prevention methods

When an IPS detects a threat, it logs the event and reports it to the SOC, often through a security information and event management (SIEM) tool (see "IPS and other security solutions").

But the IPS doesn't stop there. It automatically takes action against the threat by using techniques such as:

Blocking malicious traffic

An IPS may end a user's session, block a specific IP address or even block all traffic to a target. Some IPSs can redirect traffic to a honeypot, a decoy asset that makes the hackers think they've succeeded when, really, the SOC is watching them.

Removing malicious content

An IPS may allow traffic to continue but scrub the dangerous parts, such as by dropping malicious packets from a stream or removing a malicious attachment from an email.

Triggering other security devices

An IPS may prompt other security devices to act, such as by updating firewall rules to block a threat or changing router settings to prevent hackers from reaching their targets.

Enforcing security policies

Some IPSs can prevent attackers and unauthorized users from doing anything that violates company security policies. For example, if a user tries to transfer sensitive information out of a database it’s not supposed to leave, the IPS would block them.
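The four response techniques above, combined in one added example that is not code from the article: an inline pass over a constructed packet stream drops traffic from blocked sources and terminated sessions, scrubs packets the detection stage flagged as malicious while the rest of the session continues, ends any session carrying a sensitive marker toward an address outside the internal range (the policy case), and records an `iptables` rule when a source is blocked so a perimeter firewall can pick it up. The internal network, the `CONFIDENTIAL` marker and the per-packet verdicts are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    session: str
    payload: bytes
    malicious: bool = False   # verdict handed over by the detection stage (constructed here)


@dataclass
class ResponseState:
    blocked_ips: set = field(default_factory=set)
    terminated_sessions: set = field(default_factory=set)
    firewall_rules: list = field(default_factory=list)   # rules pushed to the perimeter firewall
    alerts: list = field(default_factory=list)           # events reported to the SOC / SIEM


# Constructed: the organisation's internal address space and the marker the policy protects.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE = re.compile(rb"CONFIDENTIAL")


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def block_ip(state, ip, reason):
    """Block a source outright and trigger the firewall by emitting a rule it can load."""
    state.blocked_ips.add(ip)
    state.firewall_rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    state.alerts.append(("block_ip", ip, reason))


def terminate_session(state, session, reason):
    state.terminated_sessions.add(session)
    state.alerts.append(("terminate", session, reason))


def enforce(packets, state):
    """One inline pass over the stream. Blocked sources and terminated sessions are dropped,
    malicious packets are scrubbed while the rest of their session continues, and sensitive
    content bound for outside the network ends that session. Returns the forwarded packets."""
    forwarded = []
    for p in packets:
        if p.src in state.blocked_ips or p.session in state.terminated_sessions:
            continue
        if p.malicious:
            state.alerts.append(("scrub", p.session, "malicious packet removed from stream"))
            continue
        if SENSITIVE.search(p.payload) and is_external(p.dst):
            terminate_session(state, p.session, "sensitive data leaving the network")
            continue
        forwarded.append(p)
    return forwarded


# Constructed packet stream (documentation address ranges for the external hosts).
SAMPLE_STREAM = [
    Packet("10.0.0.7", "10.0.0.20", "s1", b"hello"),
    Packet("203.0.113.9", "10.0.0.20", "s2", b"flagged-by-detection", malicious=True),
    Packet("203.0.113.9", "10.0.0.20", "s2", b"benign follow-up in the same session"),
    Packet("10.0.0.30", "198.51.100.4", "s3", b"CONFIDENTIAL: customer export"),
    Packet("10.0.0.30", "198.51.100.4", "s3", b"more rows of the export"),
    Packet("10.0.0.30", "10.0.0.40", "s4", b"CONFIDENTIAL: internal copy"),
]

if __name__ == "__main__":
    state = ResponseState()
    print([p.session for p in enforce(SAMPLE_STREAM, state)])   # first pass
    block_ip(state, "203.0.113.9", "repeated signature hits")
    print([p.session for p in enforce(SAMPLE_STREAM, state)])   # after the block
    print(state.firewall_rules, state.alerts, sep="\n")
```

Keeping the response state separate from the packet loop is what lets the SOC audit and reverse an action later: every block, termination and scrub is recorded as an alert, and the firewall rule list is the hand-off to the other device.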

Types of intrusion prevention systems

IPS solutions can be software applications installed on endpoints, dedicated hardware devices connected to the network or cloud-delivered services. Because IPSs must be able to block malicious activity in real time, they're always placed "inline" on the network, meaning traffic passes directly through the IPS before reaching its destination.

IPSs are categorized based on where they sit in a network and what kind of activity they monitor. Many organizations use multiple types of IPSs in their networks.

Network-based intrusion prevention systems (NIPS)

A network-based intrusion prevention system (NIPS) monitors inbound and outbound traffic to devices across the network, inspecting individual packets for suspicious activity. NIPS sensors are placed at strategic points in the network. They often sit immediately behind firewalls at the network perimeter so they can stop malicious traffic that breaks through. NIPSs may also be placed inside the network to monitor traffic to and from key assets, like critical data centers or devices.

Host-based intrusion prevention systems (HIPS)

A host-based intrusion prevention system (HIPS) is installed on a specific endpoint, like a laptop or server, and monitors only traffic to and from that device. HIPS are usually used in conjunction with NIPS to add extra security to vital assets. HIPS can also block malicious activity from a compromised network node, like ransomware spreading from an infected device.

Network behavior analysis (NBA)

Network behavior analysis (NBA) solutions monitor network traffic flows. NBAs may inspect packets like other IPSs but many NBAs focus on higher-level details of communication sessions, such as source and destination IP addresses, ports used and the number of packets transmitted.

NBAs use anomaly-based detection methods, flagging and blocking any flows that deviate from the norm, like the traffic surge of a DDoS attack or a malware-infected device communicating with an unknown command-and-control server.

Wireless intrusion prevention systems (WIPS)

A wireless intrusion prevention system (WIPS) monitors wireless network protocols for suspicious activity, like unauthorized users and devices accessing the company's Wi-Fi. If a WIPS detects an unknown entity on a wireless network, it can terminate the connection. A WIPS can also help detect misconfigured or unsecured devices on a Wi-Fi network and intercept man-in-the-middle attacks, where a hacker secretly spies on users' communications.

IPS and other security solutions

While IPSs are available as standalone tools, they're designed to be closely integrated with other security solutions as part of a holistic cybersecurity system.

IPS and SIEM (security information and event management)

IPS alerts are often funneled to an organization's SIEM, where they can be combined with alerts and information from other security tools in a single, centralized dashboard. Integrating IPSs with SIEMs enables security teams to enrich IPS alerts with extra threat intelligence, filter out false alarms and follow up on IPS activity to ensure that threats have been successfully blocked. SIEMs can also help SOCs coordinate data from different kinds of IPSs, as many organizations use more than one type.

IPS and IDS (intrusion detection system)

As mentioned earlier, IPSs evolved from IDSs and have many of the same features. While some organizations may use separate IPS and IDS solutions, most security teams deploy a single integrated solution that offers robust detection, logs, reporting and automatic threat prevention. Many IPSs enable security teams to shut off prevention functions, allowing them to act as pure IDSs if the organization desires.

IPS and firewalls

IPSs serve as a second line of defense behind firewalls. Firewalls block malicious traffic at the perimeter, and IPSs intercept anything that manages to breach the firewall and get into the network. Some firewalls, especially next-generation firewalls, have built-in IPS functions.
