What is an Intrusion Prevention System (IPS)?
An intrusion prevention system (IPS) is a form of network security that detects and anticipates identified threats. It constantly monitors the network to detect possible malicious incidents and to acquire information about them. The IPS then reports these events to the system administrator and takes appropriate preventive measures, such as closing access points and reconfiguring firewalls, to prevent future attacks. IPS solutions can also be used to identify problems in corporate security policies and to act as a deterrent, preventing employees and network guests from violating the rules contained in those policies.
Given the large number of access points in a typical corporate network, it is essential to have a method to monitor for signs of possible breaches, incidents and impending threats. Modern threats to networks are increasingly sophisticated and can infiltrate even the most robust security solutions.
How do intrusion prevention systems work?
Intrusion prevention systems work by scanning all network traffic. An IPS is designed to prevent many different threats, such as:
Denial-of-service (DoS) attacks
Distributed Denial of Service (DDoS) attacks
Various types of exploits
Worms
Viruses
The IPS performs a thorough real-time inspection of every packet travelling through the network. If malicious or suspicious packets are detected, the IPS performs one of the following actions:
Shuts down the attacked TCP session and blocks the originating IP address or user account, preventing unauthorised access to any application, target host or other network resource.
Reprograms or reconfigures the firewall to prevent a similar attack in the future.
Removes or replaces any malicious content that remains in the network after an attack. This is done by repackaging payloads and removing infected header information and attachments from files or mail servers.
Types of prevention
An IPS is usually configured to use various approaches to protect the network from unauthorised access. They include:
Signature-based approach - Uses predefined signatures of well-known network threats. When an attack corresponding to one of these signatures or patterns is initiated, the system takes the necessary action.
Anomaly-based approach - Monitors the network for anomalous or unexpected behaviour. If it identifies an anomaly, the system immediately blocks access to the target host.
Policy-based approach - Requires administrators to configure security policies that reflect the organisation's network infrastructure and security rules. When activity occurs that violates a security policy, an alert is triggered and sent to the system administrators.
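As an added illustration (not part of the original article and not code from any IPS product), the following Python sketch applies the three approaches in turn to a constructed packet list: a signature match or a traffic-rate anomaly blocks the originating source, while a policy violation only raises an alert for the administrator. The signatures, allowed ports, threshold and IP addresses are made-up example values.

```python
from collections import Counter, namedtuple

# A packet as the IPS sees it: source IP, destination TCP port, payload bytes.
Packet = namedtuple("Packet", "src dport payload")

# Signature-based: byte patterns of known threats (constructed, not real IDS rules).
SIGNATURES = {"sig-sql-tautology": b"' OR 1=1", "sig-shell-probe": b"/bin/sh"}
# Policy-based: ports the organisation's security policy allows (constructed).
ALLOWED_PORTS = {80, 443}
# Anomaly-based: more packets than this from one source is unexpected behaviour.
RATE_THRESHOLD = 5

class SimpleIPS:
    def __init__(self):
        self.per_source = Counter()   # packets seen per source (anomaly baseline)
        self.blocked = set()          # sources whose traffic is now dropped
        self.alerts = []              # (rule, source) events reported to the admin

    def inspect(self, pkt):
        """Inspect one packet in line and return 'pass', 'alert' or 'block'."""
        if pkt.src in self.blocked:               # source already cut off
            return "block"
        for name, pattern in SIGNATURES.items():  # signature-based check
            if pattern in pkt.payload:
                return self._block(name, pkt.src)
        self.per_source[pkt.src] += 1             # anomaly-based check
        if self.per_source[pkt.src] > RATE_THRESHOLD:
            return self._block("anomaly-rate", pkt.src)
        if pkt.dport not in ALLOWED_PORTS:        # policy-based: alert, do not drop
            self.alerts.append(("policy-port", pkt.src))
            return "alert"
        return "pass"

    def _block(self, rule, src):
        self.blocked.add(src)                     # like blocking the originating IP
        self.alerts.append((rule, src))
        return "block"

# Constructed sample traffic: a clean request, an injection attempt plus a second
# packet from that host, a telnet login the policy forbids, and a burst of seven.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 443, b"GET / HTTP/1.1"),
    Packet("10.0.0.9", 80, b"id=1' OR 1=1--"),
    Packet("10.0.0.9", 80, b"GET / HTTP/1.1"),
    Packet("10.0.0.7", 23, b"login: "),
] + [Packet("10.0.0.12", 443, b"GET / HTTP/1.1")] * 7

def run(packets):
    """Run the IPS over a packet list; returns (actions, alerts)."""
    ips = SimpleIPS()
    return [ips.inspect(p) for p in packets], ips.alerts
```

Running `run(SAMPLE_TRAFFIC)` blocks the injecting host and the bursting host, and only alerts on the forbidden port, which mirrors the different responses the three approaches above describe.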
There are several threat monitoring tools available online, such as Darktrace. If you are unable to implement one of these solutions yourself, contact your IT consultant or our support team.