Network Intrusion Prevention System (IPS)
An IPS is a solution designed to prevent malicious activity within a network by applying policies and rules to network traffic. An IPS, however, cannot function without an IDS (Intrusion Detection System): it needs detections to act on.
IDS vs. IPS
Many vendors and providers will attempt to differentiate an IPS system as superior to an IDS solution, or vice versa, where in fact they work hand in hand.
An IDS solution is designed to monitor and detect inappropriate or anomalous activity within a network using certain types of detection tools or sensors. An IDS will use tools like NetFlow, NIDS (network intrusion detection systems) and HIDS (host intrusion detection systems) to analyse network and host traffic. In most cases, an IDS sensor is placed between the router or core switch and the firewall in order to see a broad spectrum of network traffic. Most IDS deployments then report back to a SIEM (Security Information and Event Management) solution or a SOC (security operations centre) for further action and response.
An IPS solution takes the malicious or inappropriate activities detected by the IDS and activates automated steps to prevent them. Preventive steps include dropping malicious packets, resetting a port, or blocking traffic from a malicious IP address, based on a set of policies in place.
An IPS, in reality, is an extension of an IDS and not a competing solution or tool.
That is why many firewall solutions today have IDS and IPS integrated, which one can turn on and off. Most SIEM or security operation and monitoring solutions have an IDS solution incorporated into their offering too.
Deciding whether to incorporate an IDS or IPS solution into an organisation’s security stack will be entirely based on the goals that the business is trying to achieve.
In some cases, a business may not want an IPS solution for fear of a false positive being treated as a valid attack by the IPS and the resulting automated response causing a break in service. For example, an IPS solution might incorrectly interpret a surge of legitimate web traffic as a DDoS (Distributed Denial of Service) attack and block a port on a critical web server. Some organisations that have a SOC or a managed security service provider would rather have human eyes reviewing the attacks identified by the IDS and then deciding on the next appropriate actions, based on playbooks and the analyst's experience.
There are, however, solutions out there that are becoming more intelligent, and can detect and block exploit attempts at both the network and application layers, using signatures and anomaly detection. This improves overall security and reduces false positive rates. They further leverage threat intelligence feeds in order to discover unknown malware by correlating similar traffic being seen worldwide.
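To make the IDS/IPS split concrete, here is an added toy pipeline (example code written for this page, not a product of Secure-ISS or any vendor) that runs a signature check and a rate-based anomaly check over a handful of constructed flow records in a single pass, then shows how the enforcement stage differs between an IDS deployment (report only) and an IPS deployment (act automatically). The flow records, the signature patterns and the `RATE_THRESHOLD` of 5 flows per source are all constructed for the example. The enforcement policy reflects the false-positive concern above: a source that only trips the rate anomaly is escalated for analyst review rather than blocked, so a burst of legitimate traffic cannot take a service offline on its own.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dport, payload); not real traffic.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 80, "payload": "GET /index.html"},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "dport": 80, "payload": "GET /login?user=a' OR '1'='1"},
    {"src": "192.0.2.9", "dst": "10.0.0.5", "dport": 80, "payload": "GET /about"},
] + [
    # A legitimate burst of requests from one client (e.g. a busy outbound proxy).
    {"src": "198.51.100.20", "dst": "10.0.0.5", "dport": 80, "payload": f"GET /page/{i}"}
    for i in range(7)
]

# Signature rules: (rule name, substring indicating a known attack pattern). Constructed.
SIGNATURES = [
    ("sqli-tautology", "' OR '1'='1"),
    ("path-traversal", "../../"),
]

RATE_THRESHOLD = 5  # flows per source per observation window; assumed value


def detect(flows, signatures=SIGNATURES, threshold=RATE_THRESHOLD):
    """IDS stage: evaluate every rule in one pass over the flows and return alerts.

    Each alert records the source, the rule that fired and whether it came
    from a signature match or from the anomaly (rate) detector.
    """
    alerts = []
    per_source = defaultdict(int)
    for flow in flows:
        per_source[flow["src"]] += 1
        for name, pattern in signatures:
            if pattern in flow["payload"]:
                alerts.append({"src": flow["src"], "rule": name, "kind": "signature"})
    # Anomaly detection: a source exceeding the per-window threshold is flagged.
    for src, count in per_source.items():
        if count > threshold:
            alerts.append({"src": src, "rule": "rate-anomaly", "kind": "anomaly", "count": count})
    return alerts


def enforce(alerts, mode="ips"):
    """IPS stage: map the IDS alerts to one action per source.

    mode="ids" -> report only ("alert"); a human decides what to do next.
    mode="ips" -> a signature hit is blocked automatically; an anomaly-only
                  alert is escalated for analyst review instead of blocked,
                  so a traffic surge by itself cannot cause an outage.
    """
    kinds_by_source = defaultdict(set)
    for alert in alerts:
        kinds_by_source[alert["src"]].add(alert["kind"])
    actions = {}
    for src, kinds in kinds_by_source.items():
        if mode == "ids":
            actions[src] = "alert"
        elif "signature" in kinds:
            actions[src] = "block"
        else:
            actions[src] = "escalate"
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for alert in found:
        print("ALERT", alert)
    print("IDS mode:", enforce(found, mode="ids"))
    print("IPS mode:", enforce(found, mode="ips"))
```

Running the script flags 203.0.113.7 on the SQL-injection signature and 198.51.100.20 on the rate anomaly only; in IDS mode both become alerts for an analyst, while in IPS mode the signature hit is blocked and the rate anomaly is escalated rather than blocked. The single loop in `detect` that applies all rules while counting flows is also the simplest illustration of the "single pass" idea: each flow is inspected once rather than handed to separate signature and anomaly engines in turn.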
New technologies like single pass threat prevention are being developed and perfected to reduce IPS latency and improve compute performance. This is done by performing all analysis in a single integrated scan of a packet, reducing the need for multiple scanning engines.
We at Secure-ISS determine whether an organisation will be best served using an IPS or IDS solution, based on customer requirements, resources available and goals within their security infrastructure, and not vendor preference. This service-driven thinking offers our clients the best outcomes for their security as well as their budget.