What is an Intrusion Prevention System in information security?

An Intrusion Prevention System (IPS) is a network security device (or software component) that monitors network and system activity for malicious or unwanted behaviour and can react to block or prevent that activity, rather than only reporting it.

A network-based IPS works in-line, so all monitored traffic passes through it while it inspects the traffic for malicious content or attacks. When an attack is identified, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is regarded by some as a development of intrusion detection system (IDS) technology.

Intrusion Prevention Systems originated in the late 1990s to resolve the ambiguities of passive network monitoring by placing the detection system in-line. Early IPS were IDS that could issue blocking commands to firewalls and push access control changes to routers. This approach fell short operationally because it created a race condition between the IDS and the exploit: the attack traffic often reached its target before the blocking rule had propagated through the control mechanism.

In-line IPS can be considered an improvement upon firewall technology (Snort inline combines the two into one component): an IPS can make access control decisions based on application content, rather than on the IP addresses or ports that traditional firewalls were limited to.

To improve the performance and efficiency of classifying traffic, most IPS include the destination port in their signature structure, so that a packet is only compared against the signatures written for the service it is addressed to. Because IPS were initially a literal extension of intrusion detection systems, the two continue to be associated.

Intrusion prevention systems can also operate at the host level to deny potentially malicious events. Host-based IPS has advantages and disadvantages relative to network-based IPS, and in many cases the two technologies are complementary.

An Intrusion Prevention System must first be a good Intrusion Detection System so that its false-positive rate is low; because an in-line IPS blocks what it matches, every false positive interrupts legitimate traffic. Some IPS can also block attacks that have not yet been discovered, including those that rely on a buffer overflow, by detecting protocol anomalies such as abnormally long input rather than a specific exploit.

The role of an IPS in a network is often confused with access control and application-layer firewalls. There are important differences between these technologies: while they share similarities, their approaches to network and system security are essentially different.

An IPS is generally designed to operate invisibly on a network. IPS products generally do not claim an IP address on the protected network, but they can respond directly to traffic in several ways (common IPS responses include dropping packets, resetting connections, generating alerts, and even quarantining intruders). While some IPS products can enforce firewall rules, this is generally a convenience and not a core function of the product.
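The following added example, written for this article and not taken from any IPS product, shows how the mechanisms described above fit together in a minimal in-line engine: signatures are indexed by protocol and destination port so only the rules for the addressed service are evaluated, content matching on the application payload decides the verdict, a generic length check catches an unknown overflow attempt, and the three common responses (drop, reset, alert-and-forward) are applied. The signature IDs, messages, addresses and packets are constructed for illustration; the last packet sends the same attack to a non-standard port to show the cost of keying signatures by destination port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int          # constructed rule ID
    proto: str        # "tcp" or "udp"
    dst_port: int     # service the rule is written for
    pattern: bytes    # byte string that must appear in the application payload
    action: str       # "drop", "reset" or "alert" (alert = log, then forward)
    msg: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes


# Constructed rule set (IDs and messages invented for this example).
SIGNATURES = [
    Signature(1000001, "tcp", 80, b"../../", "drop", "HTTP directory traversal attempt"),
    Signature(1000002, "tcp", 80, b"/bin/sh", "reset", "HTTP shell command injection attempt"),
    Signature(1000003, "tcp", 25, b"VRFY ", "alert", "SMTP user enumeration (VRFY)"),
]

# Protocol-anomaly limit: an FTP command line far longer than any legitimate one
# is treated as a probable buffer-overflow attempt even with no exploit-specific rule.
FTP_MAX_LINE = 512


class InlineIPS:
    def __init__(self, signatures):
        # Index by (proto, dst_port): a packet is only compared against the
        # rules for its service, which keeps content matching cheap enough to run in-line.
        self.by_service = {}
        for sig in signatures:
            self.by_service.setdefault((sig.proto, sig.dst_port), []).append(sig)
        self.alerts = []      # (sid, msg, src, dst)
        self.forwarded = []   # packets passed through to the protected network
        self.resets = []      # (src, dst, dst_port) flows a TCP RST would be injected into

    def inspect(self, pkt):
        """Return the verdict for one packet: "pass", "drop" or "reset"."""
        verdict = "pass"
        for sig in self.by_service.get((pkt.proto, pkt.dst_port), []):
            if sig.pattern in pkt.payload:
                self.alerts.append((sig.sid, sig.msg, pkt.src, pkt.dst))
                if sig.action in ("drop", "reset"):
                    verdict = sig.action
                    break
        # Generic anomaly check for FTP, independent of the signature table.
        if verdict == "pass" and pkt.proto == "tcp" and pkt.dst_port == 21:
            first_line = pkt.payload.split(b"\r\n", 1)[0]
            if len(first_line) > FTP_MAX_LINE:
                self.alerts.append((0, "FTP command exceeds %d bytes" % FTP_MAX_LINE, pkt.src, pkt.dst))
                verdict = "drop"
        if verdict == "pass":
            self.forwarded.append(pkt)
        elif verdict == "reset":
            self.resets.append((pkt.src, pkt.dst, pkt.dst_port))
        return verdict


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.6", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", "tcp", 80, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\n\r\n"),
    Packet("10.0.0.8", "192.0.2.25", "tcp", 25, b"VRFY root\r\n"),
    Packet("10.0.0.9", "192.0.2.21", "tcp", 21, b"USER " + b"A" * 2000 + b"\r\n"),
    # Same traversal string to a web server on port 8080: no rule is keyed to
    # that port, so the port-indexed engine forwards it unexamined.
    Packet("10.0.0.6", "192.0.2.10", "tcp", 8080, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
]


def run(packets, signatures=SIGNATURES):
    """Feed packets through a fresh engine; return the verdict list and the engine state."""
    ips = InlineIPS(signatures)
    verdicts = [ips.inspect(p) for p in packets]
    return verdicts, ips


if __name__ == "__main__":
    verdicts, ips = run(SAMPLE_PACKETS)
    for pkt, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dst_port} {v}")
    for alert in ips.alerts:
        print("ALERT", alert)
```

Running it forwards the benign GET, the VRFY probe (alert only) and the port-8080 request, drops the traversal and the oversized FTP command, and resets the flow carrying `/bin/sh`. The last verdict is the practical caveat: indexing by destination port is what makes in-line inspection affordable, but a service on a non-standard port needs its own rule or a port-agnostic protocol detector to be covered.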

Furthermore, IPS technology provides deeper insight into network operations, supplying data on overly active hosts, bad logons, inappropriate content, and other network and application layer activity.

Updated on: 04-Mar-2022
