IPS/IDS

How to prevent intrusions with Intrusion Prevention Systems?

An IPS, or Intrusion Prevention System, is a perimeter security solution, much like a firewall. The network perimeter is the boundary between an organization's local network and the rest of the world. Usually that boundary is a connection to an Internet provider, a national network, another company, or something similar. Often there are at least two such connections, for redundancy.

A perimeter solution sits on the perimeter, where it can monitor and protect all incoming and/or outgoing traffic. Some perimeter solutions watch a specific type of traffic, like email or web security gateways; others monitor all traffic in general, like a firewall or an IPS.

Sometimes an organization's network is split into multiple networks with single connections between them, and firewalls or IPSs can be placed at those connection points as well.

A modern IPS is actually a combination of IDS and IPS, where D stands for Detection and P for Prevention. An IDS is a passive solution that can only alert, whereas an IPS is an active solution that can block outside attacks and threats in general traffic. IDS and IPS functionalities are a kind of higher-level, more advanced or evolved firewall functionality, so both can also be combined into what is called an Advanced or Next Generation (NextGen) firewall, or a UTM (Unified Threat Management) solution. If the two are split, the IPS sits closer to the inside of the network than the firewall, usually just behind it.

An IPS detects more complex threats in traffic than a simple firewall is able to. The two are often split for performance reasons as well: both are inline with the traffic and must perform each of their functions fast enough that there is no significant lag. Combined solutions are more appropriate for small and medium-sized companies.

An IPS uses multiple techniques to detect threats in traffic, such as signature-based detection, statistical anomaly detection, high-speed SSL/TLS decryption and inspection, DoS detection, anti-bot defences, stream analysis, protocol anomaly detection, and so on.

Once an IPS detects a threat, it takes automated actions on the traffic flows entering the network: alerting administrators (which is an IDS function), dropping the malicious packets, blocking traffic from the malicious source address, resetting connections, and so on. Because these actions are automated, it is very important for an IPS to have an extremely low false positive rate.
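To make the detection techniques and the automated actions above concrete, here is a small inline inspection engine (an added illustration, not code from any IPS product). It combines two of the techniques listed, signature matching and a statistical rate anomaly, and shows the IDS/IPS difference: in IDS mode every detection only alerts, while in IPS mode packets are dropped and a source is blocked after a high-confidence signature hit, whereas the lower-confidence anomaly only drops the packet so that a false positive cannot cut off a whole host. The signature patterns, threshold and flow records are constructed sample values.

```python
import re
from collections import Counter

# Constructed, illustrative signatures: (name, pattern over the packet payload).
SIGNATURES = [
    ("sqli-union-select", re.compile(rb"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]
# Statistical anomaly: more than this many flows from one source is suspicious (constructed value).
RATE_THRESHOLD = 5

# Constructed flow records: (source_ip, destination_port, payload). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", 80, b"GET /?id=1 UNION SELECT password FROM users"),
    ("10.0.0.9", 80, b"GET /about HTTP/1.1"),
] + [("10.0.0.7", 22, b"SSH-2.0-client")] * 7

def inspect(flows, mode="ips"):
    """Inspect flows in order; return (actions, forwarded).

    actions is a list of (action, source_ip, reason). In 'ids' mode the engine
    is passive and only alerts; in 'ips' mode it also drops and blocks.
    """
    actions, forwarded = [], []
    blocked = set()           # source addresses blocked for the rest of the run
    per_source = Counter()    # flows seen per source, for the rate anomaly
    for src, dport, payload in flows:
        if src in blocked:
            actions.append(("drop", src, "source blocked"))
            continue
        per_source[src] += 1
        reason = None
        for name, pattern in SIGNATURES:          # signature-based detection
            if pattern.search(payload):
                reason = f"signature:{name}"
                break
        if reason is None and per_source[src] > RATE_THRESHOLD:
            reason = "anomaly:connection-rate"    # statistical anomaly detection
        if reason is None:
            forwarded.append((src, dport, payload))
            continue
        actions.append(("alert", src, reason))    # IDS function: alert admins
        if mode == "ips":
            actions.append(("drop", src, reason))  # IPS function: drop the packet
            if reason.startswith("signature"):     # only high-confidence hits block a source
                blocked.add(src)
        else:
            forwarded.append((src, dport, payload))  # passive IDS still lets it through
    return actions, forwarded
```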