An intrusion prevention system (IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. An IPS is used to detect and prevent attacks and intrusions, as well as to monitor and enforce compliance with security policies.
An IPS has a unique ability to identify bad traffic that was previously unknown and is not identifiable by a signature-based intrusion detection system or an antivirus. The IPS looks for patterns in the information stream, sometimes augmenting IDS capabilities by adding signatures for emerging vulnerabilities and threats against which IDS systems are not yet protected. While this also increases the number of false positives, it is more effective than other technologies at blocking new attacks without requiring administrators to upgrade their security devices.
Kinds of Attacks:
Although an IPS can stop any type of attack it supports, these systems are most commonly thought of as preventing Denial-of-Service (DoS) attacks, Distributed DoS (DDoS) attacks, port scans, and buffer overflows.
When to Deploy:
Most organizations deploy an IPS at the network perimeter to protect against external threats, though it can also be installed as a host-based application on individual systems (such as servers). Internal threats are harder for an IPS to detect and prevent, so companies need to weigh the risk of damage from such attacks against the cost of deploying an IPS before choosing which placement is most appropriate.
How an Intrusion Prevention System Works:
The first step in intrusion prevention is detection: examining packets that enter or exit a system or network and looking for ones that appear malformed, unexpected, or otherwise suspicious. If such a packet is found, the IPS analyzes the anomaly further to determine whether it is malicious activity or an incidental, benign occurrence. If it is determined to be harmful, the IPS can act immediately to prevent damage from the attack: dropping the packet outright; blocking the traffic entirely (which may also affect legitimate traffic); resetting the connection without notifying either party (which can disrupt programs or protocols that need long-lived connections or reliable data transfer over TCP/UDP); blocking only part of the incoming request (such as one bogus component of a URL); performing analysis on suspect files; and sending alerts.
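The detect, analyze, respond sequence above, as an added example that is not part of the original article: a toy inline inspection pipeline that assigns each packet one of the responses listed (drop, partial block of a bogus URL component, reset of a flow that keeps misbehaving, or alert). The packet fields, the malformed-flag checks, the traversal-segment pattern and the reset threshold are constructed assumptions for illustration, not a description of any real product.

```python
# Added example (not from the original article): a toy packet-inspection
# pipeline illustrating detect -> analyze -> respond. Packets, checks and
# thresholds are constructed for illustration only.
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import re


class Verdict(Enum):
    ALLOW = "allow"            # nothing suspicious, forward unchanged
    DROP = "drop"              # discard the packet outright
    RESET = "reset"            # tear the connection down (RST to both ends)
    PARTIAL_BLOCK = "partial"  # strip the offending part, forward the rest
    ALERT = "alert"            # forward, but raise an alert for an analyst


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                             # "tcp" or "udp"
    tcp_flags: frozenset = frozenset()     # e.g. {"SYN", "ACK"}
    payload: str = ""


@dataclass
class Decision:
    verdict: Verdict
    reason: str
    forwarded_payload: Optional[str] = None   # None when nothing is forwarded


# Constructed pattern: a ".." path segment, one "bogus component of a URL".
BOGUS_URL_SEGMENT = re.compile(r"/\.\.(?=/|$)")


def detect(pkt: Packet) -> Optional[str]:
    """Step 1: flag malformed, unexpected or suspicious packets; None if clean."""
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.tcp_flags:
        return "malformed: SYN and FIN set together"
    if pkt.proto == "tcp" and not pkt.tcp_flags:
        return "malformed: TCP segment with no flags"
    if pkt.payload.startswith("GET ") and BOGUS_URL_SEGMENT.search(pkt.payload):
        return "suspicious: traversal segment in request path"
    if pkt.proto == "udp" and len(pkt.payload) > 1400:
        return "unexpected: oversized UDP datagram"
    return None


def analyze(pkt: Packet, reason: str) -> Decision:
    """Steps 2 and 3: decide harmful vs. benign and pick a response."""
    if reason.startswith("malformed"):
        # No legitimate stack emits these; drop without further analysis.
        return Decision(Verdict.DROP, reason)
    if reason.startswith("suspicious: traversal"):
        # Only one URL component is bad: remove it and forward the rest so
        # a largely legitimate request is not lost wholesale.
        cleaned = BOGUS_URL_SEGMENT.sub("", pkt.payload)
        return Decision(Verdict.PARTIAL_BLOCK, reason, cleaned)
    # Could be benign (e.g. jumbo frames): forward, but alert.
    return Decision(Verdict.ALERT, reason, pkt.payload)


def inspect(pkt: Packet) -> Decision:
    reason = detect(pkt)
    if reason is None:
        return Decision(Verdict.ALLOW, "clean", pkt.payload)
    return analyze(pkt, reason)


def inspect_stream(packets, reset_after: int = 2):
    """Run the pipeline over a stream; escalate a flow to RESET once it has
    produced `reset_after` suspicious packets (constructed threshold)."""
    suspicious_per_flow = {}
    decisions = []
    for pkt in packets:
        d = inspect(pkt)
        flow = (pkt.src, pkt.dst)
        if d.verdict is not Verdict.ALLOW:
            suspicious_per_flow[flow] = suspicious_per_flow.get(flow, 0) + 1
            if suspicious_per_flow[flow] >= reset_after:
                d = Decision(Verdict.RESET,
                             f"{d.reason}; flow hit {reset_after} suspicious packets")
        decisions.append(d)
    return decisions


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", frozenset({"SYN"})),
    Packet("10.0.0.5", "192.0.2.10", "tcp", frozenset({"ACK", "PSH"}),
           "GET /index.html HTTP/1.1"),
    Packet("10.0.0.9", "192.0.2.10", "tcp", frozenset({"SYN", "FIN"})),
    Packet("10.0.0.7", "192.0.2.10", "tcp", frozenset({"ACK", "PSH"}),
           "GET /static/../admin HTTP/1.1"),
    Packet("10.0.0.7", "192.0.2.10", "tcp", frozenset({"ACK", "PSH"}),
           "GET /../etc HTTP/1.1"),
    Packet("10.0.0.3", "192.0.2.10", "udp", frozenset(), "A" * 1500),
]

if __name__ == "__main__":
    for pkt, d in zip(SAMPLE_PACKETS, inspect_stream(SAMPLE_PACKETS)):
        print(f"{pkt.src:>9} -> {d.verdict.value:<8} {d.reason}")
```

Running the block prints one verdict per sample packet: the second request from 10.0.0.7 is escalated from a partial block to a reset because the flow has now produced two suspicious packets, which is the kind of per-flow state a real inline device keeps.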
An HTTP Flood Attack:
HTTP flood attacks send large amounts of traffic to a website quickly, overwhelming its web servers and causing them to fail. The attack itself sends a stream of HTTP GET requests in an attempt to connect to the web server, causing the server to allocate resources such as memory and CPU (which could otherwise be used for legitimate tasks) in response.
Thus, it can be helpful to deploy an intrusion prevention system that detects the suspicious traffic and diverts it away from the main servers and hosts. This prevents the increases in bandwidth consumption and processing time that these attacks incur and ensures that business objectives (such as completing orders or serving content) are not disrupted.
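The rate-based detection and diversion described above, as an added example that is not from the original article: a per-client sliding-window counter over a constructed access log, which sends a client's GET requests to a scrubbing path once it exceeds a request budget. The log format, the window length, the request threshold and the "origin" / "divert" labels are assumptions made for this illustration.

```python
# Added example (not from the original article): sliding-window detection
# of an HTTP GET flood and the "divert away from the origin" response.
# Log lines, window and threshold are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log: 'timestamp client method path' per line."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # One legitimate client: 5 requests spread over 8 seconds.
    for i in range(5):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 198.51.100.4 GET /products/{i}")
    # One flooding client: 60 GET requests in 3 seconds.
    for i in range(60):
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 GET /")
    lines.sort()   # interleave as a real log would be ordered
    return lines


class FloodDetector:
    """Per-client sliding window: more than `max_requests` GETs inside
    `window_seconds` marks the client as flooding (constructed limits)."""

    def __init__(self, window_seconds: float = 2.0, max_requests: int = 20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.history = defaultdict(deque)   # client -> timestamps in window
        self.diverted = {}                   # client -> time diversion began

    def observe(self, ts: datetime, client: str) -> bool:
        """Record one request; return True if the client is now diverted."""
        q = self.history[client]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                      # expire requests outside window
        if len(q) > self.max_requests and client not in self.diverted:
            self.diverted[client] = ts
        return client in self.diverted


def parse_line(line: str):
    ts, client, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, method, path


def route(lines, detector: FloodDetector = None):
    """Decide, per request, whether it reaches the origin or is diverted.
    Only GET requests are counted, matching the attack described."""
    detector = detector or FloodDetector()
    decisions = []
    for line in lines:
        ts, client, method, path = parse_line(line)
        if method == "GET" and detector.observe(ts, client):
            decisions.append((client, "divert"))
        else:
            decisions.append((client, "origin"))
    return decisions


def summarize(decisions):
    """Count origin vs. diverted requests per client."""
    counts = defaultdict(lambda: {"origin": 0, "divert": 0})
    for client, action in decisions:
        counts[client][action] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, c in sorted(summarize(route(build_sample_log())).items()):
        print(f"{client:<14} origin={c['origin']:<3} diverted={c['divert']}")
```

The legitimate client never fills the window and every request reaches the origin; the flooding client gets its first twenty requests through and everything after that is diverted, so the origin's memory and CPU are spent only on the budget the operator chose. Since the detector keys on the client address, a distributed flood spread over many sources needs an additional aggregate (per-path or total request rate) on top of this per-client check.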
Different kinds of Intrusion Prevention Systems:
IDS vs IPS: An Intrusion Detection System (IDS) is a device or software application that monitors network activity for malicious activity or policy violations. An Intrusion Prevention System (IPS) adds a layer of security on top of the IDS that takes an active approach against attacks by preventing them before they can cause any damage.
An IDS usually detects attacks passively without taking any action to stop them, whereas an IPS can stop the attack before it causes damage to your network or IT infrastructure. Here are some of the key differences between an IDS and an IPS:
Active vs Passive Approach – The major difference between them is their approach to suspicious activity on a network or host. An IDS takes a passive approach: it only detects suspicious activity and takes no further steps to protect against it, while an IPS can actively block malicious traffic using specific signatures.
Detection – When it comes to detection, an IDS uses signatures while an IPS uses heuristics to detect malicious traffic on a network. A signature-based system is one of the most commonly used attack-detection technologies because it can quickly identify known attacks by comparing source and destination packet headers against a database of thousands of attack patterns. This allows faster identification of potential threats, but this kind of detection can be evaded by altering packets slightly before launching an attack, making signature-based systems less effective against some kinds of advanced or persistent threats. Heuristic-based systems have emerged as more sophisticated alternatives that use triggers based on suspicious activity found while monitoring traffic flow across a network, for instance watching incoming packets for signs that they are part of a network scan.
Response – An IDS normally reports suspected threats, while an IPS responds to threat alerts by blocking the suspicious traffic entering or leaving a network. The main purpose of an intrusion prevention system is to stop malicious activity, but it can also report that activity if required by policy. While reporting can be helpful in some situations, an IPS should focus primarily on preventing attacks rather than tracking them.
Throughput/Bandwidth – An Intrusion Detection System is mainly focused on detecting suspicious activity, while an Intrusion Prevention System's primary goal is to stop threats before they cause any damage; hence its major task is packet filtering, which involves high throughput requirements that often conflict with security requirements.
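The signature-versus-heuristic contrast from the Detection item above, as an added example that is not from the original article: an exact-match header signature lookup placed beside a heuristic that counts distinct destination ports per source, run over constructed headers. It shows why a slightly altered packet no longer matches the header signature while the scan heuristic still fires once enough ports have been touched. The signature entries, header fields, addresses and the port threshold are all constructed for this illustration.

```python
# Added example (not from the original article): exact header signatures
# beside a port-scan heuristic. Signatures, headers and the threshold are
# constructed for illustration only.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    dport: int
    proto: str
    ttl: int


# Constructed signature database keyed on exact (proto, dport, ttl) tuples,
# standing in for "thousands of attack patterns" matched against headers.
SIGNATURES = {
    ("tcp", 4444, 64): "sig-A",
    ("udp", 1434, 128): "sig-B",
}


def signature_match(h: Header):
    """Exact lookup: any change to a keyed field (here TTL) misses."""
    return SIGNATURES.get((h.proto, h.dport, h.ttl))


class ScanHeuristic:
    """Flag a source that touches `distinct_ports` or more different
    destination ports on one host, regardless of header details."""

    def __init__(self, distinct_ports: int = 10):
        self.threshold = distinct_ports
        self.ports = defaultdict(set)        # (src, dst) -> ports seen

    def observe(self, h: Header) -> bool:
        seen = self.ports[(h.src, h.dst)]
        seen.add(h.dport)
        return len(seen) >= self.threshold


def classify(headers):
    """Return (signature_name_or_None, scan_flag) per header."""
    heur = ScanHeuristic()
    return [(signature_match(h), heur.observe(h)) for h in headers]


def sample_headers():
    """Constructed traffic: one exact signature hit, one slightly altered
    copy of it, then a source sweeping 12 ports on a single host."""
    exact = Header("10.0.0.2", "192.0.2.20", 4444, "tcp", 64)
    altered = Header("10.0.0.2", "192.0.2.20", 4444, "tcp", 63)   # TTL changed
    sweep = [Header("10.0.0.8", "192.0.2.20", p, "tcp", 63) for p in range(20, 32)]
    return [exact, altered] + sweep


def tally(headers):
    """How many headers each method flagged, for comparison."""
    results = classify(headers)
    return {
        "signature_hits": sum(1 for sig, _ in results if sig),
        "heuristic_hits": sum(1 for _, scan in results if scan),
    }


if __name__ == "__main__":
    for h, (sig, scan) in zip(sample_headers(), classify(sample_headers())):
        print(f"{h.src} -> {h.dst}:{h.dport:<5} ttl={h.ttl} "
              f"signature={sig or '-':<6} scan={'yes' if scan else 'no'}")
    print(tally(sample_headers()))
```

The altered header differs from the signature entry by one TTL value and is missed entirely, which is the evasion the text refers to; the sweep never matches any signature, yet the heuristic flags it from the tenth distinct port onward. In practice the two are layered rather than chosen between, and the heuristic threshold is what the operator tunes to trade false positives against missed slow scans.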
An intrusion prevention system is a device that monitors networks for malicious activity and attempts to stop it. The main difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) is that an IPS actively blocks threats, whereas an IDS passively detects them. There are also many other differences between the two, such as response time, bandwidth requirements, and detection methods.