In short, an Intrusion Prevention System (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a system that monitors a network for malicious activity or incidents, such as security threats or policy violations, and acts to stop them.


An Intrusion Prevention System’s main function is to identify suspicious activity, record it in a log, attempt to block the malicious traffic, and report the event to the network manager. In general, the idea behind an IPS is simply that ‘dirty’ traffic goes in and ‘clean’ traffic comes out.
An IPS can be deployed either as a hardware appliance or as software.

How Do Intrusion Prevention Systems Work?

It may be best to compare an IPS to a firewall. A typical enterprise-level firewall can have a large number of rules, maybe a hundred or even a thousand. Most of those rules are “pass” rules, meaning they allow matching network traffic through.

The firewall takes a packet off the wire and walks its rule list in order, looking for a rule that says “allow this packet through.” If it reaches the end of the list and no rule has matched, a final implicit “deny” rule applies: “drop everything else.” In the absence of a reason to pass the traffic, the firewall drops it.
An IPS follows a similar process, but from the reverse point of view. The IPS also has hundreds or even thousands of rules, but instead of being ‘allow’ rules they are ‘deny’ rules (signatures describing known-bad traffic). A packet is dropped only if it matches one of those deny rules; anything that matches nothing falls through to the default and is passed. In other words, the firewall is default-deny with allow exceptions, and the IPS is default-allow with deny exceptions.

Where Does an IPS Sit in the Security Architecture?

As an IPS is a control technology, it sits in-line between two networks and controls the traffic passing between them. This places the IPS on the policy side of your security infrastructure: it implements or enforces a particular policy, determined by your company’s requirements, on what traffic is not allowed through. Because it is in-line, its failure modes matter in practice: a false positive blocks legitimate traffic, and the device’s behaviour when it fails or is overloaded (fail-open versus fail-closed) should be decided deliberately rather than left to the default.

Why Should Intrusion Prevention Systems Be Used?

The main reason to put an IPS in place is to block known, and sometimes even unknown, attacks across a network. When an exploit is announced, there is usually a window between its disclosure and the time your systems can actually be patched, during which they remain exposed. An IPS can be used to block attacks against those unpatched systems during that window, a practice often called virtual patching.

What’s the Difference Between IDS and IPS?

Whereas an IDS is primarily a visibility tool that detects but does not necessarily react to network traffic, an IPS takes a much more proactive approach, both detecting and preventing malicious activity within a network. An IDS takes a deep look into a network to show what is happening from a security point of view; an IPS, sitting in-line, can also drop the traffic it flags.

Although an IPS and an IDS are not the same, the technology each relies on is fairly similar: both inspect traffic against a set of rules or signatures. With that said, it is important to understand that the two systems are very different and will produce very different results for the network manager. They fit into the network in different places (an IDS typically watches a copy of the traffic from a tap or SPAN port, while an IPS sits in-line), they have different functions and, as mentioned above, they solve different problems.
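The following is an added example (not code from the original article) that makes both contrasts above concrete: the firewall's default-deny-with-allow-rules model versus the IPS's default-allow-with-deny-rules model described under "How Do Intrusion Prevention Systems Work?", and the IDS-versus-IPS difference of alerting only versus alerting and dropping. It is a deliberately small first-match rule engine; the packets, rule names and "signatures" are constructed for illustration and are not real product rules.

```python
"""Added example (not from the original article): a minimal first-match
rule engine contrasting a firewall (default deny, allow rules) with an
IPS (default allow, deny/signature rules), and an IDS (alert only) with
an IPS (alert and drop). All packets, rules and signatures below are
constructed for illustration only."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    action: str           # "allow" or "deny"
    match: Callable[[Packet], bool]


def first_match(rules: List[Rule], pkt: Packet, default_action: str) -> Tuple[str, str]:
    """Walk the rule list in order; the first rule whose predicate matches
    decides. If nothing matches, the implicit final rule (the default) applies.
    Returns (action, name_of_rule_that_decided)."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return default_action, "default"


# Firewall: a few "pass" rules, then "drop everything else".
FIREWALL_RULES: List[Rule] = [
    Rule("allow-https", "allow", lambda p: p.proto == "tcp" and p.dport == 443),
    Rule("allow-dns", "allow", lambda p: p.proto == "udp" and p.dport == 53),
]


def firewall_decide(pkt: Packet) -> Tuple[str, str]:
    return first_match(FIREWALL_RULES, pkt, default_action="deny")


# IPS: "deny" signatures; anything that matches no signature passes.
# (Hypothetical signatures, not taken from any real rule set.)
IPS_RULES: List[Rule] = [
    Rule("sig-shell-in-http", "deny",
         lambda p: p.proto == "tcp" and p.dport in (80, 443) and b"/bin/sh" in p.payload),
    Rule("sig-oversized-dns", "deny",
         lambda p: p.proto == "udp" and p.dport == 53 and len(p.payload) > 512),
]


def ips_decide(pkt: Packet, mode: str = "ips",
               log: Optional[List[str]] = None) -> Tuple[str, str]:
    """mode="ids": detect and log only; the packet is always forwarded.
    mode="ips": detect, log, and drop when a signature matches."""
    action, name = first_match(IPS_RULES, pkt, default_action="allow")
    if action == "deny":
        if log is not None:
            log.append(f"ALERT {name} {pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
        if mode == "ids":
            return "allow", name      # visibility only: forwarded despite the hit
    return action, name


if __name__ == "__main__":
    # Constructed sample traffic.
    web = Packet("10.0.0.5", "203.0.113.10", 443, "tcp", b"GET / HTTP/1.1")
    ssh = Packet("10.0.0.5", "203.0.113.10", 22, "tcp")
    bad = Packet("198.51.100.7", "10.0.0.8", 80, "tcp", b"GET /cgi-bin/x?cmd=/bin/sh")
    alerts: List[str] = []
    print("firewall:", firewall_decide(web), firewall_decide(ssh))
    print("ids:     ", ips_decide(bad, "ids", alerts))
    print("ips:     ", ips_decide(bad, "ips", alerts))
    print("\n".join(alerts))
```

Note the two defaults: `firewall_decide` falls through to `"deny"` when no allow rule matches, while `ips_decide` falls through to `"allow"` when no signature matches. The same signature hit produces an alert in both modes, but only in `"ips"` mode is the packet actually dropped, which is exactly the in-line versus visibility-only distinction the section draws.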