In short, an Intrusion Prevention System (IPS), also known as intrusion detection prevention system (IDPS), is a technology that keeps an eye on a network for any malicious activities attempting to exploit a known vulnerability.
An Intrusion Prevention System’s main function is to identify any suspicious activity and either detect and allow (IDS) or prevent (IPS) the threat. The attempt is logged and reported to the network managers or Security Operations Center (SOC) staff.
IPS technologies can detect or prevent network security attacks such as brute force attacks, Denial of Service (DoS) attacks and vulnerability exploits. A vulnerability is a weakness in a software system and an exploit is an attack that leverages that vulnerability to gain control of a system. When an exploit is announced, there is often a window of opportunity for attackers to exploit that vulnerability before the security patch is applied. An Intrusion Prevention System can be used in these cases to quickly block these attacks.
Because IPS technologies watch packet flows, they can also be used to enforce the use of secure protocols and deny the use of insecure protocols such as earlier versions of SSL or protocols using weak ciphers.
IPS technologies have access to packets where they are deployed, either as Network intrusion detection systems (NIDS), or as Host intrusion detection systems (HIDS). Network IPS has a larger view of the entire network and can either deployed inline in the network or offline to the network as a passive sensor that receives packets from a network TAP or SPAN port.
The detection method employed may be signature or anomaly-based. Predefined signatures are patterns of well-known network attacks. The IPS compares packet flows with the signature to see if there is a pattern match. Anomaly-based intrusion detection systems uses heuristics to identify threats, for instance comparing a sample of traffic against a known baseline.
Early implementations of the technology were deployed in detect mode on dedicated security appliances. As the technology has matured and moved into integrated Next Generation Firewall or UTM devices, the default action is set to prevent the malicious traffic.
In some cases, the decision to detect and accept or prevent the traffic is based upon confidence in the specific IPS protection. When there is lower confidence in an IPS protection, then there is a higher likelihood of false positives. A false positive is when the IDS identifies an activity as an attack but the activity is acceptable behavior. For this reason, many IPS technologies also have the ability to capture packet sequences from the attack event. These can then be analyzed to determine if there was an actual threat and to further improve the IPS protection.