An intrusion prevention system (IPS) consists of a set of predefined actions that aim to proactively and effectively block suspicious activity coming from external or internal networks and from the host itself. An IPS has an important advantage over traditional firewall technologies: it makes access control decisions based on the content of the traffic rather than on IP addresses or ports.
Characteristics and types of IPS
- It detects intruders by checking the identifiers of suspicious activity against the signatures of known malicious activity, which are stored in a signature file.
- For protection against intrusions to be effective, an IPS must have a mechanism that keeps the file containing the intrusion identifiers constantly up to date.
- An intrusion prevention system can consist of software, hardware or a combination of the two.
- There are different types of IPS, depending on where they are located:
  - Network IPS:
    - These aim to protect the network segments or zones to which they have access.
    - They capture network traffic (sniffers) and analyze it for patterns that could indicate some type of attack.
    - If they are correctly placed in the network, they can analyze large networks and generally have minimal impact on traffic.
    - They use a network interface configured in promiscuous mode. This means that they can intercept and analyze all the packets on a network segment, even those not addressed to a specific computer.
    - They usually analyze traffic in real time.
    - They work not only at the TCP/IP level but can also operate in the application layer.
    - A network IPS can be located in the network segments exposed to external networks (WAN and the Internet), in the zone that hosts public services and servers (the DMZ), or it can simply inspect traffic on the internal network. The optimum solution for detecting intruders from untrusted networks is to place the IPS and the firewall in the same device.
  - Host IPS:
    - These were the first IDS (Intrusion Detection System) developed by the IT security industry.
    - They protect a single computer.
    - They monitor a large number of events and activities, accurately determining which processes and users are involved in a given action.
    - They collect system information, such as files, log files and resource usage, and then analyze it locally for possible incidents on the system.