Intrusion Prevention System (IPS)

27.08.2022

The development of security strategies for devices and networks has led to the emergence of a new type of protection, IPS (Intrusion Prevention System), which can be viewed as the next step in the evolution of the traditional IDS (Intrusion Detection System).

An intrusion prevention system is a network security device that monitors activities at layer 3 (network) and/or layer 7 (application) of the OSI Model, detects malicious, suspicious, or unauthorized activity, and takes preventative action in real time.

The IPS was created as an addition or alternative to other network security tools, such as a firewall or an IDS, so it inherits many features of these two technologies, as well as offers proactive prevention against attacks and threats.

The advantage of intrusion detection systems over traditional firewalls is that they make access control decisions based on the traffic content rather than the IP addresses or ports.

Unlike the IDS, which is reactive, since it issues a warning when a potential intrusion is detected, the IPS is proactive: it establishes security policies to protect the device or the network from possible attacks.

IPS Classification

IPSs can be classified in different ways: based on the method they use to detect threats and on the technology of their implementation.

Classification based on the detection method:

  • Signature-based IPS: This system has a database of “signatures” containing known patterns of attacks on the device or network. The device uses this information to search for matches to detect possible attacks and reacts accordingly.
  • Anomaly-based IPS: Also known as profile-based, this system tries to identify behaviors that deviate from what has been predefined as “normal behavior” of a device or network. Statistical analysis of traffic indicators is used to build that baseline and detect deviations from it.
  • Policy-based IPS: This system requires very specific security policies. The IPS analyzes the traffic against the established profile and either allows data packets through or blocks them, acting much like a firewall.
  • Honeypot-based IPS: This system uses a computer configured so that it appears vulnerable and prone to attacks at first glance. When such an attack occurs, the attacker’s actions leave evidence which is later used to update security policies.

Classification based on the technology:

  • Host-based IPS: This system monitors the characteristics of a particular network host device to detect activities within it. The monitored characteristics include: wired or wireless network traffic, system logs, user access, running processes, and file modifications. The response actions also apply only to the host protected by the system. IPSs of this type are often used to protect servers and devices with service applications that are available 24/7.
  • Network-based IPS: This system monitors the traffic flowing through particular segments and analyzes the network, transport, and application protocols to identify suspicious activity. It operates by analyzing traffic data packets (wired or wireless) in real time searching for patterns that could lead to some type of attack. A recommended solution for detecting intrusions originating from untrusted networks is a combination of an IPS and a firewall on the same device.

Operation

The IPS operation is based on a set of very specific instructions allowing each bit of a transmitted data packet to be fully inspected.

All data traffic is classified and inspected with the relevant filters before it is allowed through. Classification uses the information contained in each packet’s header, such as source and destination IP addresses and ports, and application-layer fields.

Each filter consists of a set of rules defining the conditions that must be met for a data packet or flow to be identified as malicious. When classifying traffic, the device must reassemble the flow payload and parse it into protocol fields for further contextual analysis.

To prevent an attack from reaching its target, the moment a flow is recognized as malicious, all the subsequent packets of the same flow are blocked.

Multi-flow attacks can also occur, where the intruder tries to compromise the network by flooding it with packets. They require filters that can gather statistics and identify anomalies in several aggregated flows.
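As an added illustration (not code from the original post), the following minimal inline inspection loop in Python ties together the single-flow filter described above (payload reassembly, signature matching, dropping every later packet of a flagged flow) and the multi-flow filter that aggregates statistics across flows from one source. The signatures, addresses, ports and threshold are constructed for the example and do not come from any real product.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed signatures (hypothetical patterns, not any real product's rules).
SIGNATURES = {"sig-sqli-union": b"UNION SELECT", "sig-shell-probe": b"/bin/sh"}

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""

@dataclass
class Ips:
    scan_threshold: int = 5  # distinct dst ports from one source before blocking it
    flows: dict = field(default_factory=lambda: defaultdict(bytes))  # flow -> payload
    blocked_flows: set = field(default_factory=set)
    blocked_hosts: set = field(default_factory=set)
    ports_per_src: dict = field(default_factory=lambda: defaultdict(set))

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        # A flow or host already judged malicious is dropped without re-inspection.
        if pkt.src in self.blocked_hosts or key in self.blocked_flows:
            return "drop"
        # Multi-flow filter: statistics aggregated across all flows from one source.
        self.ports_per_src[pkt.src].add(pkt.dport)
        if len(self.ports_per_src[pkt.src]) >= self.scan_threshold:
            self.blocked_hosts.add(pkt.src)
            return "drop:anomaly-multiflow"
        # Single-flow filter: reassemble payload first so a split signature still matches.
        self.flows[key] += pkt.payload
        for name, pattern in SIGNATURES.items():
            if pattern in self.flows[key]:
                self.blocked_flows.add(key)
                return f"drop:{name}"
        return "pass"

def run_sample() -> list:
    ips = Ips()  # constructed traffic: benign, split signature, then one source hitting many ports
    stream = [
        Packet("10.0.0.5", "10.0.0.10", 40000, 80, b"GET /index.html"),
        Packet("10.0.0.6", "10.0.0.10", 40001, 80, b"GET /?id=1 UNION "),
        Packet("10.0.0.6", "10.0.0.10", 40001, 80, b"SELECT * FROM users"),
        Packet("10.0.0.6", "10.0.0.10", 40001, 80, b"GET /index.html"),
    ] + [Packet("10.0.0.7", "10.0.0.10", 40002 + p, 20 + p) for p in range(6)]
    return [ips.inspect(p) for p in stream]
```

Note that the second flow is only caught on its second packet, once the reassembled payload contains the full pattern, and that the per-source port counter blocks the last source even though none of its individual flows matched a signature.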

The most advanced IPSs are able to process multiple packets in parallel to perform checks simultaneously. Parallel processing is usually implemented at the hardware level as most conventional software solutions reduce the throughput.

In addition, an IPS can incorporate redundancy and failover solutions to ensure that a network continues to operate in case of a failure. It can also control non-mission-critical applications to protect the bandwidth.

New Generation IPS

The networks of today are so dynamic that new technologies, devices, and systems emerge constantly. This increases the exposure to evolving information security threats and demonstrates the need for intelligent mechanisms capable of addressing them, thus promoting the development of a new generation IPS.

A new generation IPS must meet the following criteria:

  • Always Online: The network operation should never be interrupted.
  • Application Awareness: Ability to identify applications and implement network security policies at the application layer.
  • Context Awareness: Decisions on detecting and addressing threats must be based on a thorough analysis of the circumstances surrounding a specific attack, so that the affected computer’s response to an imminent threat is prioritized automatically.
  • Content Awareness: Ability to inspect and classify the file types contained in data packets.
  • Agility: Ability to incorporate new feedback mechanisms to deal with future threats.

These new generation IPSs can offer visibility of the network behavior, profiles of the computers within the communication infrastructure, and the identity of the users and applications they use. This information serves as an input for automatic adjustment.

IPS vs. IDS

Both IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) enhance network security by monitoring traffic, examining and analyzing packets for suspicious data. Both systems mainly detect intrusions based on already known signatures.

The main difference between an IDS and an IPS is the action taken when an attack is detected during its initial stages (network analysis and port scanning):

  • An IDS offers some preventive network protection against suspicious activity and achieves its objective by sending early warnings to information system security administrators. However, unlike an IPS, it is not designed to stop attacks.
  • An IPS is a device that performs access control in a network to protect computer systems from attacks and violations. It is designed to analyze the attack data and respond accordingly, stopping the attack before it begins.

Combining both host-based and network-based intrusion prevention and detection systems is crucial for adequate information security. The models described above are not mutually exclusive; on the contrary, they should be used together according to the company’s security needs and criticality.

In addition to their ability to address certain incidents automatically, IPSs are generally able to reduce the rate of false alarms of attacks in progress, block attacks automatically in real time, protect unpatched systems, apply new filters as they detect new malicious activities, and optimize network traffic throughput as a security strategy.
