WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
An intrusion prevention system (IPS) plays a key role in security-in-depth strategies at both large and small organizations. While they should not be used alone to protect networks, IPS solutions are critical for preventing, detecting and mitigating attacks.
Because they play a similar role to firewalls and intrusion detection systems (IDS), people sometimes confuse intrusion prevention systems with these other security technologies. However, an IPS has some unique characteristics that set it apart from other security solutions.
What is an intrusion prevention system (IPS)?
An IPS monitors network traffic for signs of a possible attack. When it detects potentially dangerous activity, it takes action to stop the attack. Often this takes the form of dropping malicious packets, blocking network traffic or resetting connections. The IPS also usually sends an alert to security administrators about the potential malicious activity.
Today's IPS solutions generally use two different techniques for identifying when an attack might be taking place. Signature-based detection looks for signs of known exploits. When it finds activity associated with a previously identified attack, it takes action to block the attack. This type of detection is similar to traditional antivirus technology in that it can only stop attacks that have already been identified. The downside is that it cannot identify or prevent new types of attacks that haven't been seen before.
The second technique for identifying attacks is statistical anomaly-based detection. An IDS that uses this technique will compare current network activity to what is normal. When it finds an aberration, it can send an alert or take other preventive measures. The value of this approach is that it can find zero-day attacks, but the drawback is that it can result in false positives. Some newer IPS technology uses artificial intelligence and machine learning algorithms to help establish the baseline of normal activity and reduce the number of false positives. Many solutions incorporate both signature-based detection and anomaly-based detection in order to take advantage of the benefits of both techniques.
Many IPS solutions also incorporate honeypot capabilities. A honeypot looks like valuable corporate data or applications, but its real purpose is to ensnare would-be attackers and prevent them from getting to their true targets.
IPS solutions can be network-based or host-based. Most enterprises install a network-based intrusion prevention system (NIPS) inline behind the firewall. A host-based intrusion prevention system (HIPS) sits on an endpoint, such as a PC, and looks for malicious traffic at the host level. A third category, the wireless intrusion prevention system (WIPS), looks for unauthorized access to Wi-Fi networks.
An NIPS is somewhat similar to a firewall, but there are some differences. A firewall faces outward and blocks all incoming traffic unless it meets the rules that allows it to pass through, while an NIPS looks at traffic that is already on the network and only blocks traffic that meets certain criteria. One of the best metaphors for explaining the differences is to compare them to different types of security guards. A firewall is like the guard at a gate to a facility. The guard checks credentials and only allows guests through if they are on the list or can prove that they have business there. An NIPS is more like the roaming security guard who walks around the building. This guard watches what the guests are doing and only kicks them out if they are doing something suspicious.
Complicating matters, the boundaries between an NIPS and a firewall have become somewhat blurred as most next-generation firewalls have intrusion detection and intrusion prevention capabilities built in. Vendors also sell combined intrusion detection and prevention systems (IDPSes), which have both IPS and intrusion detection capabilities.
Intrusion prevention vs. intrusion detection
Many people confuse intrusion detection systems (IDS) and intrusion prevention systems (IPS). The acronyms are similar, and the IDS is actually the precursor to the IPS. Early IDS systems could only monitor what was happening and send alerts to IT. IPS systems, by contrast, can take action when they detect malicious activity, helping to stop or prevent attacks.
These days some organizations still choose to deploy IDS technology, sometimes in tandem with IPS technology. In these cases, they usually store the IDS log files in a big data repository where they can later be analyzed with security intelligence or machine learning solutions. This can help organizations identify zero-day attacks that might otherwise evade their security measures.
Deploying network intrusion prevention
Organizations have several options when it comes to deploying NIPS systems. Some choose to use standalone NIPS or intrusion detection and prevention systems. Others deploy a unified threat management (UTM) solution that includes IPS capabilities or a next-generation firewall (NGFW) with IPS capabilities. UTM solutions are generally designed for small or medium-sized businesses, while NGFWs are primarily targeted at larger enterprises.
In addition, organizations can choose to deploy a network IPS as hardware, a virtual appliance or through a cloud-based IPS system. The advantage of cloud-based solutions is that they are very easy to use, but some organizations are uncomfortable trusting the cloud. Hardware-based solutions are also fairly easy to deploy, although staff will still need to set up the physical device. Virtual appliances may be a good fit for large, virtualized environments.
Wireless intrusion prevention systems
Organizations that have Wi-Fi networks at their facilities should also consider deploying a wireless intrusion prevention system (WIPS). Similar to an NIPS, a WIPS monitors wireless frequencies looking for unauthorized devices. When it detects a rogue access point, the WIPS can then kick the offending device off the Wi-Fi network.
In order to deploy a WIPS, users will need to set up sensors that can scan for rogue devices that might be accessing the Wi-Fi network. They will also need a server to collect and analyze the sensor data, as well as a console for managing the WIPS.
Popular intrusion prevention systems
Many different vendors offer NIPS solutions, and there are quite a few open source IPS options as well. Some of the best-known are listed below:
Open source IPS systems
- Security Onion
- Untangle NG Firewall
- Endian Firewall Community
Commercial NIPS vendors
The commercial market for IPS solutions is healthy and growing. MarketsandMarkets.com estimates the IPS/IDS market will hit $5 billion by 2019 and is growing at 13% a year. Here are some of the top IPS solutions:
- Cisco Next-Generation Intrusion Prevention System (NGIPS)
- IBM Security Network Intrusion Prevention System (IPS) products
- Trend Micro Next-Generation Intrusion Prevention System – NGIPS
- McAfee Network Security Platform
- Extreme Intrusion Prevention System
- Juniper Sky Advanced Threat Protection
- Fortinet Next Generation Firewall
- Palo Alto Next-Generation Firewall
- WatchGuard Next-Generation Firewall
- Check Point Next Generation Firewall
- SonicWall Next-Generation Firewall
- Sophos SG UTM
- Cisco Adaptive Wireless IPS Software
- WatchGuard Wireless Intrusion Prevention System (WIPS)
- Aruba RFProtect Wireless Intrusion Protection
- Extreme AirDefense
- NETSCOUT AirMagnet Enterprise