Definitions: Intrusion-Prevention Systems
Created on: Jan 27, 2009 9:57 AM by Patrick Avery - Last Modified: Jan 27, 2009 10:00 AM by Patrick Avery
Definition
An intrusion-prevention system monitors network traffic and system activities to identify unauthorized or malicious use and prevent further action. For example, upon detecting a network attack, an intrusion prevention system (IPS) can drop the offending packets and prevent further communication from the source, while allowing all other traffic to traverse the network.
Business applications
Some organizations are deploying intrusion-prevention systems in place of or in addition to intrusion-detection systems, which passively identify unauthorized traffic and are limited in their ability to react to it. For example, an IPS may be deployed behind a firewall to ensure that traffic from a public network, such as the Internet, does not threaten resources on the private network. An IPS can also be deployed on network segments that host critical systems to prevent unauthorized traffic from one network segment from reaching critical systems on another segment.
Deployment concerns
Intrusion-prevention systems sit inline and prevent attacks in real time. However, they are more likely than intrusion-detection systems to block legitimate traffic, and they generate both false positives and false negatives (traffic that is not malicious but is treated as such, and traffic that is malicious but is not recognized as such). Some organizations consider this less of a risk than the possibility of damage caused by malware or an intrusion, and so accept the additional workload of analyzing false positives and false negatives.
Additionally, few IPSes can monitor encrypted traffic.
Like all security technologies, an IPS is susceptible to attack or can be bypassed by savvy intruders. For this reason, an IPS should be one of several security measures that organizations implement as part of a defense-in-depth strategy.
Technical details
Like an IDS, an intrusion-prevention system has three components: an analysis engine, sensors and a console. The sensors gather traffic information and send it to the analysis engine, which compares the traffic information against attack signatures and pre-defined rules. The result of that analysis is then sent to the console, which is often a GUI the IPS analyst uses to review the findings. Alerts can also be sent as a page or as notifications on client systems used by the analyst.
There are several types of intrusion-prevention systems, including network intrusion-prevention systems and host-based intrusion-prevention systems. While a network IPS analyzes network traffic and monitors hosts, a host-based IPS examines application logs, system calls, file-system modifications and other host activities.
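The inline behaviour described above (drop the offending packet, block further traffic from its source, pass everything else) is sketched here as a small constructed network-IPS model; it is an added illustration, not code from this page or any product. The signatures, addresses and packets are all made up, and the sample traffic deliberately includes a legitimate request that trips a signature (a false positive) and an encrypted packet the engine cannot inspect (a false-negative risk).

```python
import re
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    port: int
    payload: bytes
    encrypted: bool = False  # constructed flag: payload is TLS and cannot be inspected

# Constructed signature set: name -> pattern matched against a cleartext payload.
SIGNATURES = {
    "http-path-traversal": re.compile(rb"\.\./\.\./"),
    "sqli-union-select": re.compile(rb"(?i)union\s+select"),
}

@dataclass
class InlineIPS:
    """Analysis engine with the state an inline sensor needs: blocklist and alert queue."""
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)  # what would be forwarded to the console

    def inspect(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet, updating blocklist and alerts."""
        if pkt.src in self.blocked_sources:
            return "drop"            # further communication from an offending source is refused
        if pkt.encrypted:
            return "allow"           # the engine cannot see inside the payload, so nothing matches
        for name, sig in SIGNATURES.items():
            if sig.search(pkt.payload):
                self.alerts.append((name, pkt.src))   # alert to the console
                self.blocked_sources.add(pkt.src)      # block the source from now on
                return "drop"        # drop the offending packet
        return "allow"               # all other traffic traverses the network

def run(ips: InlineIPS, packets) -> list:
    """Pass a sequence of packets through the inline engine and collect each verdict."""
    return [ips.inspect(p) for p in packets]

# Constructed traffic sample (addresses are documentation ranges, not real hosts).
TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.20", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.9", "10.0.1.20", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("203.0.113.9", "10.0.1.20", 80, b"GET /index.html HTTP/1.1"),  # blocked source
    Packet("10.0.0.5", "10.0.1.20", 443, b"\x17\x03\x03\x00\x2a\x8f", encrypted=True),
    Packet("10.0.0.7", "10.0.1.20", 80, b"GET /docs?q=union select HTTP/1.1"),  # false positive
]

if __name__ == "__main__":
    engine = InlineIPS()
    print(run(engine, TRAFFIC), engine.alerts, engine.blocked_sources)
```

The last packet is a benign search query that the signature engine still drops and whose source it blocklists, which is the analyst workload the deployment-concerns section describes.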
Intrusion-detection and intrusion-prevention systems are increasingly being packaged together.