What is an intrusion prevention system?
Adding an intrusion prevention system (IPS) to a firewall is a valuable choice. It combines the monitoring and analysis capabilities of an intrusion detection system (IDS), but what sets it apart is its proactive ability to actively counter and deter threats.
What does IPS mean?
For most users, the firewall is a tried and tested method of protecting their own system or network against attacks from outside. A suitable intrusion prevention system (IPS) is a recommended addition to this protection mechanism. The system works in two steps. First, it performs the tasks of an intrusion detection system (IDS) and monitors either the host, the network, or both to promptly identify unauthorised activities by creating patterns and comparing them with real-time traffic. The second step comes into play when the intrusion prevention system identifies a threat, at which point it can initiate appropriate countermeasures.
The difference between an intrusion detection system and an intrusion preventions system is that the intrusion prevention system only sends a warning to the administrator. The intrusion prevention system, on the other hand, actively intervenes, blocks data packets or interrupts vulnerable connections. Firstly, it is important that the intrusion prevention system is configured appropriately so that all threats are averted without hindering the workflow. Additionally, close collaboration between the IPS and the firewall is crucial for optimal protection. Typically, the intrusion prevention system is positioned directly behind the firewall, using sensors to thoroughly assess system data and network packets.
What types of intrusion prevention systems are there?
There are different types of intrusion prevention systems, primarily differing in their deployment locations.
- Host-based intrusion prevention systems: Host-based IPS (HIPS) are installed directly on individual end devices, where they exclusively monitor incoming and outgoing data. As a result, their active defense capabilities are confined to the specific device they are installed on. HIPS are frequently used in conjunction with broader security methods, with the host-based intrusion prevention system serving as a last line of defense.
- Network-based intrusion prevention systems: Network-based IPS (NIPS) are strategically positioned at multiple locations within a network to scrutinise a large volume of data packets circulating within it. They can be deployed through dedicated devices or within firewalls. This setup allows for comprehensive scanning and protection of all systems connected to the network.
- Wireless intrusion prevention systems : WIPS (Wireless Intrusion Prevention System) are specially designed to work in a WLAN network. In case of unauthorised access, the IPS locates the corresponding device and removes it from the environment.
- Behavioral intrusion prevention systems: Network Behavior Analysis (NBA) is recommended for fighting DDoS attacks. This checks all data traffic and can thus detect and prevent attacks in advance.
How does an intrusion prevention system work?
The role of an intrusion prevention system encompasses two main aspects. Firstly, it must detect, pre-filter, analyse, and report potential threats, essentially akin to an intrusion detection system. Furthermore, the intrusion prevention system takes proactive measures in response to a threat, instigating its own prevention measures. In both scenarios, the IPS has a range of methods at its disposal.
IPS analysis methods
- Anomaly Detection: Anomaly detection involves comparing network or end-device behaviour to a predefined standard. Significant deviations from this standard prompt the intrusion prevention system to take appropriate countermeasures. However, depending on the configuration, this method can also result in frequent false alarms. For this reason, too, modern systems are increasingly relying on AI to significantly reduce error rates.
- Misuse Detection: In this method, data packets are scrutinised for known forms of attacks. This type of intrusion prevention system demonstrates strong detection rates for established threats, identifying them with a high degree of certainty. However, it is less effective against novel, previously unidentified attacks.
- Policy-based IPS: The policy-based intrusion prevention system is less commonly employed compared to the two methods previously discussed. To implement this approach, unique and specific security policies must be configured first. These policies serve as the foundation for monitoring the corresponding system.
IPS defense mechanisms
The intrusion prevention system operates in real-time without impeding the data flow. When a threat is detected through the monitoring methods described earlier, the IPS offers several response options. In less critical situations, similar to an IDS, it sends a notification to the administrator for further action. However, in more severe cases, the intrusion prevention system takes autonomous action. It can disrupt and reset transmission paths, block sources or destinations, or even discard data packets completely.
What are the advantages of an intrusion prevention system?
The strategic deployment of an intrusion prevention system offers numerous benefits for users. Most notably, it enhances overall security by detecting risks that might go unnoticed by other tools. Through pre-filtering, the intrusion prevention system also alleviates the burden on other security mechanisms, safeguarding the entire infrastructure. Configuration options enable precise customisation of the IPS to meet specific requirements. With successful configuration, the system operates autonomously, thereby providing a significant time-saving advantage.
What are the disadvantages of an intrusion prevention system?
Used correctly, an intrusion prevention system enhances network security substantially. However, there are also some potential drawbacks associated with this approach. In addition to the previously mentioned limitations of anomaly and misuse detection, there’s a notable concern regarding hardware requirements. Intrusion prevention systems typically demand significant resources, which increase in tandem with the network’s size. Therefore, their real value is realised when their capacities align with the network’s demands. Moreover, configuration can be challenging, particularly for non-experts. Suboptimal configurations may lead to network issues.
- Regular virus scans
- Automatic backups and simple file recovery
DenyHosts: The best IPS against brute force
In the war on brute force attacks, DenyHosts is a worthwhile option. The intrusion prevention system was written in Python and is open source. It monitors SSH login attempts and blocks corresponding addresses if they have too many failed attempts. This is the official GitHub respository of DenyHosts.