IPS

What Is IPS?

An Intrusion Prevention System (IPS), also referred to as an Intrusion Detection and Prevention System, serves as a vital network security application tasked with monitoring network or system activities to detect and prevent malicious behavior. Key functions of an IPS include identifying potentially harmful activity, gathering information about such activity, reporting findings, and taking action to block or thwart the detected threats.

Considered an evolution of Intrusion Detection Systems (IDS), IPS and IDS alike analyze network traffic and system events for signs of malicious behavior. IPS typically records pertinent information regarding observed events, alerts security administrators to significant findings, and generates comprehensive reports. Furthermore, many IPS solutions are equipped to respond to identified threats by actively intervening to prevent their success. These response mechanisms may involve the IPS directly halting the attack, altering the security environment, or modifying the content of the attack itself.

The Necessity of Intrusion Prevention Systems

Intrusion encompasses a range of actions that compromise the reliability or availability of an information system, including unauthorized access, theft, and damage to system resources. Common intrusion techniques involve Trojan horses, worms, injection attacks, botnets, DDoS attacks, cross-site scripting (XSS), and brute force attacks. Recently, there has been a surge in grayware such as spyware and adware. Intrusions are increasingly driven by financial motives and employ sophisticated, multifaceted penetration tactics. According to the 2020 Cybersecurity Report by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), over 42 million malicious program samples were captured in 2020, with more than 50 million IP addresses attacked by these programs.

Typical enterprise intrusions include:

• Injection Attacks: These attacks can grant attackers permission to modify server databases, leading to data breaches or corruption.

• Trojan Horse Propagation: Attackers exploit system software vulnerabilities to spread Trojan horse malware within enterprises.

• DDoS Attacks: Large-scale Distributed Denial of Service (DDoS) attacks can consume network resources maliciously, disrupting normal enterprise services.

• Malicious Code Implantation: Attackers plant malicious code on frequently accessed external websites. When employees visit these sites, attackers can steal information like account details and cookies, and impersonate employee actions.

• Phishing Emails: Phishing emails lure employees into clicking on fake website links or downloading infected attachments, leading to information breaches, malware infections, and severe consequences such as direct economic losses.

One significant factor contributing to successful intrusions is the presence of security vulnerabilities in various systems. These vulnerabilities include flaws in hardware, software, protocol implementations, or system security policies that attackers exploit to gain unauthorized access or cause damage. Historical vulnerabilities like Heartbleed and EternalBlue have resulted in significant security breaches.

While system vendors may identify and release patches or updates to address these vulnerabilities, there is often a time lag between the identification of a vulnerability and the deployment of an update. During this period, systems remain vulnerable to attacks. An IPS plays a crucial role in bridging this gap by detecting and defending against attacks that exploit these vulnerabilities. It provides essential security protection capabilities before the vendor's updates are implemented.

Classification of Intrusion Prevention System

Intrusion Prevention Systems are categorized into four primary types based on their monitoring scope and method of operation:

Network-Based Intrusion Prevention System (NIPS)

• Function: Monitors the entire network for suspicious activities.

• Operation: Analyzes protocol activity to detect and prevent malicious traffic across the network.

Wireless Intrusion Prevention System (WIPS)

• Function: Focuses on securing wireless networks.

• Operation: Analyzes wireless networking protocols to identify and block suspicious traffic on wireless networks.

Network Behavior Analysis (NBA)

• Function: Identifies unusual traffic patterns that may indicate potential threats.

• Operation: Examines network traffic flows to detect anomalies such as distributed denial of service (DDoS) attacks, specific types of malware, and policy violations.

Host-Based Intrusion Prevention System (HIPS)

• Function: Secures individual hosts or endpoints by monitoring and analyzing their activities.

• Operation: Inspects system calls, application logs, file system modifications, and other host-level activities to detect and prevent malicious behavior.

Each type of IPS provides a different layer of security, working together to offer comprehensive protection against various forms of cyber threats.

Understanding the Operation of Intrusion Prevention Systems

Intrusion Prevention Systems (IPS) protect against various malicious behaviors using several detection methods:

• Signature-Based Detection: This approach involves matching network traffic against predefined signatures that characterize known threats. If the traffic aligns with a signature, it is flagged as malicious. However, this method is limited to detecting intrusions that already have signatures and cannot identify new, unknown threats.

• Anomaly-Based Detection: This method involves collecting random samples of network activities and comparing them to established baseline standards to identify potential intrusions. While this technology has a broader detection range than signature-based detection, it also has a higher risk of false positives due to normal variations in network behavior being flagged as suspicious.

• Security Policy-Based Detection: Less commonly used than the other two methods, this approach requires network administrators to set security policies on the device. Any access attempt that violates these policies is blocked.

Once an intrusion is detected, the IPS can respond automatically based on configured actions, such as generating an alarm, discarding malicious data packets, blocking traffic from the source address, or resetting the connection.

Advantages of Using an Intrusion Prevention System

• Enhanced Security: IPSs complement other security solutions by identifying threats that might go unnoticed by them, especially those detected through anomaly-based methods. They provide superior application security due to their high application awareness.

• Improved Efficiency of Other Security Measures: By filtering out malicious traffic before it reaches other security devices, an IPS reduces the workload on these systems, allowing them to operate more efficiently.

• Time Savings: IPSs are highly automated, which means they require less time and effort from IT teams, freeing them up for other tasks.

• Regulatory Compliance: An IPS helps meet compliance requirements from standards such as PCI DSS and HIPAA. It also generates valuable auditing data for compliance reporting.

• Customization: IPSs can be configured with custom security policies tailored to the specific needs of the enterprise, providing targeted and effective security controls.