What is an Intrusion Prevention System? Definition and Types | Fortinet

Intrusion Prevention System Definition

What is an intrusion prevention system? An intrusion prevention system (IPS) is a network security technology that continuously monitors network traffic to identify threats and takes action to block them. Because it combines detection with prevention, an IPS is also referred to as an intrusion detection and prevention system (IDPS).

IPS as an Adaptable Safeguard Technology for System Security

Organizations choose IPS technologies over traditional reactive network security efforts because an IPS proactively detects and prevents harm from malicious traffic. It identifies potential threats by monitoring network traffic in real time and applying network behavior analysis.

If an unauthorized attacker gains network access, the IPS identifies the suspicious activity, records the offending IP address, and launches an automated response to the threat based on rules set up in advance by the network administrator.

IPS capabilities are commonly bundled with anti-virus/anti-malware, firewall, anti-spoofing, and network traffic monitoring functions. Enterprises use an IPS to document threats, uncover problems with security policies, and block external or insider security violations.

How Do Intrusion Prevention Systems (IPS) Work?

An IPS is typically deployed “in-line”, sitting directly in the communication path between the source and the destination, where it can analyze all network traffic flowing along that path in real time and take automated preventive action. An IPS can be deployed anywhere in the network, but its most common deployment locations are:

  • Enterprise Edge, Perimeter
  • Enterprise Data Center

An IPS can be deployed as a standalone appliance, or the same capability can be enabled as a consolidated IPS function inside a next-generation firewall (NGFW). To identify malicious traffic, an IPS uses signatures, which can be either vulnerability-specific or exploit-specific, and typically relies on signature-based detection, statistical anomaly-based detection, or both.

  1. Signature-based Detection: This uses uniquely identifiable patterns (signatures) found in exploit code. When an exploit is discovered, its signature is added to a continually growing database. Signature-based detection for IPS involves either exploit-facing signatures, which identify individual exploits themselves, or vulnerability-facing signatures, which identify the underlying vulnerability in the system being targeted. Vulnerability-facing signatures are important for catching exploit variants that have not been previously observed, but because they match more broadly they also increase the risk of false positives (benign packets mislabeled as threats).
  2. Statistical Anomaly-based Detection: This samples network traffic at random and compares the samples to a baseline of normal performance. When a sample falls outside the baseline, the IPS triggers an action to prevent a potential attack.

Once the IPS identifies malicious traffic aimed at a network-exploitable vulnerability, it applies what is known as a virtual patch. A virtual patch acts as a safeguard against threats that exploit known and unknown vulnerabilities. It works by implementing layers of security policies and rules that intercept an exploit on its network path to or from the vulnerable system, thereby providing coverage for that vulnerability at the network level rather than the host level. A virtual patch does not change the vulnerable code itself, so it buys time but does not replace applying the vendor's fix on the host.
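To make the two detection methods listed above and the virtual-patch step concrete, here is an added example written for this page (it is not Fortinet's or any product's code) of a toy in-line inspector in Python. The vulnerable service (a /cgi-bin/status endpoint that copies its id parameter into a 64-byte buffer), the exploit bytes, the request samples and the request-rate baseline are all constructed for the illustration. It shows an exploit-facing signature catching only the published exploit, a vulnerability-facing signature acting as the virtual patch and catching an unseen variant as well as an oversized but legitimate request (the false-positive cost of the broader rule), and a standard-deviation check over per-second request counts for the anomaly method.

```python
"""Toy in-line IPS: signature-based and statistical anomaly-based detection.

Added illustration for this page; not Fortinet code. The vulnerable endpoint,
buffer size, exploit bytes, traffic samples and baseline are all constructed.
"""
from __future__ import annotations

import re
import statistics

# --- Signature-based detection -------------------------------------------
# Exploit-facing signature: the byte pattern of one (hypothetical) published
# exploit, a run of "A" padding immediately followed by its shellcode stub.
# It matches that exploit and nothing else.
EXPLOIT_SIGS = {
    "EXPLOIT-1": re.compile(rb"GET /cgi-bin/status\?id=A{32,}\xeb\x1f"),
}

# Vulnerability-facing signature: describes the (hypothetical) flaw itself,
# a server that copies the "id" parameter into a 64-byte buffer. Any value
# longer than the buffer is blocked regardless of the bytes that follow, so
# unseen variants are covered too. Deployed in-line, this rule is the
# virtual patch: the exploit is dropped before it reaches the host.
ID_BUFFER_SIZE = 64
ID_PARAM = re.compile(rb"^GET /cgi-bin/status\?id=([^ &]*)")


def match_signatures(payload: bytes) -> list[str]:
    """Return the ids of every signature that fires on one HTTP request."""
    hits = [sid for sid, pat in EXPLOIT_SIGS.items() if pat.search(payload)]
    m = ID_PARAM.match(payload)
    if m and len(m.group(1)) > ID_BUFFER_SIZE:
        hits.append("VULN-1")
    return hits


def inline_verdict(payload: bytes) -> tuple[str, list[str]]:
    """In-line decision for one request: ("drop", hits) or ("pass", [])."""
    hits = match_signatures(payload)
    return ("drop" if hits else "pass", hits)


# --- Statistical anomaly-based detection ---------------------------------
def anomalous_windows(baseline: list[int], samples: list[int], k: float = 3.0) -> list[int]:
    """Indices of sampled per-second request counts that lie more than k
    standard deviations from the mean of a learned baseline. If the baseline
    has zero variance, any deviation from its mean is flagged."""
    mu = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return [i for i, c in enumerate(samples) if abs(c - mu) > k * sd]


# --- Constructed sample traffic (not captured data) ----------------------
BENIGN = b"GET /cgi-bin/status?id=42 HTTP/1.1\r\n"
# The published exploit: 80 bytes of padding then the shellcode stub.
EXPLOIT = b"GET /cgi-bin/status?id=" + b"A" * 80 + b"\xeb\x1f\x5e\x89\x76\x08 HTTP/1.1\r\n"
# A variant with different padding and shellcode: evades EXPLOIT-1.
VARIANT = b"GET /cgi-bin/status?id=" + b"B" * 200 + b"\x90\x90\xcc HTTP/1.1\r\n"
# Legitimate but oversized id: the false positive the broader rule accepts.
LONG_OK = b"GET /cgi-bin/status?id=" + b"x" * 70 + b" HTTP/1.1\r\n"

BASELINE = [10, 12, 11, 9, 10, 11, 10, 12]  # requests/second, learned
SAMPLES = [11, 10, 250, 9]                  # requests/second, observed

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("exploit", EXPLOIT),
                      ("variant", VARIANT), ("long-ok", LONG_OK)]:
        print(f"{name:8} -> {inline_verdict(req)}")
    print("anomalous windows:", anomalous_windows(BASELINE, SAMPLES))
```

Running the block shows the trade-off from the list above: EXPLOIT-1 fires only on the exact published exploit, VULN-1 fires on the exploit, on the variant, and on the oversized benign request, and the third traffic window (250 requests/second against a baseline near 10) is the only one flagged as anomalous.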