An Intrusion Prevention System (IPS) is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. It is an in-line device that scans traffic and, based on a set of rules, determines whether data packets are legitimate or malicious. An IPS is based upon an Intrusion Detection System (IDS), with the added component of taking real time action to prevent an intrusion once detected by the IDS.

In case you are unfamiliar with IDSs, refer to my posts here:
http://www.bestinternetsecurity.net/19/
http://www.bestinternetsecurity.net/18/

IPS System

The term “Intrusion Prevention System” was coined by Andrew Plato, who was a technical writer and consultant for NetworkICE.1 While these systems were originally an extension of Intrusion Detection Systems (IDSs), which focus on detection only, today’s IPSs are designed to stop attacks and intrusions in real time, protecting valuable assets.

Attacks

An IPS won’t protect you against password attacks or Trojan horse attacks, such as screen capturing and keyloggers, etc. However, there are still many reasons you might want to use an IPS. Among these are extra protection from denial-of-service attacks and protection from many critical exposures found in software such as Microsoft Windows. An IPS device must utilize “Stateful Inspection” (a firewall technology) to perform advanced protection against new types of attacks, as well as defend against the growing frequency and scale of Distributed Denial of Service (DDoS) attacks.  The IPS prevents a large amount of downtime that would occur if nonexistent, by stopping any damage that may have made its way to the databases from internal or even external attacks. The most significant advantage offered by inline IPS technologies is that attacks are detected as they occur.

IPS And Firewall

While some IPS products have the ability to implement firewall rules, this not a core function of the product. Also, some application layer firewalls have integrated IPS-style signatures into their products to provide real-time analysis and blocking of traffic. Other closely related terms include “Unified Threat Management” (UTM), sometimes called “Next Generation Firewalls.”

Commercial IPS Products

There are just a few examples of IPS systems on the market today:

Check Point IPS-1 is a hybrid IDS/IPS solution with management features that include the company’s Dynamic Shielding Architecture for vulnerability alerts and Confidence Indexing.

McAfee IntruShield is a purpose-built intrusion detection/prevention appliance performing up to 10 Gbps packet analysis, which will continue to be enhanced through the company’s risk management strategy including NAC integration. The company recently announced the availability of a Windows VMWare version of Strata Guard Free, a freeware version of its intrusion prevention system.

3Com’s TippingPoint IPS System provides Application Protection, Performance Protection, and Infrastructure Protection at gigabit speeds through total packet inspection.

IPS Technologies

A considerable improvement over firewall technologies, IPS can make access control decisions based on application content rather than IP addresses or ports, as traditional firewalls do. But that also implies that IPSs are slower in performance.

An IPS must also be a very effective Intrusion Detection System in order to enable a low rate of false positives. Just like IDSs, when deploying network-based IPSs (NIPSs), consideration should be given to whether the network segment is encrypted, since not as many products are able to support inspection of such traffic.

According to some news sources regarding a new breed of IPS – the “Distributed IPS” – an IPS’s automatic responses can range from throttling inappropriate traffic and/or blocking individual user/device access, assigning packets to a quarantine VLAN, or turning off the port.2

Customization and Performance Issues

The design and configuration of an IPS is a major part in the effective use of the hardware and software available on the market today. Therefore, I’ll address some key issues for an efficient IPS.

If the IPS fails the flow of packets stops and the network becomes unavailable, this is something which should not be allowed to occur. The solution is to make sure that the product selected is able to maintain signatures, and also provides a well built interface that is easy to understand and navigate. Network administrators should be able to minimize false positives and false negatives by thoroughly training the IPS, taking care to not only train during the initial installation phase, but also continuing to train the system as it is online.

As time goes by, faster IPSs will be created. In fact, most IPSs available today can handle up to a gigabit of traffic. Network administrators should be aware of the bandwidth capabilities of each IPS and be sure to choose one suitable for their level of network traffic.

1http://www.safensoft.com/security.phtml?c=587
2http://www.enterasys.com/company/press-release-item.aspx?id=748

Tags: DOS, Denial of Service Attack, Distributed Denial of Service Attack, false negative