What is an intrusion prevention system?

An intrusion prevention system is placed inline, in the flow of network traffic between the source and destination, and usually sits just behind the firewall. There are several techniques that intrusion prevention systems use to identify threats:

• Signature-based: This method matches the activity to signatures of well-known threats. One drawback to this method is that it can only stop previously identified attacks and won’t be able to recognize new ones.
  
• Anomaly-based: This method monitors for abnormal behavior by comparing random samples of network activity against a baseline standard. It is more robust than signature-based monitoring, but it can sometimes produce false positives. Some newer and more advanced intrusion prevention systems use artificial intelligence and machine learning technology to support anomaly-based monitoring.
• Policy-based: This method is somewhat less common than signature-based or anomaly-based monitoring. It employs security policies defined by the enterprise and blocks activity that violates those policies. This requires an administrator to set up and configure security policies.

Once the IPS detects malicious activity, it can take many automated actions, including alerting administrators, dropping the packets, blocking traffic from the source address, or resetting the connection. Some intrusion prevention systems also use a “honeypot,” or decoy high-value data, to attract attackers and stop them from reaching their targets.

There are several types of IPS, each with a slightly different purpose:

• Network intrusion prevention system (NIPS): This type of IPS is installed only at strategic points to monitor all network traffic and proactively scan for threats.
• Host intrusion prevention system (HIPS): In contrast to a NIPS, a HIPS is installed on an endpoint (such as a PC) and looks at inbound and outbound traffic from that machine only. It works best in combination with a NIPS, as it serves as a last line of defense for threats that have made it past the NIPS.
• Network behavior analysis (NBA): This analyzes network traffic to detect unusual traffic flows, such as DDoS (Distributed Denial of Service) attacks.  
• Wireless intrusion prevention system (WIPS): This type of IPS simply scans a Wi-Fi network for unauthorized access and kicks unauthorized devices off the network.

There are several reasons why an IPS is a key part of any enterprise security system. A modern network has many access points and deals with a high volume of traffic, making manual monitoring and response an unrealistic option. (This is particularly true when it comes to cloud security, where a highly connected environment can mean an expanded attack surface and thus greater vulnerability to threats.) In addition, the threats that enterprise security systems face are growing ever more numerous and sophisticated. The automated capabilities of an IPS are vital in this situation, allowing an enterprise to respond to threats quickly without placing a strain on IT teams. As part of an enterprise’s security infrastructure, an IPS is a crucial way to help prevent some of the most serious and sophisticated attacks.