An intrusion prevention system (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur.
It is more advanced than an intrusion detection system (IDS), which simply detects malicious activity but cannot take action against it beyond alerting an administrator. Intrusion prevention systems are sometimes included as part of a next-generation firewall (NGFW) or unified threat management (UTM) solution. Like many network security technologies, they must be powerful enough to scan a high volume of traffic without slowing down network performance.
An intrusion prevention system is placed inline, in the flow of network traffic between the source and destination, and usually sits just behind the firewall. There are several techniques that intrusion prevention systems use to identify threats:
Once the IPS detects malicious activity, it can take many automated actions, including alerting administrators, dropping the packets, blocking traffic from the source address, or resetting the connection. Some intrusion prevention systems also use a “honeypot,” or decoy high-value data, to attract attackers and stop them from reaching their targets.
There are several types of IPS, each with a slightly different purpose:
An intrusion prevention system offers many benefits:
There are several reasons why an IPS is a key part of any enterprise security system. A modern network has many access points and deals with a high volume of traffic, making manual monitoring and response an unrealistic option. (This is particularly true when it comes to cloud security, where a highly connected environment can mean an expanded attack surface and thus greater vulnerability to threats.) In addition, the threats that enterprise security systems face are growing ever more numerous and sophisticated. The automated capabilities of an IPS are vital in this situation, allowing an enterprise to respond to threats quickly without placing a strain on IT teams. As part of an enterprise’s security infrastructure, an IPS is a crucial way to help prevent some of the most serious and sophisticated attacks.
It is important to remember that an IPS is only one part of a robust security solution—it needs to work with other technology for maximum effectiveness. In fact, intrusion prevention systems are often offered as one capability of a unified threat management or next-generation firewall solution, although they can also be standalone offerings. In a typical security architecture, the IPS usually sits just behind the firewall and works in tandem with it to provide an extra level of security and catch threats that the firewall can’t catch on its own. An IPS also helps protect other security controls from attack, as well as improving performance for those controls by filtering out malicious traffic before it reaches them. Most importantly, an IPS provides an additional layer of security by identifying and filtering out threats that other parts of the security infrastructure can’t detect.