
Network-based Intrusion Prevention System: detection mechanisms


An Intrusion Prevention System, commonly referred to as an IPS, is undeniably the first line of defense in providing competent network security in real time. It is an active, in-line device capable of provisioning security at every system level, from the operating system down to individual network packets. The IPS stops network-based threats before they can impact the business operations of an organization. Preemptive protection, that is, protection that works ahead of a threat, is achieved through a combination of line-speed performance, security intelligence, and a modular protection engine that enables security convergence.

An IPS provides policies and rules for network traffic, similar to an Intrusion Detection System (IDS), for alerting system and network administrators to suspicious traffic. However, an IPS also allows the administrator to decide what action will be taken once an alert is raised. An IDS's job is to inform of a potential attack, whereas an IPS's job is to prevent it. It would be false to say that an IPS is an alternative to another layer of network security such as a firewall. Firewalls work off a set of rules, while an IPS utilizes signature-based threat detection to shield the network from harm. In short, firewalls allow or block traffic, while an IPS inspects the traffic a firewall has allowed; the two work hand-in-hand to provision a secure network.

An IPS will typically use the following detection mechanisms:

  • Signature-based threat detection: This method is the soul of the IPS. It holds a large archive of attack signatures derived from known exploit and vulnerability patterns and matches traffic against them to detect any intrusion attempt.
  • Anomaly-based threat detection: This method relies on a baseline established from normal network traffic conditions. It compares current traffic against that baseline and flags discrepancies in order to identify abnormal or unsafe behavior.
  • Stateful protocol analysis detection: This method tracks the state of each protocol session and flags protocol states that deviate from standard, predefined profiles of expected protocol behavior.
  • Passive monitoring: With this approach, the IPS quietly sits and watches for abnormal or suspicious behavior. An example is a higher than normal amount of traffic coming from the same IP address, to which it responds by taking action.
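The mechanisms above, as an added Python example that is not part of the original article: a toy in-line inspector that runs a constructed packet stream through a small signature archive, a per-source rate baseline (covering both the anomaly case and the passive-monitoring example of one IP sending too much traffic), and a TCP three-way-handshake state machine for stateful protocol analysis. All packet data, signatures and thresholds are constructed for the illustration and are not from any real IPS product.

```python
from collections import Counter, defaultdict

# Constructed sample traffic, one tuple per packet: (src, dst, tcp_flags, payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.80", "S", b""),   # normal client: full handshake, then a request
    ("10.0.0.80", "10.0.0.5", "SA", b""),
    ("10.0.0.5", "10.0.0.80", "A", b""),
    ("10.0.0.5", "10.0.0.80", "PA", b"GET /index.html HTTP/1.1"),
    ("10.0.0.7", "10.0.0.80", "PA", b"GET /../../secret.txt HTTP/1.1"),  # no handshake
] + [("10.0.0.9", "10.0.0.80", "S", b"")] * 40   # one host sends 40 SYNs

SIGNATURES = {"directory-traversal": b"../..", "xss-probe": b"<script>"}  # constructed archive
BASELINE_PKTS_PER_SRC = 5   # packets per source under normal conditions (constructed baseline)
ANOMALY_FACTOR = 4          # alert when a source exceeds 4x the baseline

def signature_check(pkt):
    """Signature-based: match the payload against the archive of known attack patterns."""
    payload = pkt[3]
    return [("signature", name) for name, pat in SIGNATURES.items() if pat in payload]

def anomaly_check(packets):
    """Anomaly-based: compare per-source packet counts with the traffic baseline."""
    counts = Counter(src for src, _, _, _ in packets)
    limit = BASELINE_PKTS_PER_SRC * ANOMALY_FACTOR
    return [("anomaly", f"{src} sent {n} packets (limit {limit})")
            for src, n in counts.items() if n > limit]

def stateful_check(packets):
    """Stateful protocol analysis: data on a flow that never completed the TCP
    three-way handshake deviates from the expected protocol profile."""
    state = defaultdict(lambda: "NEW")          # keyed by (client, server)
    alerts = []
    for src, dst, flags, payload in packets:
        if flags == "S":
            state[(src, dst)] = "SYN_SENT"
        elif flags == "SA" and state[(dst, src)] == "SYN_SENT":
            state[(dst, src)] = "SYN_RECEIVED"
        elif flags == "A" and state[(src, dst)] == "SYN_RECEIVED":
            state[(src, dst)] = "ESTABLISHED"
        elif payload and state[(src, dst)] != "ESTABLISHED":
            alerts.append(("stateful", f"data from {src} to {dst} on a non-established flow"))
    return alerts

def inspect(packets):
    """Run all three mechanisms and return the combined alert list."""
    alerts = [a for pkt in packets for a in signature_check(pkt)]
    return alerts + anomaly_check(packets) + stateful_check(packets)
```

Running `inspect(SAMPLE_PACKETS)` yields one alert per mechanism: the traversal signature from 10.0.0.7, the 40-packet burst from 10.0.0.9, and the data sent by 10.0.0.7 without a handshake; the well-behaved client 10.0.0.5 produces none.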

Stay tuned for the second installment of this segment, which will deal with the threats that a NIPS deals with. That article will be posted on October 4th.