An Intrusion Prevention System (IPS) is a security solution designed to monitor networks and computer systems, which automatically responds to detected threats. Unlike purely passive security systems, an IPS operates actively in real time and can immediately detect and block attacks. An IPS is usually installed inline in the data traffic, i.e. directly in the transmission path between source and destination. This enables the system to analyse suspicious or malicious data traffic and initiate countermeasures immediately.
The key difference from an Intrusion Detection System (IDS) is that an IDS merely detects and reports attacks, whereas an IPS also automatically takes measures to protect the network. An IPS is often used in combination with a firewall to enhance network security. Typical measures taken by an Intrusion Prevention System include blocking malicious traffic, blocking IP addresses or individual data packets, and removing harmful content from network traffic.
Key types of IPS:
- Host-based Intrusion Prevention System (HIPS): Installed directly on an end device or server, it monitors incoming and outgoing data. It can respond to attacks locally and block them.
- Network-based Intrusion Prevention System (NIPS): Monitors all network traffic and checks individual data packets for suspicious activity. It can be used independently or integrated into a firewall and protects all devices on the network.
- Wireless Intrusion Prevention System (WIPS): Monitors wireless networks and detects unauthorised access or suspicious activity. It can terminate connections and, for example, prevent man-in-the-middle attacks.
Detection methods:
- Signature-based detection: Compares network traffic with known attack patterns. This requires signature databases to be updated regularly.
- Anomaly-based detection: Creates a model of normal network behaviour and detects deviations from it. This allows new or unknown attacks to be detected, although there is a higher risk of false alarms.
- Policy-based detection: Based on defined security policies. Violations of these rules are automatically blocked, which allows for customisation but requires a comprehensive set of rules.
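The following is an added example, not code from the original article, that models an inline IPS applying the three detection methods above to a stream of constructed packets: a signature match against known attack byte patterns, a policy check (external sources may only reach an allowed port set), and a statistical anomaly model built from a baseline of normal payload sizes. The signatures, the policy, the address prefix `10.0.` used to mark internal hosts, and all traffic are constructed for illustration; because anomaly detection carries the higher false-alarm risk noted above, the example only alerts on anomalies by default and blocks on them only when `anomaly_action="block"` is chosen.

```python
"""Toy inline IPS: signature, policy and anomaly checks over a packet stream."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination TCP port
    payload: bytes


# Signature-based detection: constructed attack byte patterns, not a real ruleset.
# A production IPS would load these from a regularly updated signature database.
SIGNATURES = {
    "sqli-tautology": b"' OR 1=1",
    "shell-path-in-request": b"/bin/sh",
}

# Policy-based detection: constructed rule "external hosts may only reach 80/443".
INTERNAL_PREFIX = "10.0."          # assumption: the protected network is 10.0.0.0/16
ALLOWED_EXTERNAL_PORTS = {80, 443}


class AnomalyModel:
    """Baseline of payload sizes per destination port; flags z-score outliers."""

    def __init__(self, z_threshold: float = 3.0, min_samples: int = 5):
        self.sizes = defaultdict(list)
        self.z_threshold = z_threshold
        self.min_samples = min_samples

    def train(self, packets):
        for p in packets:
            self.sizes[p.dport].append(len(p.payload))

    def is_anomalous(self, pkt: Packet) -> bool:
        hist = self.sizes.get(pkt.dport)
        if not hist or len(hist) < self.min_samples:
            return False  # no usable baseline for this port: do not guess
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            return len(pkt.payload) != mu
        return abs(len(pkt.payload) - mu) / sigma > self.z_threshold


def signature_match(pkt: Packet):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None


def policy_violation(pkt: Packet):
    """Return a description of the violated rule, or None if the packet complies."""
    if not pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport not in ALLOWED_EXTERNAL_PORTS:
        return f"external source to non-allowed port {pkt.dport}"
    return None


def inspect(pkt: Packet, model: AnomalyModel, anomaly_action: str = "alert"):
    """Inline decision for one packet: ('block' | 'alert' | 'allow', reason).

    'block' means the packet is dropped instead of forwarded; 'alert' means it is
    forwarded but logged, which is the safer default for the anomaly detector.
    """
    sig = signature_match(pkt)
    if sig:
        return ("block", f"signature:{sig}")
    violation = policy_violation(pkt)
    if violation:
        return ("block", f"policy:{violation}")
    if model.is_anomalous(pkt):
        return (anomaly_action, "anomaly:payload size outlier")
    return ("allow", "")


def process(packets, model: AnomalyModel, anomaly_action: str = "alert"):
    """Run the stream through the IPS; return (forwarded packets, decision log)."""
    forwarded, log = [], []
    for pkt in packets:
        verdict, reason = inspect(pkt, model, anomaly_action)
        log.append((pkt.src, pkt.dport, verdict, reason))
        if verdict != "block":
            forwarded.append(pkt)
    return forwarded, log


# Constructed baseline: ten ordinary web requests with payloads of 200-300 bytes.
BASELINE = [Packet("10.0.1.2", "10.0.0.8", 80, b"x" * n)
            for n in (200, 220, 240, 260, 280, 300, 210, 230, 250, 270)]


if __name__ == "__main__":
    model = AnomalyModel()
    model.train(BASELINE)
    stream = [
        Packet("203.0.113.5", "10.0.0.8", 80, b"GET /?id=1' OR 1=1-- HTTP/1.1"),
        Packet("203.0.113.5", "10.0.0.8", 22, b"SSH-2.0-client"),
        Packet("203.0.113.9", "10.0.0.8", 80, b"A" * 5000),
        Packet("10.0.1.4", "10.0.0.8", 22, b"SSH-2.0-client"),
    ]
    for entry in process(stream, model)[1]:
        print(entry)
```

The ordering of checks is a design choice: signatures and policy rules are deterministic and cheap, so they run first and block outright; the anomaly model runs last and by default only raises an alert, so a drifting baseline degrades into noisy logs rather than dropped legitimate traffic.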