An intrusion prevention system is one of the most crucial tools for modern network security. This term refers to both hardware and software, as both can be used as valid parts of an IPS. The entire purpose of an IPS is to detect suspicious activity and act quickly to neutralize the threat. IPS is distinctly different from IDS (Intrusion Detection Systems) because it incorporates automatic responses of various types. This can make a big difference because, in many cases, simple detection and reporting are not enough. By the time anyone receives the warnings and acts upon them, the attacker may have already done their work and left.
Types Of IPS
An IPS can be deployed in a large number of ways. Obviously, it needs to be well-suited for the architecture of the network in question. Before deploying an IPS solution, one of the most important things is to figure out which of these four types will best serve your needs.
- NIPS: Network Intrusion Prevention System: This is the most broad-ranging solution, as it monitors the entire network for suspicious protocol activity.
- WIPS: Wireless Intrusion Prevention System: This is much like a NIPS setup, but with a specific focus on wireless connections.
- NBA: Network Behavior Analysis: This kind of IPS focuses on packet traffic rather than protocol or IP activity. It monitors the flow of data across the network and looks for any known suspicious patterns.
- HIPS: Host Intrusion Prevention System: This type of IPS is focused on a particular host, analyzing all traffic and activity pertaining to it.
Obviously, you may find that a combination of these approaches will be your best option. All of these systems basically do the same thing, but they are focused on different targets and locations. Of the four, we would say that NIPS and NBA are probably the most important overall. The other two are much more specific in scope and may not even be needed for some networks.
How Does An Intrusion Prevention System Work?
All IPS systems are meant to fulfill three basic functions: Detect suspicious activity, report it to the system administrators, and take automatic action to hinder or prevent the attack.
Detection Of Suspicious Activity
Let’s begin by talking about the detection aspect. Since cyber-attacks can target any particular part of the network, a lot of different detection methods might be used. One of the most common is signature-based detection, which is also commonly used for antivirus software and the like. All software (including malware) has identifying signatures which are generally attached to executable files and scripts. They are used to verify the identity of that software. By constantly scanning for known malware signatures, IPS software can identify known threats before they are successful.
Other systems use statistical anomaly detection. To put it simply, they look for anything out of the ordinary. This isn’t a bad way to go because every type of cyber attack will cause some sort of network abnormality. If the attack can be detected at that early stage, it can probably be prevented altogether. The drawback of this method is that it produces more false positives. Thus, if you go with this approach, make sure that you are prepared to deal with a few false alarms.
Finally, we have the “stateful protocol” method. This is similar to the anomaly-based approach, but it is far more exact. By establishing a certain “baseline” of normal activity, an IPS can then report anything that falls outside of those normal parameters. Because network activity usually falls into particular patterns, it is at least relatively predictable. Again, you can expect some false alarms here, but that’s alright.
More specific methods of detection include:
- TCP connection monitoring
- Matching of HTTP strings and substrings
- Comparison of addresses to known threats
- Analysis of TCP/UDP ports
- Packet monitoring
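To make the detection methods above concrete, here is an added example (not code from the original article or from any IPS product) of a small inspection engine that combines signature matching on HTTP payloads, comparison of source addresses to a known-bad list, TCP/UDP port analysis, and a simple statistical baseline for per-source packet rate. The `Packet` structure, the signature strings, the addresses and the rate baseline are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass
class Packet:            # a decoded packet as the IPS sees it (hypothetical shape)
    src: str
    dport: int
    payload: bytes = b""
# Signature-based detection: byte patterns searched for in HTTP payloads.
# Illustrative placeholders, not real malware signatures.
SIGNATURES = {"web-shell-probe": b"/shell.php?cmd=", "sqli-union": b"UNION SELECT"}
# Comparison of addresses to known threats (constructed list, not real IoCs).
KNOWN_BAD_SOURCES = {"198.51.100.23"}
# TCP/UDP port analysis: services that must never be reached from outside.
FORBIDDEN_PORTS = {23, 445}

@dataclass
class Detector:
    baseline_rate: int   # packets per source tolerated in one observation window
    counts: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, pkt: Packet) -> list:
        """Return the alerts raised for one packet (an empty list means clean)."""
        alerts = []
        if pkt.src in KNOWN_BAD_SOURCES:
            alerts.append(f"known-bad-source:{pkt.src}")
        if pkt.dport in FORBIDDEN_PORTS:
            alerts.append(f"forbidden-port:{pkt.dport}")
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:       # exact substring match on raw bytes
                alerts.append(f"signature:{name}")
        # Statistical anomaly: a source sending more than the baseline is flagged.
        self.counts[pkt.src] += 1
        if self.counts[pkt.src] > self.baseline_rate:
            alerts.append(f"rate-anomaly:{pkt.src}")
        return alerts

def analyze(packets, baseline_rate=3):
    """Map packet index -> alerts for every packet that raised at least one."""
    det = Detector(baseline_rate)
    results = [(i, det.inspect(p)) for i, p in enumerate(packets)]
    return {i: alerts for i, alerts in results if alerts}

# Constructed sample traffic: a benign request, a web-shell probe, a packet from a
# known-bad source, an SMB attempt, and a DNS burst that exceeds the baseline.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.5", 80, b"GET /shell.php?cmd=id HTTP/1.1"),
    Packet("198.51.100.23", 443),
    Packet("203.0.113.9", 445),
] + [Packet("203.0.113.77", 53, b"dns-query") for _ in range(5)]
```

Running `analyze(SAMPLE_PACKETS)` flags only the probe, the known-bad source, the port 445 attempt and the last two packets of the burst; note that the exact-bytes signature match is the reason signature methods miss variants while the rate baseline is the reason anomaly methods raise false alarms.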
Reporting Of Suspicious Activity
Obviously, this part will involve the software sending a notification to all system administrators. However, it doesn’t end there. A good IPS program will also collect information relating to the potential threat and make it available to system admins for review. This will usually include information from various log files, but it won’t be presented in raw form. Instead, the program will produce a report that compiles all the relevant information gathered. These reports are generally much easier to read and understand than raw data from the logs.
Taking Action Against The Threat
Of course, there is no substitute for a qualified human administrator taking action against the threat. However, it might take some time for such a person to respond. In the meantime, an IPS needs to take some action to hinder the attacker (if one is present) and prevent their activities as much as possible.
For a start, these programs can block any network component that raises alarms. This includes IP addresses, MAC addresses (hardware identifiers), or network packets. An IPS has the option to “drop” a suspicious packet so that it never reaches its intended destination. Because some cyber-attacks require an uninterrupted connection, many breaches can also be prevented by resetting the network or automatically kicking users after an excessive amount of time.
The IPS might also make changes to the environment itself. This can include changing settings, adjusting firewall rules, disabling compromised resources, or altering the content of emails. Those that are believed to be phishing attempts can be marked as such, keeping any vigilant person from clicking on the booby-trapped links. All of these quick-action solutions can do a lot to stop a cyber-attack from succeeding.
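As an added illustration of the automatic actions described in the two paragraphs above (this is example code, not part of the original article or any product), the following responder maps each class of alert to a policy of notify only, drop the packet, or temporarily block the source address, and lets blocks expire so that a kicked user is eventually readmitted. The policy table, the alert strings, the addresses and the block duration are constructed assumptions; the fake clock exists only so the expiry can be replayed offline.

```python
# Hypothetical response policy: the automatic action each alert class triggers.
# Class names match "class:detail" alert strings a detector might emit.
RESPONSE_POLICY = {
    "signature": "drop",          # discard the offending packet only
    "forbidden-port": "drop",
    "known-bad-source": "block",  # blocklist the source for a limited time
    "rate-anomaly": "alert",      # anomaly hits give false positives: notify only
}
BLOCK_SECONDS = 600               # constructed value: automatic blocks expire

class Responder:
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.blocklist = {}         # src -> expiry timestamp
        self.notifications = []     # (src, alert, action) records for the admin report

    def is_blocked(self, src):
        expiry = self.blocklist.get(src)
        if expiry is not None and self.clock() < expiry:
            return True
        self.blocklist.pop(src, None)  # absent or lapsed: make sure it is cleared
        return False

    def handle(self, src, alerts):
        """Return the verdict for one packet: 'pass', 'drop' or 'block'."""
        if self.is_blocked(src):
            return "block"
        verdict = "pass"
        for alert in alerts:
            action = RESPONSE_POLICY.get(alert.split(":", 1)[0], "alert")
            self.notifications.append((src, alert, action))
            if action == "block":
                self.blocklist[src] = self.clock() + BLOCK_SECONDS
                verdict = "block"
            elif action == "drop" and verdict == "pass":
                verdict = "drop"
        return verdict

def demo():
    """Replay constructed alerts against a fake clock; return verdicts and notices."""
    now = [0.0]
    r = Responder(clock=lambda: now[0])
    out = [r.handle("203.0.113.5", ["signature:web-shell-probe"])]            # drop
    out.append(r.handle("198.51.100.23", ["known-bad-source:198.51.100.23"]))  # block
    out.append(r.handle("198.51.100.23", []))        # still blocked, even when clean
    out.append(r.handle("203.0.113.77", ["rate-anomaly:203.0.113.77"]))       # notify
    now[0] = BLOCK_SECONDS + 1.0
    out.append(r.handle("198.51.100.23", []))        # block has expired: pass
    return out, r.notifications
```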
The structure of a well-made IPS is intended to cover all the bases. When used in combination with other security measures, such a system can do a lot to increase your overall security. Although no detection method is foolproof, IPS software is an incredibly useful tool. If you would like to know more, you can call PCH Technologies at (856) 754-7500.