Intrusion-prevention systems (IPS) are a new breed of products designed to protect networks from attacks. While a firewall works like a lock on a door or window (nothing can get in or out of that address and/or port), and an intrusion-detection system (IDS) is akin to a closed-circuit video monitor (recording everything and sounding an alarm if it detects an intruder), intrusion-prevention systems are a response to the increasing awareness that attackers need very little time to do their damage and immediate in-line response is often required.
In-line intrusion-prevention systems are unique in that they sit on the network, where they supplement existing firewall and antivirus solutions. An IPS monitors traffic and actively intervenes by dropping packets deemed malicious, scrutinizing suspicious sessions or taking other actions in immediate real-time response to an attack.
An effective intrusion-prevention device sits in-line and inspects all inbound and outbound traffic. It handles all types of packets and performs a range of detection analysis, not only on each individual packet but on traffic patterns, viewing each transaction in the context of others that have come before or will go after. Detection mechanisms can include address matching, HTTP string and substring matching, generic pattern matching, TCP connection analysis, packet anomaly detection, traffic anomaly detection and TCP/UDP port matching.
If an IPS deems a packet harmless, it forwards
An IPS also generally has an extensive reporting mechanism – beyond a simple log of activity. IPSs create alarms and transmit them to appropriate destinations. The IPS can send copies of the actual traffic through a forensic port for immediate analysis and diagnosis by IT personnel. Some can even create an entire, ongoing "flow mirror" copy of the session traffic to send to a mirror port.
Network security managers configure these detection, response and reporting mechanisms according to the needs and the policies of the organization. Operating modes can be escalated from "disable" (no detection, no response, no reporting) to "monitor" (detection and selected reporting mechanisms, but no response) and finally to "mitigate" (detection plus selected response and reporting mechanisms) once administrators are confident that the IPS can perform all of these functions without adversely affecting network performance.
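To make the ideas in the preceding paragraphs concrete, here is an added example (not code from the original article or from any IPS vendor) of a toy in-line inspection engine. It combines two per-packet checks named above (TCP/UDP port matching and HTTP substring matching) with one stateful check that judges each packet in the context of earlier ones (a port-scan style traffic anomaly), feeds alerts to a log and copies offending packets to a "forensic port" list, and applies the disable/monitor/mitigate modes so that only the mitigate mode actually drops traffic. The packet format, the signature set, the scan threshold and the sample traffic are all constructed assumptions for illustration.

```python
"""Toy in-line IPS: per-packet and stateful checks under disable/monitor/mitigate modes.

Added example; the packet model, signature names and thresholds are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DISABLE = "disable"    # no detection, no response, no reporting
    MONITOR = "monitor"    # detection and reporting; every packet is still forwarded
    MITIGATE = "mitigate"  # detection, reporting and in-line drop


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class Verdict:
    action: str        # "forward" or "drop"
    alerts: list       # reporting output: one string per detection on this packet


class InlineIPS:
    def __init__(self, mode, blocked_ports=(23,), signatures=None, scan_threshold=5):
        self.mode = mode
        self.blocked_ports = set(blocked_ports)
        # Hypothetical signature set: name -> byte pattern matched as a payload substring.
        self.signatures = signatures or {"http-dir-traversal": b"../.."}
        self.scan_threshold = scan_threshold
        # State kept across packets: distinct destination ports seen per source address.
        self._ports_by_src = defaultdict(set)
        self.log = []              # alarm log (reporting)
        self.forensic_copies = []  # packets mirrored for analyst review (reporting)

    def inspect(self, pkt):
        """Inspect one packet in the context of earlier traffic and return a Verdict."""
        if self.mode is Mode.DISABLE:
            return Verdict("forward", [])          # nothing detected, nothing reported
        alerts = []
        # 1. TCP/UDP port matching: a single-packet check.
        if pkt.dport in self.blocked_ports:
            alerts.append(f"port-match {pkt.proto}/{pkt.dport} from {pkt.src}")
        # 2. String / substring matching against the payload: also single-packet.
        for name, pattern in self.signatures.items():
            if pattern in pkt.payload:
                alerts.append(f"signature {name} from {pkt.src}")
        # 3. Traffic anomaly: this packet is judged together with those before it.
        #    Once a source has touched scan_threshold distinct ports, every further
        #    packet from it is flagged (and dropped in mitigate mode).
        self._ports_by_src[pkt.src].add(pkt.dport)
        touched = len(self._ports_by_src[pkt.src])
        if touched >= self.scan_threshold:
            alerts.append(f"port-scan {pkt.src} touched {touched} ports")
        # Reporting: alarms plus a copy of the offending packet for forensics.
        if alerts:
            self.log.extend(alerts)
            self.forensic_copies.append(pkt)
        # Response: only the mitigate mode intervenes in-line.
        drop = bool(alerts) and self.mode is Mode.MITIGATE
        return Verdict("drop" if drop else "forward", alerts)


def sample_traffic():
    """Constructed traffic: a benign request, a six-port probe, a traversal attempt, telnet."""
    pkts = [Packet("192.0.2.10", "198.51.100.5", "tcp", 80, b"GET /index.html HTTP/1.1")]
    pkts += [Packet("192.0.2.99", "198.51.100.5", "tcp", p) for p in (21, 22, 25, 110, 143, 443)]
    pkts.append(Packet("192.0.2.20", "198.51.100.5", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1"))
    pkts.append(Packet("192.0.2.30", "198.51.100.5", "tcp", 23))
    return pkts


def run(mode):
    """Pass the sample traffic through the IPS; return (forwarded, dropped, alert log)."""
    ips = InlineIPS(mode)
    forwarded = dropped = 0
    for pkt in sample_traffic():
        verdict = ips.inspect(pkt)
        if verdict.action == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped, list(ips.log)


if __name__ == "__main__":
    for mode in Mode:
        fwd, drp, log = run(mode)
        print(f"{mode.value:8s} forwarded={fwd} dropped={drp} alerts={len(log)}")
```

Running the three modes over the same nine constructed packets shows the escalation the article describes: "disable" forwards everything silently, "monitor" forwards everything but raises four alarms (one port match, one signature hit and two scan detections, since the scan is only recognised from the fifth distinct port onward), and "mitigate" raises the same four alarms and drops exactly those four packets.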
An IPS normally works in conjunction with a strong firewall and antivirus approach to provide cyber attack protection for a corporate network. Placing the product in-line improves detection and delivers protection provided the IPS uses methods that go beyond pattern matching. The pattern-matching detection methods of a typical IDS would result in just as many false alarms if used as an IPS – so it is essential that the IPS incorporate new techniques that take advantage of the ability to inspect traffic in-line.
In addition, IPS products should take advantage of their position on the network to implement new detection techniques and offer a variety of intervention methods. IPS products also should provide multiple modes of operation, from monitoring to mitigation, so that an organization can pick and choose as it becomes more confident in the product or changes its network security policies.
For more information on intrusion-prevention systems, visit these resources:
- News & Analysis: Intrusion prevention – IDS' 800-pound gorilla
- Quick Takes: IPS appliance examines, filters network traffic
- Solution Center: Intrusion detection
This was first published in July 2003