What Is An IPS – An Introductory Guide To Intrusion Prevention Systems

Infographic of a large shield with keyhole at the center superimposed with several binary numbers to represent cybersecurity.
An Intrusion Prevention System (IPS) can detect and prevent DDoS attacks, network reconnaissance, and other cyber attacks.

Not all firms have the time and in-house talent to fend off cyberattacks. For instance, you may not have cybersecurity staff who can analyze logs, identify threats, and perform incident response. If you have such limitations, you can get a security solution to accomplish some of these tasks for you. One solution many businesses employ is an Intrusion Prevention System (IPS). 

In this article, I’ll explain what an IPS is, what it consists of, how it works, what benefits it provides, and more. Let’s start by answering the question: What is an IPS?

What Is an IPS?

An Intrusion Prevention System, or IPS, is a security solution offered as a physical appliance or a software application. Some intrusion prevention systems are part of other security tools like next-generation firewalls (NGFWs). However, you can also get them separately. An IPS’s main purpose is to detect intrusion attempts, log event data, send alerts, and block potential threats.  

When you purchase an IPS solution, you’ll find it has several components. Let’s go over those components one by one. 

Typical IPS Components

Generally, IPS solutions come with multiple components, including management and database servers and a console. Each component performs different functions, which we’ll discuss below.   

IPS Sensor or Agents

An IPS sensor or agent is the part of your IPS you deploy on a network or host. These sensors can monitor network or host activity and carry out intrusion prevention. Sensors are usually associated with tools that monitor wired or wireless networks. Agents, on the other hand, are associated with tools that monitor endpoints or hosts. You may also have to deploy one or more sensors or agents. We’ll talk about deployment later in this article. 

Management Server

An IPS management server is responsible for collecting data from sensors and agents. The management server also can correlate and analyze this data. This analysis enables the IPS to determine, with greater certainty, if a particular event requires preventive action. 

Without proper correlation, an IPS can accidentally impede a perfectly valid process. This will create unnecessary downtime. You’ll find that some IPS solutions have one or more management servers, while others don’t have any at all. 

Database Server

An IPS database server is where you’ll store the event data recorded by your IPS sensors and agents. Depending on how your IPS stores data, you may use an embedded or external database like MySQL Oracle or MS SQL. 

You also can use the logged data for further analysis. For example, your threat analysts can conduct a forensic investigation using those logs in the aftermath of a data breach.  

IPS Console

The IPS console is where you’ll perform administrative or management tasks. Depending on the console’s supported capabilities, you can use it to configure sensors/agents and conduct monitoring and analysis.

The IPS console may help you with intrusion prevention. For instance, you may use it to fine-tune prevention settings. You can also apply software updates using your IPS console. However, this task is only for maintenance purposes

So, how can your IPS detect intrusions? Let’s talk about that.

IPS Detection Methods

IPS detection is usually based on one or more intrusion detection methods. These methods include pattern-based, anomaly-based, and policy-based intrusion detection. You can find more information about these methods in the “What is an IDS?” article. 

Next, I want to show you how an IPS actually works. 

How Does an IPS Work?

An IPS monitors network traffic and then uses intrusion detection methods to detect potential threats. That said, an IPS doesn’t stop at detection. It also automatically blocks perceived threats upon detection. As we discussed earlier, the IPS sensors will be responsible for blocking.  

You must deploy your IPS sensors inline (figure below). Otherwise, it can’t block any threats. Here’s an overview of the processes involved.

  1. Inbound packets originating from the external network arrive at the IPS sensor.
  2. The IPS sensor inspects the packets by applying the IPS detection methods. Alternatively, the IPS sends event data to the management server, which performs the inspection. 
  3. If, after inspection, the IPS detects a threat, it automatically drops the packets in question. It only allows packets it deems safe to pass through. 

Take a look at the diagram below. As you can see, the IPS sensor is facing the external network. You must deploy an IPS sensor this way because it needs to be in the path of incoming traffic to detect and block threats. 

Infographic of a cloud (e.g., internal network) connecting to an IPS that then connects to a switch
An IPS can have an inline connection.

The IPS sensor blocks malicious packets before they reach the internal network behind it. Once you configure the IPS, no intrusion can take place. Yes, the threat may intrude into the zone where the IPS sensor is located, but not the zone behind it. 

In a way, IPS’ auto-blocking feature gives it a significant advantage over an IDS. The diagram above only applies to a network-based IPS (NIPS), which is arguably the most common type of IPS. We’ll talk about other types in detail later. In the meantime, let’s discuss the benefits of using an IPS.

3 Intrusion Prevention System Benefits 

An IPS offers you many of the same benefits as an Intrusion Detection System or IDS. For instance, an IPS lets you detect DDoS attacks and achieve regulatory compliance. That said, because an IPS automatically prevents an intrusion, it comes with a few additional benefits. Let’s talk about 3 of those benefits:

1. Blocks Threats Automatically

Some security solutions, most notably an IDS, only detect and alert you of a potential threat. They can’t prevent that threat from infiltrating your systems. However, detection and alerting aren’t enough. An IPS makes you less susceptible to issues because it automatically blocks perceived threats

2. Reduces Security Staffing Requirements

An IDS can’t be effective if you don’t have security staff who can analyze IDS logs, identify potential threats, and perform incident response. Conversely, IPS can act on its own. This means it can detect and block potential threats automatically. As a result, its staffing requirements aren’t as steep. 

3. Frees up Your Security Team

Assuming you have a dedicated security team, an IPS can free your team members from threat analysis and incident response tasks. That’s because it can do many of the same tasks on its own. Your security team can simply review IPS activity and focus more on other risk mitigation efforts. 

When I was talking about how an IPS works, I only focused on one type of IPS, the network-based IPS. However, IPS come in other types; they differ in deployment and inspection. Let’s talk about that more. 

What Are the Different Types of Intrusion Prevention Systems (IPS)?

IPS mainly comes in 4 types: 

  1. Network-based Intrusion Prevention System (NIPS) 
  2. Wireless Intrusion Prevention System (WIPS) 
  3. Host-based Intrusion Prevention System (HIPS) 
  4. Network Behavior Analysis (NBA) with IPS functionality 

It’s important to distinguish one from the other because they have certain nuances in how they’re deployed and what they inspect. Here’s a brief comparison between the 4 types.

4 Types of Intrusion Prevention Systems

IPS TypeDeploymentWhat It InspectsUse Case
NIPSDeployed inline, along the path of network traffic
Wired network trafficDetect and prevent suspicious activity in your wired network 
Get this IPS first for your wired network
WIPSPlaced in strategic locations in your facility as fixed appliances
Installed on mobile devices (e.g., laptops, phones, or specialized mobile devices)
Built into a wireless
Access Point (AP)
Built into a wireless switch
Wireless network trafficDetect and prevent suspicious activity in your wireless network 
Get WIPS for Bring Your Own Device (BYOD) environments or for any wireless network 
HIPSInstalled on endpoint devices or hosts, like PCs or serversApplication-generated log files, changes to the registry, and system processes Detect suspicious activity at your endpoint devices.
Get this IPS on top of your NIPS to monitor your endpoints and provide additional protection for business-critical hosts 
NBA/IPSDeployed inlineSometimes network packets, but usually network flow information generated by routers and other network devicesMitigate risk for attacks that involve large traffic volumes like DDoS attacks
Check the specific deployment and use cases of the 4 intrusion prevention system types.

Before we end this blog, I’d like to share some IPS tools. I recommend you check them if you’re scouting for an IPS solution for your business.

Top 3 IPS and Security Software

To save you time, I picked 3 tools targeting different market segments. The first is for small and medium-sized businesses, the second is for managed service providers, and the third is for large enterprises. You should probably check out the one that matches your market segment. 

1. KerioControl

KerioControl is a next-generation firewall (NGFW), VPN, and unified threat management (UTM) solution. It also comes with powerful intrusion detection and prevention functionality. I highly recommend this tool for small and medium-sized businesses (SMBs) because of its uncomplicated deployment, installation, and management. 

2. McAfee Network Security Platform

McAfee Network Security Platform is a multitenant-capable IPS solution tailored for managed service providers (MSPs). Each McAfee Network Security Platform appliance can support up to 40 Gbps. This platform lets you give the same services from one solution to multiple tenants. The Network Security Platform is also a good option for MSPs looking to offer on-prem IPS services to SMBs. 

3. Check Point IPS

Check Point IPS is an intrusion prevention system popular in the large enterprise segment. It provides next-generation firewall intrusion prevention capabilities with multi-gigabit speeds. Generally, these features are expensive, so mostly relevant for larger enterprises that can afford them.  

Final Thoughts

To sum up, an intrusion prevention system can be an important part of your cybersecurity strategy. In this article, I showed you how IPS uses its different components to detect and eliminate threats. I also explained the benefits you’ll get after deploying an IPS. For instance, it’ll save you time and reduce your staffing needs.

To get the most out of your IPS, you must choose the right type for your company. You also can select an IPS solution to deploy. This way, you’ll keep your systems safe from all external intrusions.

If you have more questions in mind, feel free to read the FAQ and Resources sections below. 

FAQ

What is the difference between an IDS and an IPS?

An intrusion detection system (IDS) detects intrusions, logs events, and then sends alerts. On the other hand, an intrusion prevention system (IPS) can detect an intrusion attempt and prevent it from succeeding. For more information, check out this IDS vs IPS article. 

What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is an attack that slows or even shuts down your network. To do this, the attackers overwhelm your network’s resources. This means your users can’t access services anymore. However, many IPS solutions can identify a DDoS attack and block its traffic. 

Is it possible to outsource IPS management and monitoring?

Yes, if you don’t have anyone in your firm to perform these tasks, you can outsource IPS management and monitoring. For instance, you can hire an outsourced security operations center (SOC). SOC staff can manage your IPS tool, and they’ll monitor and analyze log data and alerts for you.    

Will an IPS slow down network traffic?

Yes, it does, just like most security solutions deployed inline. An IPS performs deep-packet inspection, similar to a Next-Generation Firewall (NGFW). As a result, it introduces latency. This will slow down network traffic to some degree. 

Where would you position an IPS relative to a firewall?

Generally, you would position an IPS behind a non-next generation firewall (NGFW) type of firewall. This means inbound traffic must hit the firewall first. As a result, you’ll block most undesirable traffic at the firewall. In turn, your IPS will have fewer packets to inspect. This will also lessen your IPS’ negative impact on network performance.  

Resources

TechGenix: Article on WAN Optimization

Discover WAN optimization for SMBs in this introductory guide.

TechGenix: Article on Session Initiation Protocol (SIP)

Delve into the various elements, features, and processes of the SIP protocol.

TechGenix: Article on IPsec

Acquire a deeper understanding of IPsec.

TechGenix: Article on Remote Network Access

Get acquainted with remote network access in this definitive guide.

TechGenix: Guide on Choosing a Small Business Firewall

Master the art of choosing a small business firewall.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top