What is an Intrusion Prevention System?

Written by Full-Stack Developer

April 22, 2025
A network is considered vulnerable when its weaknesses are exposed and can be exploited by bad actors. There are many reasons why a network becomes vulnerable, such as a lack of security updates or weak authentication.

The question is: if a network is at risk of being exploited, what can be done to prevent attacks and ensure it stays secure?

There are different types of security methods to detect malicious activity and protect networks and systems against it, one of which is called an Intrusion Prevention System (IPS).

Let’s explore what IPS is about.

What is an Intrusion Prevention System?


An Intrusion Prevention System (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a network security appliance or software application that monitors network traffic for malicious activity or policy violations and takes automated action to stop it.

This includes detecting known attack types such as operating system exploits, brute force attacks, buffer overflows, or SQL injection.

In simple terms, an IPS sits inline and watches all traffic passing through it. When a threat is detected, the network manager or Security Operations Centre (SOC) staff are alerted and the necessary action is taken to prevent the intrusion.

IPS uses three detection methods, either solely or in combination, to analyse network traffic. These methods are:

Signature-Based Detection - The IPS compares network traffic against a database of known attack signatures or patterns. If it finds a match, it blocks the threat. This method is effective for attacks that have already been documented, but it may miss unknown attacks.

Anomaly-Based Detection - The IPS builds a baseline of normal network behaviour. If traffic deviates from that baseline in volume or pattern, it is flagged as a potential threat.

Policy-Based Detection - The IPS follows security rules defined by an administrator. If any traffic violates these rules, it is blocked.
How does the Intrusion Prevention System work?


An intrusion prevention system is typically placed behind a firewall; every packet passes through it and is inspected. When it spots a threat, the IT administrator or SOC staff are notified while the IPS blocks the threat.

The system works non-stop and in real time to protect a network against attacks, and it does not require input from SOC personnel or a network manager, because it has been programmed to prevent intrusion with or without human help.

In an inline configuration, we have:

Internet ‒ firewall ‒ IPS ‒ Core Switch

The IPS sits inline between the firewall and the core switch and actively monitors traffic. As traffic passes between the firewall and the core switch, the IPS examines it for potential threats; if one is found, the IPS blocks that traffic immediately.

Being an inline device, one of its limitations is that it can fail occasionally. The failure could be a hardware issue, a software bug, or a power issue. When the IPS fails, it can be configured or engineered to operate in one of two failure modes.

Fail-Open Mode: When there is a system failure, data continues to flow through the connection. No security inspection takes place during this time, but the network keeps running.

Fail-Closed Mode: When the system fails or crashes, data does not flow. The security processes do not operate, and the network connection halts all communication until the IPS is restored.

Having a system that is fail open or fail closed is important when the device is inline and performing active monitoring. The default configuration of IPS is often active monitoring; however, some organizations prefer passive monitoring.

Let's explore what these terms mean:

Active Monitoring: In active monitoring, the IPS is connected inline. Because all traffic depends on it, a threat response or an outage of the IPS itself can lead to network downtime. Another concern is that the IPS might block legitimate traffic (a false positive) due to its aggressive approach to identifying potential threats.

The advantage of active monitoring is that when traffic passes through the network and the IPS, threats can be identified and blocked immediately, preventing them from reaching the core switch.

Key Points

  • The system is connected inline.

  • Data can be blocked in real-time.

  • Intrusion Prevention is active.

Passive Monitoring: In passive monitoring, devices communicate through a switch, which takes a copy of the traffic and sends it to the IPS for analysis. Since the IPS is not inline with the normal communication between the devices and the switch, it cannot cause network downtime. However, because it is not inline, its ability to block traffic is limited.

Passive monitoring requires a method for receiving a copy of network traffic, such as a SPAN (Switched Port Analyzer) port or a physical network TAP inserted into a link without disrupting it. When traffic reaches the switch, it is duplicated: one copy is forwarded to the destination, and the other is sent to the IPS for evaluation.

This way, identifying and alerting on malicious traffic does not interfere with the traffic flow.

Key Points:

  • A copy of the network traffic is examined using a tap or port monitor

  • Data cannot be blocked in real-time

  • Intrusion detection is commonly passive
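To make the three detection methods and the inline/passive distinction concrete, here is a toy engine written for this article (not code from any IPS product) that applies a policy rule, a signature database and an anomaly baseline to constructed packets, and returns DROP when deployed inline or ALERT when deployed passively. The signature patterns, blocked ports and SYN baseline are hypothetical values chosen for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record: source IP, destination port, TCP flags, payload."""
    src: str
    dport: int
    flags: str
    payload: bytes


# Hypothetical signature database: name -> byte pattern seen in known attacks.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.I),
    "shellcode-nop-sled": re.compile(rb"\x90{16,}"),
}
# Hypothetical administrator policy: ports that must never be reached from outside.
BLOCKED_PORTS = {23, 445}


class MiniIPS:
    """Combines policy, signature and anomaly checks in the order shown."""

    def __init__(self, inline: bool, syn_baseline: int):
        self.inline = inline              # inline -> can drop; passive -> alert only
        self.syn_baseline = syn_baseline  # learned 'normal' SYN count per source
        self.syn_seen = Counter()         # SYNs observed per source so far
        self.log = []                     # (action, method, detail, src) records

    def _verdict(self, pkt: Packet, method: str, detail: str) -> str:
        action = "DROP" if self.inline else "ALERT"
        self.log.append((action, method, detail, pkt.src))
        return action

    def inspect(self, pkt: Packet) -> str:
        # Policy-based: a rule violation is blocked regardless of content.
        if pkt.dport in BLOCKED_PORTS:
            return self._verdict(pkt, "policy", f"port {pkt.dport} forbidden")
        # Signature-based: known attack pattern in the payload.
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                return self._verdict(pkt, "signature", name)
        # Anomaly-based: bare SYNs from one source exceed the learned baseline.
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.syn_seen[pkt.src] += 1
            if self.syn_seen[pkt.src] > self.syn_baseline:
                return self._verdict(pkt, "anomaly", "SYN rate above baseline")
        return "PASS"
```

The same engine in passive mode produces identical log entries but can only alert, which is exactly the limitation the passive key points describe.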

Types of Intrusion Prevention System


Types of Intrusion Prevention Systems include:

Network Intrusion Prevention System (NIPS): A NIPS is a security solution designed to detect unauthorized access and malicious activity on a network, and it goes further by taking automated action to stop or mitigate threats in real time. Example - Cisco Firepower

Key Functions:

  • Traffic monitoring

  • Threat prevention

  • Automated responses

Host Intrusion Prevention System (HIPS): A HIPS monitors inbound and outbound traffic on a single device. It is installed on individual endpoints such as servers or laptops and protects them by monitoring log files, system behaviour, and other activity. Example - OSSEC

Key Functions:

  • Detects and prevents attacks against an individual host

  • Blocks unauthorized changes to system files

  • Provides security for a specific device

Network Behavioural Analysis (NBA): NBA detects abnormal traffic patterns without relying on predefined attack signatures. It collaborates with NIPS to provide a more efficient security solution. Example - Cisco Stealthwatch

Key Functions:

  • Identifies behaviour like unauthorized access attempts

  • Detects Zero-day attacks and other unknown threats

  • Uses machine learning and AI to enhance threat detection

Wireless Intrusion Prevention System (WIPS): WIPS monitors Wi-Fi networks and secures them by detecting and preventing unauthorized access points and other malicious activities. Example - Aruba WIPS

Key Functions:

  • Scans Wi-Fi access points

  • Detects man-in-the-middle attacks and rogue clients.

  • Automatically removes unauthorized devices

These solutions can handle different types of attacks, including:

Buffer Overflow: An attacker exploits a flaw in how a program handles a buffer (a temporary storage area in memory) by supplying more data than it can hold. The excess data overflows into adjacent memory, corrupting it or crashing the application.

DDOS Attack: The attacker floods a network with traffic from distributed computers to overwhelm the system causing it to become unavailable for users.

Ping of Death: The attacker uses the ping command to send malformed or oversized packets to crash a system.

Port Scanning: The attacker probes a host's ports to find an open service that can be exploited.

SYN Flood: A large volume of SYN (synchronise) packets is sent as connection requests to overwhelm a firewall or server.

Secure Socket Layer Evasion: The attacker uses secure socket layer (SSL) and transport layer security (TLS) encryption to hide malicious traffic, allowing it to bypass network security undetected.

Examples of Intrusion Prevention System Tools


Common IPS tools include:

Snort

Snort is an open-source network intrusion detection and prevention system. It uses a set of rules that define malicious network activity. Those rules are matched against packets, and matching packets generate alerts for users or are blocked.

Suricata

Suricata is an open-source intrusion detection and intrusion prevention system that protects the network from sophisticated threats. It can inspect multi-gigabit traffic, and its engine is built around a multi-threaded, modern, clean, and scalable code base. It automatically detects protocols such as HTTP on any port and applies protocol-specific detection and logging logic to help find malware.

Cisco IPS

Cisco IPS can detect, flag, and analyze suspicious files and unidentified threats. It enhances security and visibility by sharing data from your network, which helps optimize and improve security measures and threat response.

OSSEC

OSSEC is a free, open-source host-based intrusion detection system that can also be used for intrusion prevention. It is designed to protect servers and endpoints. Its features include real-time log analysis, Windows registry monitoring, policy monitoring, file integrity monitoring, and more.

Palo Alto Networks

Palo Alto Networks uses AI to prevent threats, including zero-day attacks and evasive malware. It offers multiple layers of protection during each phase of an attack, using deep-learning and machine-learning models to detect, block, and stop threats in real time.
Summary


An IPS solution is essential for maintaining a strong security posture, ensuring that network communication remains secure against various forms of attack. It monitors, detects, and prevents malicious activity in network traffic. Organizations can deploy different IPS tools based on their specific security needs.

Frequently Asked Questions

How does Verpex handle DDoS attacks?

Verpex employs measures to mitigate the impact of DDoS attacks, but as your VPS is unmanaged, you're encouraged to implement additional security measures to protect your server further.

Are AI-powered websites more secure against cyber threats like cross-site scripting attacks?

AI-powered tools can significantly enhance the security of websites by automatically detecting and blocking malicious traffic, including defending against specific threats like cross-site scripting attacks.

In what ways are machine learning solutions applied in financial services?

Machine learning solutions in financial services utilise advanced machine learning techniques to perform complex tasks such as predictive maintenance, risk assessment, and fraud detection. By analyzing vast amounts of data points using statistical techniques, these machine learning models identify underlying patterns that help financial institutions make predictive and informed decisions. This not only enhances customer support but also improves overall efficiency and security in the financial sector.

What are session fixation attacks and how can they be prevented?

Session fixation attacks occur when an attacker sets a user's session ID before login, which the web application then accepts as valid. Preventing these attacks involves regenerating session IDs upon user authentication and using secure, random session identifiers.