How Intrusion Prevention Systems (IPS) Work in Firewall

Intrusion prevention and the firewall are part of Network Threat Protection. Network Threat Protection and Memory Exploit Mitigation are part of Network and Host Exploit Mitigation.

Intrusion prevention automatically detects and blocks network attacks. On Windows computers, intrusion prevention also detects and blocks browser attacks on supported browsers. Intrusion prevention is the second layer of defense after the firewall to protect client computers. Intrusion prevention is sometimes called the intrusion prevention system (IPS).

Intrusion prevention intercepts data at the network layer. It uses signatures to scan packets or streams of packets. It scans each packet individually by looking for the patterns that correspond to network attacks or browser attacks. Intrusion prevention detects attacks on operating system components and the application layer.

What Is an Intrusion Prevention System (IPS)?

An Intrusion Prevention System (IPS) is a security solution that protects against unauthorized access and malicious activity at the network level. Unlike an Intrusion Detection System (IDS), which only monitors network traffic, an Intrusion Prevention System also actively protects against intrusions as they take place on the network. The main function of an Intrusion Prevention System is to analyze all inbound and outbound network traffic for suspicious activity and to take appropriate action instantly, so that intruders are prevented from entering the internal network.

An IPS offers proactive detection and prevention of unwanted network traffic by stopping it before it reaches its intended victim. When deployed correctly, an IPS immediately drops detected unwanted or malicious packets that could otherwise cause severe damage to the network and the resources on it. An Intrusion Prevention System is useful against a range of network attacks such as brute force attacks, Denial of Service (DoS) attacks and vulnerability probing. An IPS also protects against protocol exploits.

An Intrusion Prevention System is known as an active security solution because it does not just detect potential security threats on the network; it also takes immediate action against them, in order to stop the current attack and similar ones that intruders may initiate in the future.

Other functions that an Intrusion Prevention System can perform include:

  • Blocking network traffic from the offending source IP addresses
  • Resetting the TCP connection
  • Defragmenting packet streams
  • Correcting Cyclic Redundancy Check (CRC) errors
  • Mitigating TCP sequencing issues
  • Sanitizing unsolicited transport and network layer options

How Does an Intrusion Prevention System Work?

An Intrusion Prevention System is considered a more secure solution than an Intrusion Detection System because of its proactive threat detection and prevention capabilities. An Intrusion Prevention System works in in-line mode: it contains a sensor that sits directly in the path of the actual network traffic and deeply inspects every packet as it passes through. In-line placement allows the sensor to run in prevention mode, performing real-time packet inspection, so any packet identified as suspicious or malicious is dropped immediately.

An Intrusion Prevention System can perform any of the following actions when it detects malicious activity in the network:

  • Terminate the TCP session that an outsider is exploiting for the attack, and block the offending user account or source IP address that is attempting to access the target host, application, or other resource without authorization.
  • As soon as it detects an intrusion event, reconfigure or reprogram the firewall to prevent similar attacks in the future.
  • Replace or remove the malicious content of an attack. When used as a proxy, an IPS regulates incoming requests: it repackages the payloads and strips header information that the incoming requests contain. It can also remove infected attachments from an email before the message is delivered to its recipient on the internal network.

An Intrusion Prevention System uses four types of approach to secure the network from intrusions:

  • Signature-Based — In the signature-based approach, predefined signatures or patterns of well-known network attacks are encoded into the IPS device by its vendor. These predefined patterns are then used to detect an attack by comparing the patterns found in the traffic against the ones stored in the IPS. This method is also referred to as the pattern-matching approach.
  • Anomaly-Based — In the anomaly-based approach, if abnormal behavior or activity is detected on the network, the IPS blocks its access to the target device according to the criteria defined by the administrators. This method is also known as the profile-based approach.
  • Policy-Based — In the policy-based approach, administrators configure security policies in the IPS device according to their network infrastructure and organizational policies. If an activity violates the configured security policies, the IPS raises an alarm to alert the administrators about the malicious activity.
  • Protocol-Analysis-Based — This approach is similar to the signature-based approach. The difference is that protocol analysis performs much deeper packet inspection (decoding the protocol rather than matching raw byte patterns) and is therefore more resilient at detecting security threats than a purely signature-based approach.

Categories of Intrusion Prevention System

  • Host-Based Intrusion Prevention System (HIPS) — A host-based IPS is a software application installed on specific systems such as servers, notebooks or desktops. These host-based agents only protect the operating system and the applications running on the specific hosts on which they are installed. A host-based IPS program either blocks the attack itself, or instructs the operating system or application to stop the activity initiated by the attack.
  • Network-Based Intrusion Prevention System (NIPS) — Network-based IPS appliances are deployed in in-line mode at the network perimeter. In a network-based IPS, all incoming and outgoing network traffic that passes through the appliance is inspected for potential security threats. As soon as the IPS identifies an attack, it blocks or discards the malicious packet to prevent it from reaching the intended target.

A firewall with an integrated network-based IPS feature contains at least two Network Interface Cards (NICs). One is designated as the internal NIC and is connected to the organization's internal network. The other NIC is designated as the external one and is connected to the external link, which in most cases is the Internet.

As traffic is received on either NIC, it is deeply inspected by the detection engine of the integrated NIPS. If the NIPS identifies a malicious packet, it instantly drops that packet and alerts the network security personnel about the event. After detecting a single malicious packet from a source, it then immediately discards all further packets arriving on that particular TCP connection, or blocks the session permanently.
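The following is an added example, not code from the original article or any vendor's product: a minimal in-line sensor in Python that applies the signature-based (pattern-matching) approach described above to each packet and, after the first hit, raises an alert and keeps dropping the rest of that TCP session (optionally the whole source address). The signature patterns, class names and the sample packets are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed, illustrative signatures (not any vendor's rule set): name -> payload pattern.
SIGNATURES = {
    "http-path-traversal": re.compile(rb"\.\./\.\./"),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)  # identifies the TCP session

@dataclass
class InlineIPS:
    """Sensor on the traffic path: every packet is inspected before it is forwarded."""
    block_source: bool = False  # also block the offending source IP, not only its session
    blocked_flows: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> str:
        """Return the verdict for one packet: 'forward' or 'drop'."""
        # A blocked session or source is dropped without re-scanning, even if this packet looks benign.
        if pkt.flow() in self.blocked_flows or pkt.src in self.blocked_sources:
            return "drop"
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                # First hit: alert, drop the packet, and block the rest of the session.
                self.alerts.append((name, pkt.src, pkt.dst, pkt.dport))
                self.blocked_flows.add(pkt.flow())
                if self.block_source:
                    self.blocked_sources.add(pkt.src)
                return "drop"
        return "forward"

def run_demo():
    ips = InlineIPS()
    traffic = [  # constructed sample traffic: two clients talking to one internal web server
        Packet("10.0.0.5", "192.168.1.10", 40001, 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("10.0.0.7", "192.168.1.10", 40002, 80, b"GET /../../secret HTTP/1.1\r\n"),
        Packet("10.0.0.7", "192.168.1.10", 40002, 80, b"Host: intranet\r\n"),  # blocked session
        Packet("10.0.0.5", "192.168.1.10", 40001, 80, b"Host: intranet\r\n"),  # clean session
    ]
    return [ips.inspect(p) for p in traffic], ips.alerts
```

Note that the third packet is dropped purely because its session was already blocked, which is the behaviour the paragraph above describes; a real sensor would additionally reassemble streams so that a pattern split across two packets is still caught.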
