What is an Intrusion Prevention System (IPS)? Why Every Network Needs a Firewall Failsafe.
Thankfully, most companies now understand that if you want to use the internet safely, you need a few things in your toolkit: a powerful, modern firewall; enterprise-grade antivirus coverage; and a smart team to pre-empt potential IT security problems. These three factors are widely accepted as “must haves”.
However, there is another factor that often gets overlooked…
A feature that can detect incoming hacking attempts, malware, and other more dynamic, evasive threats…
A system that should sit behind any enterprise-level firewall…
In this article, we’ll answer the question, “What is an Intrusion Prevention System?”, commonly known as an IPS.
Intrusion Prevention Systems (IPS)
An IPS or Intrusion Prevention System is a software module that actively inspects incoming and internal network traffic for potential threats like hacking attempts and malicious code.
If it detects in real time that a particular traffic flow is potentially dangerous, then those data packets are blocked or dropped – either way, they’re denied entry.
An Intrusion Prevention System sits as an extra vital layer of protection for your users.
What Threats Do IPSs Protect Against?
The exact threats that an IPS can detect and prevent will naturally differ between specific solutions, but on the whole, IPSs are built to prevent malicious activity such as:
- Hacking Attempts: Hackers can try to make their way into a network for all kinds of nefarious ends – be it to steal data, carry out corporate espionage, perform reconnaissance for a future attack, spread malware, the list goes on!
- Denial of Service (DoS) Attacks: In this kind of attack, the hacker floods a server or system with access requests. The swamped system becomes sluggish, unusable, and unstable. If the asset they target is particularly business-critical, then the business itself will likely slow to a crawl too.
- Malware & Exploits: IPSs also scan traffic for known malware threats, monitor the network for known nefarious traffic patterns, and uphold pre-existing security policies.
- Data Theft & Breaches: Many high-end Intrusion Prevention Systems can actively block data from leaking from a single device en masse. Some even include DLP (data loss protection) capabilities that can identify that sensitive data is in transit and stop it from leaving the network.
How do IPSs Work?
Intrusion Prevention Systems operate by employing three methods of detection:
- Signature-Based Detection: The IPS refers to global databases of known network and IT security threats to identify malicious packets and traffic patterns moving into or around the network. It can then step in and stop known threats from moving further.
- Anomaly-Based Detection: This is essential for identifying newer threats, or those that behave more dynamically, as they’re less likely to appear in a signature database. To achieve this, the IPS continually observes the network and establishes what “normal” behaviour patterns and traffic flows look like. When the Intrusion Prevention System observes potentially threatening activity that goes against the norm, it steps in and takes remedial action.
- Policy-Based Detection: This is when a network’s technicians set custom rules for network behaviour and security policies. If a particular threat comes up time and time again, it may be worth setting it as a manual policy rule within the IPS.
Many modern IPSs and firewalls utilise some level of DPI (Deep Packet Inspection) to “unpack” data packets as they come in to make sure nothing dangerous is lurking within.
What’s the difference between an IPS and an Intrusion Detection System (IDS)?
You may have heard about a similar kind of system called an IDS or an Intrusion Detection System. The two systems are very similar, but IPS is a newer, more proactive concept.
Both IDS and IPS can sit within the firewall and inspect traffic as it comes in, and nowadays both usually monitor outgoing traffic too.
However, the difference lies in what they do once a threat is detected – and there’s a clue in their names.
Intrusion Detection Systems merely detect these threats and alert a technician to intervene. Intrusion Prevention Systems, however, actively and independently stop potentially dangerous traffic from travelling into/around your network rather than merely shouting for help!
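The three detection methods above (signature, anomaly and policy-based) and the IDS/IPS distinction (alert only versus alert and drop) can be seen side by side in a small inline inspection engine. The code below is an added example written for this article; it is not the article's own code and does not reflect any vendor's product. The signatures, policy rules, rate baseline, addresses and sample packets are all constructed for illustration, and the "anomaly" check is deliberately simplified to a per-source packet count against a fixed baseline rather than a learned traffic model.

```python
"""Toy inline inspection engine: signature, policy and anomaly checks,
running either as an IDS (log only) or an IPS (log and drop).
Added example; all values below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


# Signature-based: constructed byte patterns standing in for a vendor signature feed.
SIGNATURES = {
    "SIG-001 shell metacharacters in query string": b"?cmd=;",
    "SIG-002 directory traversal": b"../../",
}

# Policy-based: rules an operator wrote for this network (hypothetical values).
POLICY = [
    {"name": "block telnet anywhere", "dport": 23},
    {"name": "guest VLAN must not reach finance DB", "src_prefix": "10.99.", "dst": "10.1.5.20"},
]


@dataclass
class Engine:
    mode: str                        # "ids" = alert only, "ips" = alert and drop
    baseline_per_src: int = 20       # anomaly: packets per source per window (constructed baseline)
    seen: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)

    def _signature_hit(self, pkt):
        return next((name for name, pat in SIGNATURES.items() if pat in pkt.payload), None)

    def _policy_hit(self, pkt):
        for rule in POLICY:
            if "dport" in rule and pkt.dport != rule["dport"]:
                continue
            if "src_prefix" in rule and not pkt.src.startswith(rule["src_prefix"]):
                continue
            if "dst" in rule and pkt.dst != rule["dst"]:
                continue
            return rule["name"]
        return None

    def _anomaly_hit(self, pkt):
        # Simplified "what is normal": a flat per-source packet budget per window.
        self.seen[pkt.src] += 1
        if self.seen[pkt.src] > self.baseline_per_src:
            return f"rate from {pkt.src} exceeds baseline ({self.baseline_per_src}/window)"
        return None

    def inspect(self, pkt):
        """Return 'pass' or 'drop'. In IDS mode a finding is logged but the packet still passes."""
        for method, check in (("signature", self._signature_hit),
                              ("policy", self._policy_hit),
                              ("anomaly", self._anomaly_hit)):
            reason = check(pkt)
            if reason:
                self.alerts.append((method, reason, pkt.src, pkt.dst))
                return "drop" if self.mode == "ips" else "pass"
        return "pass"


def demo(mode):
    """Run constructed sample traffic through the engine; return (verdicts, alerts)."""
    eng = Engine(mode=mode)
    verdicts = []
    verdicts.append(eng.inspect(Packet("10.0.0.5", "10.1.5.20", 443, "tcp", b"GET /index.html")))
    verdicts.append(eng.inspect(Packet("203.0.113.9", "10.1.2.3", 80, "tcp", b"GET /../../etc/passwd")))
    verdicts.append(eng.inspect(Packet("10.0.0.7", "10.1.2.3", 23, "tcp")))
    for _ in range(25):                       # 25 benign packets from one source, 5 over the baseline
        verdicts.append(eng.inspect(Packet("198.51.100.4", "10.1.2.3", 443, "tcp")))
    return verdicts, eng.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        verdicts, alerts = demo(mode)
        print(mode, "dropped:", verdicts.count("drop"), "alerts:", len(alerts))
```

Run in "ids" mode every packet passes and seven alerts are raised; in "ips" mode the same seven findings become seven dropped packets. That is the whole difference the article describes: the detection logic is identical, only the action differs.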
What is a Wireless Intrusion Prevention System (WIPS)?
The growing reliance on wireless networking brings with it its own benefits – and its own ways for hackers to interfere.
Wireless Intrusion Prevention Systems continuously monitor the Wi-Fi radio frequencies within your network’s range for unauthorised activity. WIPS can detect “evil twin” access points pretending to be your network, unknown access points operating within range, and can block your team’s access to neighbouring Wi-Fi networks that may pose a threat.
WIPS functionality is usually administered through WIPS-enabled Wi-Fi access points that both provide wireless coverage and scan the airwaves for hidden dangers.
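The three WIPS cases above (an evil twin advertising your SSID from a radio you do not own, an unknown access point in range, and a neighbouring network that staff should not join) reduce to comparing what is heard over the air against an inventory of authorised radios. The code below is an added example, not from the article or any WIPS vendor. The authorised inventory, the blocked-neighbour list and the scan results are constructed, and the look-alike SSID handling (folding case and surrounding whitespace) is an assumption made for this example rather than a description of how any product does it.

```python
"""Classify observed access points against an authorised inventory.
Added example; inventory, BSSIDs and scan results are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str        # radio MAC the AP advertises over the air
    channel: int
    rssi_dbm: int     # received signal strength; higher (less negative) = closer


# Constructed inventory: each corporate SSID and the radios allowed to advertise it.
AUTHORISED = {
    "CorpWiFi": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "CorpGuest": {"00:11:22:aa:bb:03"},
}
# Neighbouring SSIDs the operator has decided clients must not associate with (constructed).
BLOCKED_NEIGHBOURS = {"CoffeeShop-Free"}


def _norm(ssid):
    # Assumption for this example: case and surrounding whitespace are the only
    # look-alike tricks folded here; real products apply broader matching.
    return ssid.strip().casefold()


def classify(ap, authorised=AUTHORISED, blocked=BLOCKED_NEIGHBOURS):
    """Return (category, action) for one observed AP."""
    by_norm = {_norm(s): s for s in authorised}
    key = _norm(ap.ssid)
    if key in by_norm:
        canonical = by_norm[key]
        if ap.ssid == canonical and ap.bssid in authorised[canonical]:
            return ("authorised", "allow")
        # Our SSID (or a look-alike) from a radio we do not own.
        return ("evil-twin", "alert")
    if ap.ssid in blocked:
        return ("blocked-neighbour", "deny-client-association")
    return ("unknown-neighbour", "log")


def triage(scan):
    """Group a scan by category; evil twins are ordered strongest-signal first,
    since the strongest is the one most likely to be inside the building."""
    findings = {}
    for ap in scan:
        cat, action = classify(ap)
        findings.setdefault(cat, []).append((ap, action))
    if "evil-twin" in findings:
        findings["evil-twin"].sort(key=lambda item: item[0].rssi_dbm, reverse=True)
    return findings


SAMPLE_SCAN = [  # constructed scan results
    ObservedAP("CorpWiFi", "00:11:22:aa:bb:01", 36, -48),
    ObservedAP("CorpWiFi", "de:ad:be:ef:00:01", 6, -35),      # our SSID, unknown radio, very strong
    ObservedAP("CorpWiFi", "de:ad:be:ef:00:02", 11, -72),     # our SSID, unknown radio, weaker
    ObservedAP("corpwifi ", "de:ad:be:ef:00:03", 1, -66),     # look-alike SSID
    ObservedAP("CoffeeShop-Free", "66:77:88:99:aa:bb", 1, -60),
    ObservedAP("Flat-4B", "12:34:56:78:9a:bc", 44, -80),
]


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_SCAN).items():
        for ap, action in items:
            print(f"{cat:18} {ap.ssid!r:20} {ap.bssid} ch{ap.channel:<3} {ap.rssi_dbm} dBm -> {action}")
```

The inventory is the crux: a WIPS can only call something an evil twin if it knows which radios are genuinely yours, so keeping the BSSID list current when access points are replaced is part of running one.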
If you use both wired and wireless networking, we’d advise investing in both an IPS and a WIPS as they defend against very different security issues.
Related Reading: 7 Enterprise Wi-Fi Risks You Need to Know About Today
So a Firewall Alone Isn’t Enough?
Alas, not really.
Though firewalls are essential for any enterprise-level network, their functionality is often a little robotic – especially if the device is older.
Firewalls can inspect and filter based on numerous factors about incoming data packets – ports, protocols, packet headers, the packet’s source, its intended destination, and so on.
Though these checks are important, this limited remit often leaves firewalls unable to detect the more dynamic threats that make up a malware exploit or hacking attempt.
In these cases, protocols, packet headers, destinations, etc. may appear totally safe as far as the firewall’s rules are concerned, but could actually pack a hidden punch.
Additionally, firewalls are only concerned with incoming and outgoing traffic, whereas many Intrusion Prevention Systems can identify issues as they travel around the network too.
Some older firewalls also offer only limited oversight of web applications, which can result in exploits creeping in unnoticed.
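The two limits described above, a firewall deciding on headers alone and a firewall seeing only traffic that crosses the perimeter, can be made concrete with a small comparison. The code below is an added example, not from the article and not any vendor's firewall or IPS logic. The internal address range, the ACL, the sample flows and the "known-bad" payload marker are all constructed; the marker is a stand-in for whatever content signature an IPS would actually carry.

```python
"""Header-only perimeter filtering versus in-line payload inspection.
Added example; networks, rules, flows and the payload marker are constructed."""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed "inside" range


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


# Perimeter ACL: top-down, first match wins, implicit deny (constructed rules).
# Fields: action, source network, destination network, protocol, destination port.
ACL = [
    ("allow", "0.0.0.0/0", "10.1.2.0/24", "tcp", 80),    # public web front end
    ("allow", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),    # staff browsing out
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None, None),
]


def crosses_perimeter(flow):
    """A perimeter firewall only ever sees flows with one end inside and one end outside."""
    src_in = ipaddress.ip_address(flow.src) in INTERNAL
    dst_in = ipaddress.ip_address(flow.dst) in INTERNAL
    return src_in != dst_in


def firewall_verdict(flow):
    """Decide on headers alone (source, destination, protocol, port).
    Returns 'unseen' for flows that never reach the perimeter device."""
    if not crosses_perimeter(flow):
        return "unseen"
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for action, src_net, dst_net, proto, dport in ACL:
        if src not in ipaddress.ip_network(src_net) or dst not in ipaddress.ip_network(dst_net):
            continue
        if proto is not None and proto != flow.proto:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


PAYLOAD_MARKERS = [b"EXAMPLE-KNOWN-BAD"]   # constructed stand-in for IPS content signatures


def ips_verdict(flow):
    """An in-line IPS sees every flow on the segments it is deployed across,
    internal-to-internal included, and looks past the headers into the payload."""
    return "drop" if any(m in flow.payload for m in PAYLOAD_MARKERS) else "allow"


SAMPLE_FLOWS = {   # constructed
    "inbound web request, bad content":
        Flow("203.0.113.7", "10.1.2.10", "tcp", 80, b"GET /?q=EXAMPLE-KNOWN-BAD HTTP/1.1"),
    "inbound telnet":
        Flow("203.0.113.7", "10.1.2.10", "tcp", 23),
    "workstation to file server, bad content":
        Flow("10.5.5.5", "10.1.9.9", "tcp", 445, b"EXAMPLE-KNOWN-BAD"),
    "ordinary outbound browsing":
        Flow("10.5.5.5", "198.51.100.3", "tcp", 443),
}


def compare(flows=SAMPLE_FLOWS):
    """Map each flow name to (firewall verdict, IPS verdict)."""
    return {name: (firewall_verdict(f), ips_verdict(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (fw, ips) in compare().items():
        print(f"{name:42} firewall={fw:6} ips={ips}")
```

The inbound web request is allowed by the firewall because every header field matches a permitted rule, yet the IPS drops it on content; the workstation-to-file-server flow never crosses the perimeter, so the firewall returns "unseen" while an IPS on that segment still inspects it. The telnet flow shows the firewall doing its proper job on headers alone.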
Want Your Own IPS?
If you’re not currently using an IPS, or you’d like to upgrade from an IDS, Just Firewalls supply two systems that might suit: one from WatchGuard and one from SonicWall.
WatchGuard: Intrusion Prevention as Standard
WatchGuard’s IPS functionality comes as standard within any of their WatchGuard Firebox hardware.
Through their easy-to-use management console, you can define the level of scanning you require (a basic check or a deep packet inspection scan), as well as what you’d like the IPS tool to do with malicious traffic in different circumstances.
The tool looks for signature updates every hour and applies these updates automatically.
IPS is included as a part of WatchGuard’s security services which also include content filtering, spam prevention, application control, and a gateway antivirus as standard.
SonicWall: IPS via AGSS
SonicWall has a similar security suite called Advanced Gateway Security Suite (AGSS), which includes a gateway antivirus and intrusion prevention system. This is available as a 1-5 year licence with our SonicWall firewalls.
SonicWall uses deep learning to analyse inputs from over a million security sensors worldwide, uncovering new threats and deploying definition updates in mere minutes.
AGSS also uses high-tech reassembly-free deep packet inspection; features robust application and content controls; and includes Capture ATP – SonicWall’s excellent sandboxing service.
Both have their pros and cons, so why not let the experts pick for you?
Get in touch with the team here at Just Firewalls and claim your FREE network security health check.
We’ll discuss your existing network solutions (and any cybersecurity worries you might have) and make suggestions as to how to improve your existing setup – all for free and with no obligation to buy a thing!
Call the team on 0808 1644414 today or fill in a few basics here to request a call back.