

Double Your System Security

Intrusion prevention analyzes packets inside the firewall – and blocks malware and problems that other security products miss.

Brian Robinson

Intrusion prevention has been around almost as long as its close cousin intrusion detection, but it’s only recently that it’s gotten any respect. That was after the Slammer and Blaster worms of 2003 flattened tens of thousands of systems around the world through denial-of-service attacks, and once people realized that firewalls and even intrusion detection systems (IDS) weren’t enough to stop increasingly sophisticated malware.

Fast-moving attacks like Slammer and Blaster spread too quickly for that approach. By the time they are noticed, and alerts and signatures have been sent out, they have already done their damage.


Malware that gets inside the firewall, either disguised as legitimate traffic or embedded in an otherwise innocuous-looking data packet, is also difficult to pick up with conventional security tools.

What companies need is something that can analyze packets once they are inside the firewall and drop or block the problem ones before they can do any damage, or protect the organization’s servers and computers if the bad stuff gets that far.

Enter IPS. Though it's often confused with IDS, the two are different animals. An IDS sits to the side of the packet stream and passively monitors it, or monitors event and system logs on a server, and sends out an alert about any suspicious data or activity it sees.

Doing something about it, however, requires that alert to be picked up quickly and acted on. Often, the dangerous data has gone through and affected systems before it can be tackled and all that’s left is to clear up the mess and try to make sure the same thing doesn’t happen again. An IPS, on the other hand, is proactive and can actively block suspicious data.

Network vs. Hosted IPS

There are two kinds of IPS: network-based and host-based.

A network IPS, or NIPS, sits inline on the network, usually as an appliance. In the most common detection method, the IPS examines each data packet as it passes through the device, comparing it to a list of signatures of known threats and vulnerabilities.

Unlike other blocking devices such as a firewall, however, an IPS can look deep into a packet to detect any hidden problems.

Another method used in a NIPS is rate-based detection, where the IPS tracks the rate at which connections come into Web servers. It’s particularly useful in stopping denial-of-service attacks, which often try to overwhelm the servers with a massive volume of requests.

The other common detection method is protocol analysis, where the IPS looks for deviations in the behavior of the network itself. That may not be much use in stopping the initial attack, but it can quickly tell when an affected system is being used to attack others and help throttle the problem traffic.
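To make the three NIPS detection methods concrete, here is an added example (not code from the original article) of a toy inline packet inspector that applies signature matching, rate-based connection limiting and protocol analysis in the order a real appliance might. The signature patterns, thresholds, port numbers and sample packets are all constructed for illustration, and the `encrypted` flag on a packet stands in for a TLS payload the device cannot read, which is the limitation the article raises later in its buying advice.

```python
"""Toy inline network IPS (NIPS): signature, rate-based and protocol checks.

Added example, not the article's or any vendor's code.  Signatures, limits
and traffic are constructed placeholders, not real exploit payloads.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed byte patterns standing in for a real signature database.
SIGNATURES = {
    "SIG-EXAMPLE-001 overlong field": b"A" * 32,
    "SIG-EXAMPLE-002 shell path in request": b"/bin/sh",
}

RATE_LIMIT = 5        # max new connections per source inside the window
RATE_WINDOW = 1.0     # seconds
ALLOWED_HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


@dataclass
class Packet:
    src: str
    dst_port: int
    ts: float
    payload: bytes
    syn: bool = False          # marks a new connection (TCP SYN)
    encrypted: bool = False    # TLS payload: opaque to content inspection


class InlineIPS:
    def __init__(self):
        self._conn_times = defaultdict(deque)   # per-source SYN timestamps

    def _signature_check(self, pkt):
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                return f"signature:{name}"
        return None

    def _rate_check(self, pkt):
        if not pkt.syn:
            return None
        q = self._conn_times[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > RATE_WINDOW:   # expire old entries
            q.popleft()
        if len(q) > RATE_LIMIT:
            return f"rate:{pkt.src} exceeded {RATE_LIMIT} connections per {RATE_WINDOW}s"
        return None

    def _protocol_check(self, pkt):
        # Protocol analysis for port 80: request line must look like
        # METHOD SP target SP HTTP/x.y, anything else is a deviation.
        if pkt.dst_port != 80 or not pkt.payload:
            return None
        first_line = pkt.payload.split(b"\r\n", 1)[0]
        parts = first_line.split(b" ")
        if (len(parts) != 3 or parts[0] not in ALLOWED_HTTP_METHODS
                or not parts[2].startswith(b"HTTP/")):
            return "protocol:malformed HTTP request line"
        return None

    def inspect(self, pkt):
        """Return ("forward", None) or ("drop", reason)."""
        reason = self._rate_check(pkt)
        # Content checks only apply to plaintext; encrypted payloads pass
        # through unread, which is why a HIPS is still needed behind a NIPS.
        if reason is None and not pkt.encrypted:
            reason = self._signature_check(pkt) or self._protocol_check(pkt)
        return ("drop", reason) if reason else ("forward", None)


def run_sample():
    """Push constructed traffic through the IPS; returns [(label, verdict, reason)]."""
    ips = InlineIPS()
    traffic = [
        ("benign GET", Packet("10.0.0.5", 80, 0.0,
                              b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")),
        ("signature hit", Packet("10.0.0.5", 80, 0.1,
                                 b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1\r\nHost: www.example.test\r\n\r\n")),
        ("protocol anomaly", Packet("10.0.0.6", 80, 0.2, b"\x00\x01\x02NOTHTTP\r\n")),
        ("encrypted, opaque", Packet("10.0.0.7", 443, 0.3, b"\x16\x03\x03.../bin/sh...", encrypted=True)),
    ]
    # Six connection attempts from one source within 0.3 s: the sixth trips the limit.
    traffic += [(f"syn {i}", Packet("10.0.0.9", 80, 0.05 * i, b"", syn=True)) for i in range(1, 7)]
    return [(label, *ips.inspect(pkt)) for label, pkt in traffic]


if __name__ == "__main__":
    for label, verdict, reason in run_sample():
        print(f"{label:18} {verdict:8} {reason or ''}")
```

The order of checks matters in practice: the rate check is cheap and stateful, so it runs on every packet, while content inspection is skipped entirely for encrypted payloads, which is exactly the gap the article's later section on choosing a NIPS warns about.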

A host-based IPS, or HIPS, is a software agent that resides on servers and workstations, watching what applications do and what calls they make to the operating system in order to detect any anomalous behavior that deviates from a set of prescribed rules and policies.

This isn't proactive in the sense that a NIPS is, since it cannot interfere with data packets, but it can be set to apply actions defined by an administrator, such as stopping an application from executing certain code when what's driving it is malware.

That capability protects an enterprise well against zero-day attacks, for example, which exploit vulnerabilities in operating systems or applications before patches can be applied or the vulnerabilities are even widely known. It will also protect against insider attacks that other security systems would have trouble detecting.
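The HIPS behavior described in the last three paragraphs, as an added example that is not code from the article or any product: a small policy engine that takes the events an agent would see from its operating-system hooks (which program made which call against which target) and decides from administrator-defined rules whether to allow or block. The policy, rule names and event stream are constructed; the point is that the web server being stopped from spawning a child program is blocked on behavior alone, without any signature for the vulnerability that led to it.

```python
"""Toy host-based IPS (HIPS) policy engine.

Added example, not the article's or any vendor's code.  The policy and the
event stream are constructed for a hypothetical web server host.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    process: str     # program that made the call
    operation: str   # "exec", "write", "connect", ...
    target: str      # file path, child program, or host:port


@dataclass(frozen=True)
class Rule:
    process: str     # glob matched against Event.process
    operation: str   # exact operation name, or "*" for any
    target: str      # glob matched against Event.target
    action: str      # "allow" or "block"
    name: str        # administrator's description, surfaced in alerts


# Constructed policy. Rules are evaluated in order and the first match
# decides; anything unmatched falls through to DEFAULT_ACTION.
POLICY = [
    Rule("httpd", "write", "/var/www/uploads/*", "allow", "httpd may store uploads"),
    Rule("httpd", "write", "*", "block", "httpd must not write outside uploads"),
    Rule("httpd", "exec", "*", "block", "httpd must not spawn child programs"),
    Rule("*", "write", "/etc/*", "block", "no service may modify system config"),
    Rule("*", "connect", "*:25", "block", "no outbound SMTP from this host"),
]
DEFAULT_ACTION = "allow"   # a behavior-based HIPS allows and watches by default


def _matches(rule, ev):
    return (fnmatch(ev.process, rule.process)
            and rule.operation in ("*", ev.operation)
            and fnmatch(ev.target, rule.target))


def evaluate(ev, policy=POLICY):
    """Return (action, rule_name); rule_name is None when the default applied."""
    for rule in policy:
        if _matches(rule, ev):
            return rule.action, rule.name
    return DEFAULT_ACTION, None


def enforce(events, policy=POLICY):
    """Apply the policy to an event stream, returning (event, action, rule_name) triples."""
    return [(ev, *evaluate(ev, policy)) for ev in events]


# Constructed event stream, as an agent would receive it from its OS hooks.
SAMPLE_EVENTS = [
    Event("httpd", "write", "/var/www/uploads/photo.jpg"),   # normal upload
    Event("httpd", "write", "/etc/crontab"),                 # web server touching config
    Event("httpd", "exec", "/bin/sh"),                       # web server spawning a shell
    Event("backup", "exec", "/usr/bin/tar"),                 # ordinary maintenance job
    Event("mailer", "connect", "10.0.0.25:25"),              # outbound SMTP, disallowed here
]


if __name__ == "__main__":
    for ev, action, rule_name in enforce(SAMPLE_EVENTS):
        print(f"{action:5} {ev.process:7} {ev.operation:8} {ev.target:28} {rule_name or '(default)'}")
```

Because the decision depends only on which program did what, the same rule stops the `httpd` shell spawn whether it was caused by a known bug, a zero-day, or a user with legitimate access, which is the property the article credits HIPS with. The cost side is also visible: every protected host needs its own agent, hooks and policy.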

What to Ask

Choosing an IPS depends on various factors, and on knowing what it will and won't do. A NIPS device plugs into the network and doesn't need much looking after; it won't add to server overhead since it contains its own processor, and it is independent of any operating system. It won't be able to inspect encrypted traffic, however.

As an inline device it’s part of the network fabric, so its packet processing rates should meet the rated speed of the device under real-life network conditions, with all signatures enabled. Latency of the device should be as close as possible to that of network switches.

A HIPS adds to server overhead and, given that an agent needs to reside on each protected server or computer, it could turn out to be expensive to both deploy and maintain.

On the other hand, it’s the only thing that will provide active protection of mission-critical assets such as Web servers and databases, and it will catch attacks missed by the NIPS. It will also detect attacks in encrypted traffic.


The way IPS is used in enterprise protection is starting to change. An IPS has often been used as a standalone device in conjunction with a firewall as part of a layered network strategy, for example. Next Generation Firewall technology takes that to its logical conclusion by merging deep packet inspection with an intrusion prevention engine in a single package, along with other things such as antivirus protection.

Analysts such as Gartner Research expect the IPS market to start skewing towards its use in these Next Generation Firewalls as early as 2008, and many vendors are already starting to produce firewalls with these capabilities.

Another recent trend has been to include intrusion prevention as an integral part of network access control (NAC) solutions, by linking device and enterprise user policies to an IPS so that traffic from unauthenticated users or non-compliant devices can be blocked.

