In addition to firewalls, which provide a hardware-level fence around an organization's enterprise network, it is becoming increasingly clear that a strong Intrusion Prevention System (IPS) is also necessary. An IPS is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service, which attackers use to interrupt and gain control of an application or machine. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially gain all the rights and permissions available to the compromised application.
The IPS often sits directly behind the firewall and provides a complementary layer of analysis that screens out dangerous content. The IPS is placed inline (in the direct communication path between source and destination), actively analyzing all traffic flows that enter the network and taking automated actions on them. Specifically, these actions include:
- Sending an alarm to the administrator
- Dropping the malicious packets
- Blocking traffic from the source address
- Resetting the connection
As an inline security component, the IPS must work efficiently to avoid degrading network performance. It must also work quickly, because an exploit can unfold in near real time.
The IPS must also detect and respond accurately, stopping real threats while avoiding false positives (legitimate packets misread as threats).
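To make the inline decision model concrete, the following is an added example (not code from the original article or from any IPS product) of a minimal signature-based inline inspector. It applies the four response actions listed above: an alarm only, dropping the matching packet, blocking every later packet from the source address, and resetting the connection. The signatures, the packet structure, the flow identifiers and the sample traffic are all constructed for the example; the `EXPLOIT-MARKER` string is a hypothetical placeholder, not a real exploit pattern.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed packet model: addresses, a flow id, and the application payload."""
    src: str
    dst: str
    flow_id: str
    payload: bytes


@dataclass
class Signature:
    """A detection rule: name, precompiled pattern (inline speed), and the response action."""
    name: str
    pattern: re.Pattern
    action: str  # one of: "alert", "drop", "block_source", "reset"


# Constructed example signatures; these are illustrations, not vendor rules.
SIGNATURES = [
    Signature("path-traversal", re.compile(rb"\.\./\.\./"), "drop"),
    Signature("oversized-header", re.compile(rb"^[A-Za-z-]+: .{2048,}", re.M), "reset"),
    Signature("hypothetical-exploit-marker", re.compile(rb"EXPLOIT-MARKER"), "block_source"),
    Signature("suspicious-user-agent", re.compile(rb"User-Agent: scanner-demo"), "alert"),
]


@dataclass
class InlineIPS:
    signatures: list
    blocked_sources: set = field(default_factory=set)   # sources under a "block" action
    alerts: list = field(default_factory=list)          # (signature, src, flow) alarms raised
    resets: list = field(default_factory=list)          # flows that received a connection reset

    def inspect(self, pkt: Packet) -> str:
        """Return "forward" or "drop" for one packet, updating state as the actions require."""
        # Blocking by source address: everything from a blocked host is dropped, benign or not.
        if pkt.src in self.blocked_sources:
            return "drop"
        for sig in self.signatures:
            if sig.pattern.search(pkt.payload):
                # Every match raises an alarm for the administrator, whatever else happens.
                self.alerts.append((sig.name, pkt.src, pkt.flow_id))
                if sig.action == "alert":
                    return "forward"            # alarm only; traffic still passes
                if sig.action == "drop":
                    return "drop"               # discard just this packet
                if sig.action == "block_source":
                    self.blocked_sources.add(pkt.src)
                    return "drop"               # discard and block future traffic from src
                if sig.action == "reset":
                    self.resets.append(pkt.flow_id)
                    return "drop"               # tear down the connection, discard packet
        return "forward"                        # no signature matched: legitimate traffic


def run_demo():
    """Push constructed sample traffic through the IPS and return the per-packet verdicts."""
    ips = InlineIPS(SIGNATURES)
    sample_traffic = [
        Packet("10.0.0.5", "10.0.1.10", "flow-1", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
        Packet("10.0.0.6", "10.0.1.10", "flow-2", b"GET /static/../../config HTTP/1.1\r\n"),
        Packet("10.0.0.7", "10.0.1.10", "flow-3", b"GET / HTTP/1.1\r\nUser-Agent: scanner-demo\r\n"),
        Packet("10.0.0.8", "10.0.1.10", "flow-4", b"GET / HTTP/1.1\r\nHost: " + b"A" * 3000 + b"\r\n"),
        Packet("10.0.0.9", "10.0.1.10", "flow-5", b"POST /upload HTTP/1.1\r\n\r\nEXPLOIT-MARKER"),
        Packet("10.0.0.9", "10.0.1.10", "flow-6", b"GET /index.html HTTP/1.1\r\n"),  # now blocked
    ]
    verdicts = [ips.inspect(p) for p in sample_traffic]
    return verdicts, ips


if __name__ == "__main__":
    verdicts, ips = run_demo()
    for v, a in zip(verdicts, ips.alerts + [None] * (len(verdicts) - len(ips.alerts))):
        print(v, a)
    print("blocked:", ips.blocked_sources, "resets:", ips.resets)
```

The `alert` action is what operators use to observe a new signature on live traffic before enforcing it, which is one practical way to keep the false-positive rate down: a rule that fires on legitimate packets is visible in the alarm log without having dropped anything. The patterns are compiled once at load time rather than per packet, reflecting the performance constraint on an inline component.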