Intrusion Prevention System (IPS)
An intrusion prevention system (IPS) is a security appliance or software that combines detection capabilities with functions that can actively block attacks.
- provides an active response to any network threat that it matches
- preventative measures:
  - end the session by sending a TCP reset packet to the attacking host
  - apply a temporary/permanent filter on the firewall to block the attacker’s IP address
    - called shunning
- advanced measures:
  - throttling bandwidth to attacking hosts
  - applying complex firewall filters
  - modifying suspect packets to render them harmless
  - redirecting traffic to a honeypot or honeynet
  - may be able to run a script or third-party program
    - to perform some other action not supported by the IPS software itself
- commonly built into firewall appliances and proxy servers
- an IPS-enabled firewall is inline with the network
  - means all traffic passes through it
  - single point of failure if there is no fault tolerance mechanism
  - must be able to:
    - handle high bandwidths
    - process each packet very quickly to avoid slowing down the network
Types
Detection Types
Tools
- Snort
  - uses a rule-driven language, which combines the benefits of signature-, protocol-, and anomaly-based inspection methods, providing robust detection capabilities
  - open-source
- Suricata
  - high-performance open-source IDS/IPS/NSM engine
  - designed to take full advantage of modern hardware
  - delivers higher performance and scalability than Snort
  - can function as an IDS or an IPS
  - compatible with Snort rulesets
- Security Onion
  - a Linux distribution designed for intrusion detection, network security monitoring, and log management
  - includes many tools to provide a complete platform for network security
    - Snort
    - Suricata
    - along with a host of other tools
  - provides a holistic view of network activity
  - enables correlating data from different tools to obtain a comprehensive understanding of the network’s security posture
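The following is an added example, not code from the notes above nor from Snort or Suricata. It ties the two halves of the notes together: a toy inline IPS that reads a simplified subset of the Snort/Suricata rule syntax (action, protocol, destination port, `content`, `msg`, `sid`) and applies the preventative measures listed earlier. The `alert`, `drop` and `reject` actions are modelled on Suricata's: `alert` logs and forwards, `drop` discards silently, `reject` discards and sends a TCP reset to tear down the session. Shunning is layered on top as a temporary filter entry for the attacker's IP that expires after `shun_seconds`; that policy, the rule set, the addresses and the packet payloads are all constructed for this example and are not how any real IPS is configured.

```python
"""Toy inline IPS: simplified Snort/Suricata-style rules plus temporary shunning.

Constructed example: rules, hosts, payloads and timings are made up.
"""
from dataclasses import dataclass, field
import re

# action proto src sport -> dst dport (opt:"value"; opt:value; ...)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|reject)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*'
    r'\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$'
)
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


@dataclass
class Rule:
    action: str     # alert = log and forward, drop = discard, reject = discard + TCP RST
    proto: str      # "tcp", "udp", or "ip" (matches any protocol)
    dport: str      # port number or "any"
    content: bytes  # substring the payload must contain (b"" matches everything)
    msg: str
    sid: int


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the simplified syntax; raises ValueError on garbage."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = dict(OPT_RE.findall(m["opts"]))
    return Rule(action=m["action"], proto=m["proto"].lower(), dport=m["dport"],
                content=opts.get("content", "").encode(), msg=opts.get("msg", ""),
                sid=int(opts["sid"]))


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class InlineIPS:
    rules: list
    shun_seconds: float = 60.0
    shunned: dict = field(default_factory=dict)   # attacker IP -> expiry timestamp
    alerts: list = field(default_factory=list)    # (sid, msg, src) for every rule hit
    resets: list = field(default_factory=list)    # (src, dst) pairs sent a TCP RST

    def _match(self, pkt: Packet):
        """First rule whose protocol, destination port and content all match."""
        for r in self.rules:
            if r.proto not in ("ip", pkt.proto):
                continue
            if r.dport != "any" and int(r.dport) != pkt.dport:
                continue
            if r.content not in pkt.payload:
                continue
            return r
        return None

    def process(self, pkt: Packet, now: float) -> str:
        """Return the verdict for one packet: forward, shunned, drop or reject."""
        # A shunned host is blocked regardless of content until its filter lapses.
        expiry = self.shunned.get(pkt.src)
        if expiry is not None:
            if now < expiry:
                return "shunned"
            del self.shunned[pkt.src]  # temporary filter has expired
        rule = self._match(pkt)
        if rule is None:
            return "forward"
        self.alerts.append((rule.sid, rule.msg, pkt.src))
        if rule.action == "alert":
            return "forward"
        if rule.action == "reject" and pkt.proto == "tcp":
            self.resets.append((pkt.src, pkt.dst))  # end the session with a TCP reset
        # Toy policy: any blocking verdict also shuns the source for shun_seconds.
        self.shunned[pkt.src] = now + self.shun_seconds
        return rule.action


# Constructed rule set (hypothetical sids and content strings)
CONSTRUCTED_RULES = [
    'alert tcp any any -> any 80 (msg:"HTTP request seen"; content:"GET "; sid:1000001;)',
    'drop udp any any -> any 53 (msg:"DNS query for known-bad domain"; content:"evil.example"; sid:1000002;)',
    'reject tcp any any -> any 22 (msg:"SSH banner from known scanner"; content:"SSH-2.0-scanner"; sid:1000003;)',
]


def run_demo():
    """Replay a constructed packet stream; returns (verdicts, ips state)."""
    ips = InlineIPS([parse_rule(r) for r in CONSTRUCTED_RULES], shun_seconds=60)
    events = [
        (0.0, Packet("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1")),
        (1.0, Packet("203.0.113.9", "10.0.0.22", "tcp", 22, b"SSH-2.0-scanner")),
        (2.0, Packet("203.0.113.9", "10.0.0.80", "tcp", 80, b"GET / HTTP/1.1")),   # benign, but host is shunned
        (3.0, Packet("198.51.100.7", "10.0.0.53", "udp", 53, b"evil.example")),
        (70.0, Packet("203.0.113.9", "10.0.0.80", "tcp", 80, b"GET / HTTP/1.1")),  # shun has expired
    ]
    return [ips.process(p, t) for t, p in events], ips


if __name__ == "__main__":
    verdicts, state = run_demo()
    print(verdicts, state.resets, sorted(state.shunned))
```

The third packet is the point of shunning: on its own it matches only the harmless HTTP `alert` rule, yet it is blocked because its source was filtered two seconds earlier. The fifth packet shows why the filter should be temporary: once the entry lapses the host's traffic is inspected normally again, so a spoofed source or a shared NAT address does not stay blocked forever. Ordering matters too: the shun table is checked before rule matching precisely so that the inline device spends as little time as possible per packet from a host it has already decided to block.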