An Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level. An organization cannot protect its network with a firewall alone; additional protection is needed against the risks and attacks that a firewall, which filters on addresses and ports, does not see. An IPS adds that extra layer by examining all network traffic the firewall allows through. Earlier Intrusion Prevention Systems mainly protected against operating system threats and against denial of service and distributed denial of service attacks.
Those threats exploited vulnerabilities that were mostly in the operating system's network stack and services. Over the years these operating system components have become more robust and are no longer as prone to vulnerabilities. At the same time PC use has shifted toward online activity, which means greater dependence on web browsers and plug-ins to interact with web sites and services. This has given attackers the opportunity to move from the operating system to exploiting vulnerabilities in applications, so attacks are now more likely to hit the web browser, document viewers, media players and similar client software.
Many websites are poorly secured, so attackers can easily compromise sites that users visit and use otherwise legitimate pages to deliver malware. Users are lured to such pages through social engineering: scams, fake e-mail purporting to come from friends or the bank, and messages on social networking sites. These are all examples of how easy it is to get users onto dangerous sites. To counter these threats, an IPS recognises attempts to exploit known vulnerabilities in the traffic itself, regardless of which site the traffic comes from.
In addition to scanning all network traffic, an IPS can provide protection specific to the browser. Before deploying an Intrusion Prevention System one must understand what is going to be protected. In most cases that means the organization's applications and servers, but the network administrator will also want to include desktops, routers, switches, mail servers, DNS servers and other network-attached devices. When first deploying an IPS, avoid unrealistic expectations and overly aggressive plans.
It is best to concentrate on the perimeter and on externally exposed services such as FTP, e-mail and Web services. The services and resources chosen for protection should be the most critical ones, and relying on a single type of protection such as a firewall is impractical and insufficient. Once you know what you want to protect, you can consider what you want to protect it from. An organization may already have some protection against Trojans and worms but none for its critical processes against application attacks or insider attacks, which represent an internal threat.
A successful IPS deployment begins with defining the threats you wish to protect your systems from; that understanding strongly shapes the deployment requirements. Most exploits, spyware and malware that could find their way into an organization's systems fall into known classifications. Classifying threats matters because it lets them be handled effectively as a group instead of one at a time: at many levels, threats share common behaviour in how they act, infect and spread.
The administrator needs to invest time tuning the IPS to the organization's specific environment. Sensor placement is equally important to a successful deployment: IPS devices should be positioned where they maximise the sensors' effectiveness, covering the parts of the business's infrastructure and applications that are at risk. Typically, IPS devices are deployed behind firewalls and WAN routers, in front of server farms or similar collections of resources, and at other network access points.
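The two preceding paragraphs describe handling signatures as threat classes and tuning each sensor to its placement. The following is an added illustration, not code from this paper or from any IPS product: a toy inline IPS in Python in which every signature belongs to a threat class, each sensor applies one policy per class, and a suppression rule exempts an authorised internal scanner at the server-farm sensor only. The signatures, sensor names, addresses and traffic are constructed for the example.

```python
"""Added example: toy inline IPS with threat classes, per-sensor policy and tuning.
Signatures, addresses and traffic below are constructed, not from a real product."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
import re


@dataclass(frozen=True)
class Signature:
    sid: int
    threat_class: str        # the group the signature belongs to
    dport: Optional[int]     # None matches any destination port
    pattern: str             # regex applied to the payload
    msg: str


@dataclass
class Sensor:
    placement: str
    class_policy: dict                                 # threat_class -> "drop" or "alert"
    default_policy: str = "alert"
    suppressions: list = field(default_factory=list)   # (sid, trusted source network)

    def suppress(self, sid: int, src_cidr: str) -> None:
        """Tuning knob: ignore one signature for a trusted source range on this sensor."""
        self.suppressions.append((sid, ip_network(src_cidr)))

    def inspect(self, pkt: dict, signatures) -> tuple:
        """Return (action, sid, msg); action is pass, alert or drop."""
        src = ip_address(pkt["src"])
        for sig in signatures:
            if sig.dport is not None and pkt["dport"] != sig.dport:
                continue
            if not re.search(sig.pattern, pkt["payload"], re.IGNORECASE):
                continue
            if any(s == sig.sid and src in net for s, net in self.suppressions):
                return ("pass", sig.sid, "suppressed by tuning")
            # Policy is looked up by class, so one entry governs every signature in the group.
            action = self.class_policy.get(sig.threat_class, self.default_policy)
            return (action, sig.sid, sig.msg)
        return ("pass", None, "")


# Constructed signatures (hypothetical patterns, sids in the local range).
SIGNATURES = [
    Signature(1000001, "web-application-attack", 80,
              r"('\s*or\s*'1'\s*=\s*'1|\bunion\b.+\bselect\b)", "SQL injection attempt"),
    Signature(1000002, "web-application-attack", 80, r"\.\./\.\./", "directory traversal attempt"),
    Signature(1000003, "malware-cnc", None, r"User-Agent:\s*EvilBot", "known bot beacon user-agent"),
]

INTERNAL = ip_network("10.0.0.0/8")

# Constructed traffic: Internet client, internal scanner, infected desktop, benign visitor.
TRAFFIC = [
    {"src": "203.0.113.10", "dst": "10.0.1.10", "dport": 80,
     "payload": "GET /login?user=admin' or '1'='1 HTTP/1.1"},
    {"src": "10.0.5.7", "dst": "10.0.1.10", "dport": 80,
     "payload": "GET /../../etc/passwd HTTP/1.1"},          # authorised vulnerability scanner
    {"src": "10.0.20.31", "dst": "198.51.100.77", "dport": 443,
     "payload": "GET / HTTP/1.1\r\nUser-Agent: EvilBot/1.0"},
    {"src": "198.51.100.4", "dst": "10.0.1.10", "dport": 80,
     "payload": "GET /index.html HTTP/1.1"},
]


def build_sensors():
    """Placement as in the text: one sensor behind the edge firewall, one in front of the server farm."""
    perimeter = Sensor("behind edge firewall", {"web-application-attack": "drop", "malware-cnc": "drop"})
    server_farm = Sensor("in front of server farm", {"web-application-attack": "drop"})
    return perimeter, server_farm


def path_for(pkt, perimeter, server_farm):
    """Which sensors a packet crosses, derived from where its endpoints sit."""
    src_in = ip_address(pkt["src"]) in INTERNAL
    dst_in = ip_address(pkt["dst"]) in INTERNAL
    if src_in and dst_in:
        return [server_farm]            # desktop to server farm never touches the edge
    if src_in:
        return [perimeter]              # outbound, e.g. a beacon leaving the network
    return [perimeter, server_farm]     # inbound from the Internet crosses both


def verdict(pkt, perimeter, server_farm):
    """Inline semantics: the first sensor that drops ends the packet's journey."""
    best = ("pass", None, None)
    for sensor in path_for(pkt, perimeter, server_farm):
        action, sid, _ = sensor.inspect(pkt, SIGNATURES)
        if action == "drop":
            return ("drop", sensor.placement, sid)
        if action == "alert":
            best = ("alert", sensor.placement, sid)
    return best


def run_demo():
    """Verdicts before and after tuning the server-farm sensor for the scanner subnet."""
    perimeter, server_farm = build_sensors()
    before = [verdict(p, perimeter, server_farm)[0] for p in TRAFFIC]
    # Tuning: Internet-sourced traversal attempts are still dropped, but the
    # scanner subnet is exempted so authorised scans of the farm are not blocked.
    server_farm.suppress(1000002, "10.0.5.0/24")
    after = [verdict(p, perimeter, server_farm)[0] for p in TRAFFIC]
    return before, after


if __name__ == "__main__":
    for pkt, b, a in zip(TRAFFIC, *run_demo()):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} before={b:<5} after={a}")
```

The point of the example is the shape, not the patterns: the scanner's traversal probe is dropped until the server-farm sensor is tuned, while the same signature keeps dropping the identical payload from an Internet source, and the malware beacon from an internal desktop is caught only at the perimeter because that is the only sensor on its path. Real deployments express the same ideas through the product's class-based policy and its suppression or threshold rules.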
The IPS architecture in this paper shows protection at the point of Internet access, between desktops and the application and database servers they access, and at the e-mail server and DNS server. These are the typical targets where an extra layer of protection is needed. With sensors at these points, the network administrator can tune the IPS against attacks, balance network traffic, and be alerted when a threat or attack is under way so that proper action can be taken.
In conclusion, a successful IPS design and deployment requires understanding the organization's need for real-time threat protection, determining the right placement points for the IPS sensors, taking the time to tune the system correctly, and evaluating the overall system and its use. The goal is to provide the best protection for the company's systems and to limit the avenues available to threats and attacks. Deploying an IPS alongside other protective devices and software helps lower the organization's exposure.