Intrusion Protection System

From Glitchdata
Jump to navigation Jump to search

The IPS often sits directly behind the firewall and provides a complementary layer of analysis that negatively selects for dangerous content. Unlike its predecessor the Intrusion Detection System (IDS)—which is a passive system that scans traffic and reports back on threats—the IPS is placed inline (in the direct communication path between source and destination), actively analyzing and taking automated actions on all traffic flows that enter the network. Specifically, these actions include:

  • Sending an alarm to the administrator (as would be seen in an IDS)
  • Dropping the malicious packets
    • IPS could prevent malware attack (eg. install a rootkit). The IPS would refuse to permit the installation without the consent of an administrator.
    • Host-based IPS should detect any attempts to change files on the server, regardless of how access was obtained.
  • Blocking traffic from the source address
  • Resetting the connection
    • As an inline security component, the IPS must work efficiently to avoid degrading network performance. It must also work fast because exploits can happen in near real-time.
    • The IPS must also detect and respond accurately, so as to eliminate threats and false positives (legitimate packets misread as threats).