Intrusion Prevention Systems (IPS) are network-based devices or host-based applications that protect systems against computer hacking attacks by analyzing each message passing through it.
How do Intrusion Prevention Systems (IPS) work?
Intrusion Prevention Systems (IPS) analyzing each message passing through it for:
- messages that match any of the thousands of known attack patterns or "signatures,"
- messages that violate domestic and international networking standards,
- attempts to scan network devices,
- denial of service attacks,
- reconnaissance activity (i.e., testing computers to find less protected systems).
Once an attack is detected, the IPS can be configured to take any of the following actions:
- It can capture information about the attack to a log file.
- It can continue to capture subsequent data from a suspicious source.
- It can drop the message completely.
- It can drop subsequent messages from a suspicious source.
- It can e-mail and/or page appropriate support personnel.
Types of network-based IPS solutions
- In-line Intrusion Prevention Systems: An in-line IPS must positioned between the untrusted network environment and the trusted network it is intended to protect. All traffic that is to be screened must pass through the IPS for analysis and, if certain criteria are met, for discard.
- Out-of-band Intrusion Prevention Systems: An out-of-band IPS is connected to the network infrastructure in a manner that allows it to view all traffic passing through the networking equipment without being physically between the sending and receiving devices. Since the network traffic does not pass through an out-of-band IPS, it cannot merely drop communication messages that it determines are malicious. Instead, the out-of-band IPS issues transactions to both devices to mimic a break in their communication session which should cause the offending message to not be processed by the receiving computer.
The University has chosen to deploy in-line IPS solutions primarily because there is less certainty that an out-of-band IPS will stop the processing of all identified malicious communications traffic.
Even though the University has centrally managed intrusion prevention systems, the use of a departmentally managed IPS can provide value by protecting departmental systems against attacks by any computer on our network that has been infected by a virus or any other form of malicious software. Additionally, it is likely that a departmental IPS can be configured with a more aggresive set of rules than we can deploy centrally due to the diversity of computer equipment we must support.