Most of the discussion surrounding network perimeter security architectures tends to focus on how to keep attackers out and valuable assets safe inside. But what happens when the outer defenses fail and an attacker gets inside, what does your security plan call for then?
Like any perimeter-based security architecture, there have to be measures put in place to deal with those who breach inside and that is exactly what an intrusion prevention system is made for. Specifically, we’re going to focus on network intrusion prevention systems with a little insight into other forms of intrusion prevention.
So, let’s dive into one of the last lines of defense in your perimeter security.
- Network Intrusion Prevention System (NIPS) is a type of network security software that detects malicious activity on a network, reports information about said activity, and takes steps to block or stop the activity from occurring automatically.
- An intrusion prevention system, specifically a NIPS, uses packet inspection as well as anomaly, signature, and policy-based inspections to evaluate whether the traffic is legitimate or not.
- A full transformation to a perimeterless architecture is a costly venture that requires a major overhaul of your entire networking and security stack.
Table of Contents
What Is a Network Intrusion Prevention System and How Does it Work?
Starting off, a network intrusion prevention system (NIPS) is a type of network security software that detects malicious activity on a network, reports information about said activity, and takes steps to block or stop the activity from occurring automatically. This is an expansion of capabilities over an “intrusion detection system,” which you can guess by the name only detects threats but doesn’t take any active steps to prevent them. The NIPS lives within the network perimeter between the firewall and the router as a sort of checkpoint and enforcement point for network traffic passing through.
A network intrusion prevention systems use three types of intrusion detection:
- Signature: Detects attacks based on specific patterns, such as network traffic, number of bytes, and known previous attacks
- Anomaly: Systems use machine learning to create a model of trustful activity and compare the current activity with it
- Policy: Relies on predetermined network traffic baselines and activity outside of that baseline is seen as a potential threat to the network; requires a systems administrator to configure security policies manually
More advanced intrusion prevention systems can rely less and less on policy-based detections, and more on anomaly and signature-based detections. Once the intrusion prevention system has detected a threat, it takes steps to alert administrators of the issue, then acts to drop packets from the offending source or reset the connection between the network and the source.
Sometimes an intrusion prevention system can work in conjunction with a honeypot within the demilitarized zone (DMZ) of a network to detect malicious traffic and send them to a fake source of seemingly valuable data separate from the actual network. This allows network security personnel to observe and learn more about continuous threats to the network and build new signature-based security policies.
What’s the Difference Between an Intrusion Prevention System and Firewall?
Traditionally, firewalls and intrusion prevention systems block traffic at two completely different levels. A firewall exists to allow or block traffic based on network protocol and port levels. While this is helpful for blocking some attack methods, attackers are also capable of using legitimate protocols and ports to send malicious traffic over the network.
Standard firewalls ― stateful and stateless ― don’t perform any packet inspection to determine the quality or legitimacy of traffic, but rather to evaluate the levels of traffic, where the traffic is originating, and so on.
An intrusion prevention system, specifically a NIPS, uses packet inspection as well as anomaly, signature, and policy-based inspections to evaluate whether the traffic is legitimate or not. It’s a misconception that if you have a firewall then an IPS solution isn’t needed to protect your network (or vice versa). This couldn’t be further from the truth. You need both solutions to detect and protect from intrusions on a protocol and packet content level.
The Line Between IPS and Firewall Systems Is Blurring
The good news is we’re moving toward a future where firewalls and intrusion prevention systems are converging into next-generation firewall solutions that perform both functions. These next-generation firewalls are capable of detecting and blocking intruders on all levels, giving you the best of both worlds. These next-gen firewalls are also moving into the cloud, along with network perimeters via virtualization, meaning you won’t have to manage network hardware like switches, routers, and firewalls.
This type of perimeter also follows you wherever you go in an architecture known as secure access service edge (SASE) where all of the security of a next-generation firewall along with the rest of your security functions all work in coordination with one another on a cloud-based network. This is a very exciting and transitory time for networking and security functions.
In the meantime, though, that’s the difference between an IPS and a firewall. You can’t have one without the other in today’s modern computing world.
Other Types of Intrusion Prevention Systems
- Wireless Intrusion Prevention System
- Host-based Intrusion Prevention System
Not all IPS systems are made to prevent network intrusions. These are the other types of intrusion prevention systems that work in tandem with NIPS solutions.
Wireless Intrusion Prevention System
A wireless intrusion prevention system (WIPS) operates similarly to a standard network intrusion prevention system with a few differences. Instead of working inline between the firewall and network router, the WIPS monitors frequencies for rogue and unauthorized wireless access points (WAPs) to the network. Once the WIPS detects these unauthorized access points, an administrator is notified of this breach and drops the connection.
Host-based Intrusion Prevention System
Unlike a network intrusion prevention system, a host-based intrusion prevention system (HIPS) is an installed software solution meant to stop malware attacks by monitoring code, logs, directories, registries, and files. This is different from antivirus and antimalware software, which is meant to block the installation and execution of malware through known activity signatures and heuristics. HIPS isn’t just looking for malware.
Instead, HIPS serves a broader purpose of tracking any unexpected changes within the file systems of a computer, analyzing system and application log files, and scanning system components to detect any irregularities. In its processes, it may detect malware on a system, but that isn’t the primary focus.
Is Your Security Perimeter Due for a Refresh?
The truth is, a full transformation to a perimeterless architecture is a costly venture that requires a major overhaul of your entire networking and security stack. This is something best suited for major enterprises for now in its early stages as the wrinkles are sorted out and before the price tag begins to fall.
So, where does that leave your small or medium-sized business (SMBs)? Well, you could always look into updating and refreshing your network perimeter.
What To Do Next
There are lots of ways to update your perimeter architecture, from investing in a next-generation firewall to upgrading your VPN provider. Digital.com has all of the resources, guides, and reviews you need to make an informed decision when finding all kinds of new cybersecurity solutions. Be sure to check back regularly for new updates and content as these solutions and vendors change quite frequently to meet the demands of today’s remote and hybrid workforce situations.