We regularly deploy IPS (Intrusion Prevention System) solutions for our clients at their network edge as part of their managed firewall solution. An IPS should be used by any organisation that does business online or operates within the financial services, legal, accounting, banking or healthcare sectors.
What we frequently find is that many businesses do not understand the role of an IPS, and those that do often believe an IPS is only used in highly secure environments. In this post, we explain what an IPS is and how it works.
Is antivirus software still relevant?
A proportion of malware and viruses can go undetected by standard antivirus software, particularly custom malware written for a targeted attack, for which the antivirus vendor has no signature. This is worrying, given how many businesses rely on antivirus as their only form of defence. The general recommendation is a defence-in-depth approach, and an IPS is a key component of that strategy.
What is an IPS?
In brief, an IPS is a system that tries to identify threats and attacks through a combination of traffic signatures, pattern recognition and anomaly detection. We implement IPS at the network edge as part of a firewall solution, so in that context the system inspects all inbound and outbound network traffic, looking for potential attacks or for behaviour that typically precedes an attack (e.g. network enumeration).
Fortinet describes an IPS as:
a technology that protects networks from both known and unknown threats, blocking attacks that might otherwise take advantage of network vulnerabilities and unpatched systems.
FortiGate® IPS technology leverages a database of thousands of unique attack signatures to stop attacks that might evade conventional firewall defenses, plus anomaly-based detection that enables the system to recognize threats for which no signature has yet
How does an IPS protect a business?
You may ask: if your business already has antivirus, what sort of malware or attacks can an intrusion prevention system stop? The key point is that not every attack or exploit is a virus. Antivirus often only comes into play once malicious code has already reached a host, after the horse has bolted, which is often too late. An IPS inspects the traffic before it reaches the host.
Some examples of what an IPS can stop:
- Someone on the internet has opened thousands of connections to your mail server. If this continued, the mail server would be starved of resources and unable to function. An IPS detects this anomalous behaviour and blocks the attacker. This is not a virus or malware.
- A user has browsed to a website that tries to instantiate the Adobe PDF viewer in a malicious way (a browser exploit); the IPS blocks the exploit traffic.
- An attacker is scanning your IP range; the IPS identifies this as an enumeration attempt, assumes ill intent and blocks the attacker.
- A specially crafted web request is sent to your website, designed to exploit the web server; the IPS matches it against a signature and blocks it.
Furthermore, leading intrusion prevention systems are linked to the vendor's cloud, which provides shared intelligence and a centralised threat resource. If an attack is seen in the UK and a signature is written for it, that same signature can be distributed to other IPS systems.
Fortinet's IPS has several thousand pre-built signatures that are constantly updated. If your business has its own web application or portal, a custom signature can be written to safeguard that specific system. For example:
- When someone logs into your financial services portal and gets their password wrong, the portal responds with “Error 2301 – Password incorrect”.
- A custom IPS signature can count these responses per source IP address and, if the count exceeds a threshold within a set period, block that IP on the firewall.
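To make the two kinds of rule concrete, here is a small added illustration (our own example code, not Fortinet's IPS engine or any MTG product) of how a content signature and a rate-based rule behave over the scenarios above: the crafted web request and the mail-server connection flood from the examples list, and the custom “Error 2301” brute-force signature. The record layout, rule fields, rule names, addresses and thresholds are all assumptions made for the example; the traffic is constructed inline.

```python
"""Toy IPS engine: content signatures plus per-source rate-based rules.

Added illustration only; the Event/Rule layout, rule names, addresses
and thresholds are assumptions for this example, not vendor syntax.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Event:
    ts: float          # seconds
    remote: str        # internet-side address, whichever way the packet flows
    dst_port: int      # server port the flow is to
    direction: str     # "to_server" or "from_server"
    payload: bytes


@dataclass
class Rule:
    name: str
    pattern: Optional[bytes] = None        # content signature; None matches any payload
    direction: Optional[str] = None
    dst_port: Optional[int] = None
    rate: Optional[Tuple[int, int]] = None  # (count, seconds): fire only after
                                            # `count` matches from one remote
                                            # address within `seconds`


class IPS:
    def __init__(self, rules):
        self.rules = rules
        self.blocked = set()                 # remote addresses now dropped outright
        self._hits = defaultdict(deque)      # (rule name, remote) -> match timestamps
        self.alerts = []

    def _matches(self, rule, ev):
        return ((rule.direction is None or rule.direction == ev.direction)
                and (rule.dst_port is None or rule.dst_port == ev.dst_port)
                and (rule.pattern is None or rule.pattern in ev.payload))

    def _block(self, rule, ev):
        self.blocked.add(ev.remote)
        self.alerts.append((ev.ts, rule.name, ev.remote))

    def inspect(self, ev) -> str:
        """Return 'drop' or 'pass' for one packet/record."""
        if ev.remote in self.blocked:
            return "drop"
        for rule in self.rules:
            if not self._matches(rule, ev):
                continue
            if rule.rate is None:                # plain signature: one hit is enough
                self._block(rule, ev)
                return "drop"
            count, window = rule.rate            # rate-based: sliding window per remote
            hits = self._hits[(rule.name, ev.remote)]
            hits.append(ev.ts)
            while hits and hits[0] <= ev.ts - window:   # expire hits outside the window
                hits.popleft()
            if len(hits) >= count:
                self._block(rule, ev)
                return "drop"
        return "pass"


def run_demo():
    """Replay constructed traffic for the three scenarios; returns verdicts."""
    rules = [
        Rule("Web.Server.Path.Traversal", pattern=b"/../../etc/passwd",
             direction="to_server", dst_port=80),
        Rule("SMTP.Connection.Flood", direction="to_server", dst_port=25,
             rate=(50, 10)),                   # 50 connections in 10 s (illustrative)
        Rule("Portal.Login.Brute.Force", pattern=b"Error 2301",
             direction="from_server", dst_port=443, rate=(5, 60)),
    ]
    ips = IPS(rules)
    out = {}

    # 1. One crafted web request: the content signature fires immediately.
    out["web"] = ips.inspect(Event(0.0, "192.0.2.9", 80, "to_server",
                                   b"GET /../../etc/passwd HTTP/1.1\r\n"))

    # 2. Mail-server flood: 60 connection attempts in 6 s from one address.
    v = [ips.inspect(Event(i * 0.1, "203.0.113.5", 25, "to_server", b""))
         for i in range(60)]
    out["smtp_first_drop"] = v.index("drop")   # 49: the 50th attempt
    out["smtp_dropped"] = v.count("drop")      # 11: that one plus the rest

    # 3a. Portal brute force: six wrong passwords, 10 s apart, from one address.
    body = b"HTTP/1.1 200 OK\r\n\r\nError 2301 - Password incorrect"
    out["bf"] = [ips.inspect(Event(100 + i * 10, "198.51.100.7", 443, "from_server", body))
                 for i in range(6)]

    # 3b. Slow guessing, 90 s apart: never 5 hits inside the 60 s window.
    slow = [ips.inspect(Event(1000 + i * 90, "198.51.100.8", 443, "from_server", body))
            for i in range(8)]
    out["slow_all_pass"] = all(x == "pass" for x in slow)

    out["blocked"] = sorted(ips.blocked)
    return out


if __name__ == "__main__":
    for k, val in run_demo().items():
        print(k, val)
```

Two caveats a real deployment has to handle that the toy makes visible: for a rule matching the server's response (3a), the address tracked and blocked must be the remote client, not the server; and a rate-based rule only catches attempts faster than its window, so a patient attacker staying under the threshold (3b) passes and needs a separate control such as account lockout. Blocking by source address also affects every user behind a shared NAT address, so thresholds and block durations should be chosen with that in mind.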
- We can deploy an IPS as part of a firewall security solution.
- An IPS scans traffic in real time.
- This provides comprehensive security controls that complement the security provided by antivirus and firewall solutions.
- An IPS protects against a whole range of attacks, not just viruses.
- The IPS can be installed on LAN or DMZ segments, alongside existing firewall environments.
Your business must plan to protect against all threats: not just current threats but known and unknown ones. Speak to MTG about how an IPS can enhance the security within your business.