What Is an Intrusion Prevention System?

Plus how it differs from an intrusion detection system

Intrusion prevention systems (IPS) are some of the most important network security measures a network can have. An IPS is what's known as a control system: it not only detects potential threats to a network system and its infrastructure, but also seeks to actively block any connections that may be a threat. This is different from more passive protections like intrusion detection systems.

What Is IPS Technology?

An intrusion prevention system constantly monitors network traffic, specifically individual packets, to look for any possible malicious attacks. It collects information about these packets and reports them to system administrators, but it also makes preventative moves of its own. If an IPS detects potential malware or another kind of malicious attack, it will block those packets from accessing the network.

It can take other steps, too, such as closing loopholes in the system's security that could be continually exploited. It can close access points to a network as well as configure secondary firewalls to look for these sorts of attacks in the future, adding additional layers of security to the network's defenses.

What Kind of Attacks Can IPS Prevent?

Intrusion prevention systems can look for and protect against a variety of potential malicious attacks. They have the ability to detect and block denial of service (DoS) attacks, distributed denial of service (DDoS) attacks, exploit kits, worms, computer viruses, and other types of malware.

What Does IPS Do If It Detects an Attack?

An intrusion prevention system can detect various attacks by analyzing packets and looking for particular malware signatures. It may also leverage behavioral tracking to look for anomalous activity on a network, and it can monitor administrative security protocols and policies to see whether they are violated.

If any of these detection methods discovers a potential attack, an IPS can immediately terminate the connection that it is coming from. The offending IP address can subsequently be blocked if the IPS is configured to do so, or the user associated with it can be barred from accessing the network and any connected resources again.

An IPS may also change the local firewall settings to look out for such attacks again, and may even remove any remnants of an attack by stripping away malware-affected headers, infected attachments, and malicious links from file and email servers.

IDS vs IPS

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) might both be security-related, but they have entirely different goals and means to that end.

There are many types of IDS and IPS, and they all work a little differently. For IDS, there are network intrusion detection systems (NIDS), which sit at strategic points within a network to detect potential attacks as they are ongoing within the network. Host intrusion detection systems (HIDS) run on individual systems and devices and only monitor the activity on the network going to and from that particular system.

In either case, IDS that discover a potential attack will notify the system administrators.

In contrast, an IPS will play a similar role to an IDS (and can be used in conjunction with one for greater network oversight) but will play a more active role in protecting the network. It will also notify administrators if attacks are detected, but it will additionally take punitive actions against any systems, individual accounts, or firewall loopholes to make sure that the attack is blocked and any associated files are removed from the network.

As the names suggest, intrusion detection systems are designed to let you know if and when an attack occurs so that you can manually treat the issue. Intrusion prevention systems are designed to actively protect your system from attacks and to prevent future ones through adjusting network parameters.
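
The detection methods and responses described above (signature, policy, and anomaly checks; alerting versus blocking), as an added example that is not from the original article: a toy inline engine that only alerts when `prevent` is false (IDS behavior) and also drops the packet and blocks the source IP when it is true (IPS behavior). The rules, names, addresses, and traffic are all constructed for illustration.

```python
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass, field
# Constructed rules and traffic (assumptions, not from any real rule set).
SIGNATURES = {b"EXAMPLE-MALWARE-MARKER": "signature:example-malware"}
BLOCKED_PORTS = {23}            # policy: Telnet is not allowed
RATE_LIMIT, WINDOW = 5, 1.0     # anomaly: more than 5 packets/source/second
Packet = namedtuple("Packet", "ts src dport payload")
SAMPLE = [
    Packet(0.0, "198.51.100.7", 443, b"GET / HTTP/1.1"),
    Packet(0.1, "203.0.113.9", 80, b"..EXAMPLE-MALWARE-MARKER.."),
    Packet(0.2, "203.0.113.9", 80, b"GET / HTTP/1.1"),
    Packet(0.3, "192.0.2.44", 23, b"login"),
]

@dataclass
class Engine:
    prevent: bool   # False = IDS (alert only), True = IPS (alert and block)
    blocklist: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    recent: dict = field(default_factory=lambda: defaultdict(deque))

    def detect(self, p):    # returns the name of the rule tripped, or None
        for marker, name in SIGNATURES.items():
            if marker in p.payload:
                return name
        if p.dport in BLOCKED_PORTS:
            return "policy:blocked-port"
        q = self.recent[p.src]          # timestamps inside the sliding window
        q.append(p.ts)
        while p.ts - q[0] > WINDOW:
            q.popleft()
        return "anomaly:rate" if len(q) > RATE_LIMIT else None

    def handle(self, p):    # returns "forward" or "drop" for one packet
        if p.src in self.blocklist:
            return "drop"               # source was blocked earlier
        reason = self.detect(p)
        if reason is None:
            return "forward"
        self.alerts.append((p.src, reason))   # both modes notify the admins
        if not self.prevent:
            return "forward"            # IDS: passive, the traffic still passes
        self.blocklist.add(p.src)       # IPS: block the offending IP address
        return "drop"

if __name__ == "__main__":
    for mode in (False, True):
        engine = Engine(prevent=mode)
        print("IPS" if mode else "IDS", [engine.handle(p) for p in SAMPLE])
```

Both modes raise the same alerts on the sample traffic; only the IPS mode changes what reaches the network, including the later clean-looking packet from an already blocked source.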