What is IPS?
An intrusion prevention system (IPS) is a security appliance that monitors and evaluates a system for signs of attacks in progress, and can actively block traffic that it determines is malicious.
IPSs are similar in purpose to firewalls in that both can stop unwanted traffic from entering a network. However, they have some key differences.
Here is my post about a basic layout of firewalls if you haven't seen it yet:
A firewall is like a security guard who lets guests into a building based on whether or not they match predefined rules. An IPS is more like a second security guard inside a building. Even if the outside guard (the firewall) lets someone in, the inside guard (the IPS) will watch that guest for signs of suspicious behaviour. If the guest exhibits a repeated pattern of suspicious behaviour, the inside guard will kick them out.
In other words, an IPS is a second layer of defence that monitors traffic that makes it past the firewall, looking for signs of anomalous behaviour.
The other major difference is that IPSs are only concerned with managing incoming traffic, whereas firewalls apply to both incoming and outgoing traffic.
There are many IPS solutions available. Two common third-party solutions are DenyHosts and Fail2ban, both of which examine log files for anomalies.
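To make the "repeated pattern of suspicious behaviour, then kick them out" idea concrete, here is an added example of the log-watching logic tools like Fail2ban apply; it is not code from the original post or from Fail2ban/DenyHosts, and the log lines, the year, the thresholds and the `iptables` rule format are all constructed or assumed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an auth log (syslog format, which carries no year).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 40100 ssh2
Mar  3 10:00:04 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 40102 ssh2
Mar  3 10:00:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 40104 ssh2
Mar  3 10:01:00 host sshd[1204]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:02:00 host sshd[1205]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:30:00 host sshd[1206]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 10:45:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 51004 ssh2
""".splitlines()

# OpenSSH "Failed password" line; only the timestamp and source address are kept.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(text, year=2024):
    """Syslog timestamps have no year, so one is assumed (2024 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_ips_to_block(lines, maxretry=3, findtime_s=600):
    """Fail2ban-style rule: maxretry failures from one address within
    findtime_s seconds trip a ban. Returns {ip: time the ban was triggered}."""
    recent = defaultdict(deque)   # per-address sliding window of failure times
    banned = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue             # successful logins and unrelated lines are ignored
        ts, ip = parse_ts(m.group("ts")), m.group("ip")
        if ip in banned:
            continue             # already decided for this address
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime_s:
            window.popleft()     # forget failures older than the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

def block_commands(banned):
    """The prevention step that separates an IPS from an IDS: one firewall
    rule per banned address (returned as strings, not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]
```

With the defaults, only 203.0.113.5 (three failures in eight seconds) trips the rule; 198.51.100.7 also fails three times, but spread over 45 minutes, so it stays out of the ban list unless the window is widened.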
Note: An intrusion detection system (IDS) is the same as an IPS except that it does not actively block traffic; it only alerts personnel.