Cyber Security: What is an intrusion prevention system (IPS)?

An intrusion prevention system (IPS) is a security control that inspects network traffic in real time and blocks traffic that matches a detection rule. An IPS combines the detection capability of an IDS with an inline enforcement point, so suspicious or known-malicious packets are dropped before they reach the protected systems rather than merely being reported afterwards.

IPS versus IDS

An IDS is passive: it inspects a copy of the traffic (from a SPAN port or a network tap) and raises alerts but cannot stop anything. An IPS is inline: traffic passes through it, so it can drop packets, send TCP resets or ICMP unreachables to tear a session down, or block an offending source for a period. The trade-off is enforcement against the risk of self-inflicted disruption: a rule that is too broad blocks legitimate traffic, and inline inspection adds latency to every flow. Most enterprises therefore start an IPS in detect-only mode (in Suricata terms, rules with the alert action rather than drop), review what fires, and switch rules to blocking one at a time once the false-positive rate of each is understood.

Deployment modes

Network IPS sits at the perimeter or between trust zones and inspects all traffic crossing that boundary. Common implementations include the IPS features of Palo Alto Networks, Cisco Firepower and Fortinet firewalls, plus open-source Suricata running in inline (IPS) mode, which on Linux is fed through NFQUEUE or an AF_PACKET copy between two interfaces.

Host IPS runs on individual systems (often as part of an EDR agent) and can block process behaviour, file changes, and outbound network connections.

Wireless IPS monitors radio frequency activity and can take action against rogue access points, deauthentication attacks, and other Layer 2 wireless threats.

Detection methods

Like an IDS, an IPS uses a combination of signature, anomaly and behavioural detection. Modern systems also consume threat-intelligence feeds so that newly published indicators (IP addresses, domains, file hashes of objects reconstructed from the stream) are blocked automatically; the quality of the feed then directly determines the false-positive rate. Encrypted traffic is a recurring challenge: an IPS that cannot decrypt TLS sees only cleartext metadata such as the SNI hostname in the ClientHello, the certificate chain (itself encrypted in TLS 1.3) and the JA3 fingerprint of the client. It can still block on those, but payload signatures are useless unless the IPS terminates TLS itself or receives decrypted traffic from an inspection proxy, which in turn needs its own CA trusted by every client.
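The following is an added example, not code from the original page or from any IPS product, showing what "metadata only" means in practice: it parses the cleartext SNI out of a TLS ClientHello and matches it against a domain feed, so the flow can be dropped before any encrypted application data is exchanged. The ClientHello bytes, the blocklist and the function names (build_client_hello, extract_sni, decide) are all constructed here for illustration; the record layout follows RFC 5246/6066 but carries no real client fingerprint.

```python
"""What a non-decrypting IPS can see in TLS: the ClientHello SNI.

The handshake is in the clear up to the ClientHello, so a metadata-only
IPS can still match the requested hostname against a domain feed. It
gets nothing if the client omits SNI or uses Encrypted Client Hello,
and it never sees the application data inside the session.
"""
import struct


def build_client_hello(sni=None, cipher_suites=(0x1301, 0x1302)):
    """Constructed minimal TLS record carrying a ClientHello (test input only)."""
    exts = b""
    # supported_versions (0x002b) goes first so the parser must skip a non-SNI extension
    sv = b"\x02\x03\x04"
    exts += struct.pack("!HH", 0x002B, len(sv)) + sv
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u8(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos]


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent.

    Returns None for non-handshake records and for ClientHellos without SNI;
    raises ValueError if the record claims to be a ClientHello but is truncated.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # client_version + random
    pos += 1 + _u8(body, pos)                         # session_id
    pos += 2 + _u16(body, pos)                        # cipher_suites
    pos += 1 + _u8(body, pos)                         # compression_methods
    if pos == len(body):
        return None                                   # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        data = body[pos:pos + elen]
        if len(data) < elen:
            raise ValueError("truncated extension")
        pos += elen
        if etype != 0x0000:                           # only server_name interests us
            continue
        list_end = 2 + _u16(data, 0)
        p = 2
        while p + 3 <= list_end:
            ntype, nlen = _u8(data, p), _u16(data, p + 1)
            p += 3
            if ntype == 0:
                return data[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


def host_blocked(host, blocklist):
    """Exact or parent-domain match, the way a domain feed is normally applied."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def decide(record, blocklist):
    """IPS verdict on one record: 'drop', 'pass', 'no-sni' or 'malformed'."""
    try:
        sni = extract_sni(record)
    except ValueError:
        return "malformed"
    if sni is None:
        return "no-sni"
    return "drop" if host_blocked(sni, blocklist) else "pass"


if __name__ == "__main__":
    feed = {"evil.example", "c2.example.net"}           # constructed indicator feed
    for host in ("www.evil.example", "notevil.example", None):
        print(host, "->", decide(build_client_hello(host), feed))
```

The two non-verdicts are the interesting part for an inline device: "no-sni" and "malformed" carry no hostname to match, so whether such flows are allowed, logged or blocked is a policy decision that has to be made explicitly rather than left to whatever the parser happens to return.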

Operational considerations

Aggressive blocking on a poorly tuned IPS causes outages and erodes trust in the control. Best practice is to enable blocking gradually, monitor for false positives, document every exception with its reason and owner, and feed the IPS logs into central monitoring so that each block decision can be reviewed. Performance sizing also matters: an undersized IPS becomes a bottleneck during traffic spikes, and many products can be configured to pass traffic uninspected rather than drop it under overload, which quietly turns the IPS into an IDS. Because the device is inline, decide up front whether it fails open (traffic passes uninspected when the IPS dies) or fails closed (traffic stops); bypass NICs and high-availability pairs exist precisely for this choice.
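The detect-first, block-later rollout described under "IPS versus IDS" and in this section, as an added example that is not code from the original page or from the Suricata project: it counts detect-only hits per signature from eve.json, shows which sources are responsible, and rewrites only analyst-approved signatures from alert to drop, writing each documented exception into the ruleset next to the rule it covers. The rules, the eve.json records and the SID numbers are constructed for illustration; the rule syntax and the eve.json alert fields are Suricata's, but nothing here is a vendor ruleset.

```python
"""Detect-first, block-later rollout of Suricata signatures.

Every signature starts as 'alert'. Hits in eve.json are counted per SID,
an analyst reviews them, and only SIDs confirmed as true positives are
rewritten to 'drop'. SIDs with a documented exception stay in alert mode
with the reason recorded as a comment beside the rule.
"""
import json
import re
from collections import Counter

# Constructed sample ruleset in Suricata syntax (not a vendor ruleset).
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection burst"; flow:to_server; flags:S; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-recon; sid:1000001; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Known C2 host header"; flow:established,to_server; http.host; content:"c2.evil.example"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Self-signed certificate outbound"; flow:established,to_client; tls.cert_issuer; content:"CN=localhost"; classtype:policy-violation; sid:1000003; rev:1;)
pass ip 10.0.0.5 any -> any any (msg:"LOCAL Authorised vulnerability scanner"; sid:1000100; rev:1;)
"""


def _eve_alert(ts, src, dst, sid, rev, sig):
    """One constructed eve.json alert record as a detect-only Suricata logs it."""
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "proto": "TCP",
        "alert": {"action": "allowed", "gid": 1, "signature_id": sid, "rev": rev,
                  "signature": sig, "category": "", "severity": 2},
    })


# Constructed log lines: three SSH-burst hits from one scanner, one C2 hit, one flow record.
EVE_LINES = [
    _eve_alert("2024-05-01T10:00:01.000000+0000", "10.0.0.5", "10.1.2.3", 1000001, 2, "LOCAL SSH connection burst"),
    _eve_alert("2024-05-01T10:00:07.000000+0000", "10.0.0.5", "10.1.2.4", 1000001, 2, "LOCAL SSH connection burst"),
    json.dumps({"timestamp": "2024-05-01T10:00:09.000000+0000", "event_type": "flow",
                "src_ip": "10.1.2.3", "dest_ip": "10.1.2.4"}),
    _eve_alert("2024-05-01T10:00:12.000000+0000", "10.0.0.5", "10.1.2.5", 1000001, 2, "LOCAL SSH connection burst"),
    _eve_alert("2024-05-01T10:03:44.000000+0000", "10.1.2.9", "203.0.113.7", 1000002, 1, "LOCAL Known C2 host header"),
]

ALERT_RE = re.compile(r"^alert\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(rule):
    """SID of a rule line, or None if it has none (comments, blank lines)."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None


def count_hits(eve_lines):
    """Alert count per signature_id; other event types are ignored."""
    hits = Counter()
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            hits[ev["alert"]["signature_id"]] += 1
    return hits


def top_sources(eve_lines, sid):
    """Which sources trigger a SID: the first question when judging a false positive."""
    srcs = Counter()
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert" and ev["alert"]["signature_id"] == sid:
            srcs[ev["src_ip"]] += 1
    return srcs


def promote(rules_text, approved, exceptions):
    """Rewrite approved alert rules to drop, annotate exceptions, leave the rest alone.

    approved   -- set of SIDs an analyst confirmed as true positives
    exceptions -- {sid: reason} for SIDs deliberately kept in alert mode
    Returns (new_rules_text, list_of_promoted_sids). Only 'alert' rules are
    promoted; 'pass' rules are allow-lists and are never turned into 'drop',
    and an exception wins over an approval for the same SID.
    """
    out, promoted = [], []
    for line in rules_text.splitlines():
        rule = line.strip()
        sid = rule_sid(rule) if rule and not rule.startswith("#") else None
        if sid in exceptions:
            out.append(f"# EXCEPTION sid:{sid} stays in alert mode: {exceptions[sid]}")
            out.append(line)
        elif sid in approved and ALERT_RE.match(rule):
            out.append(ALERT_RE.sub("drop ", rule, count=1))
            promoted.append(sid)
        else:
            out.append(line)
    return "\n".join(out) + "\n", promoted


if __name__ == "__main__":
    hits = count_hits(EVE_LINES)
    for sid, n in hits.most_common():
        print(f"sid {sid}: {n} hits from {dict(top_sources(EVE_LINES, sid))}")
    new_rules, promoted = promote(
        RULES, approved={1000002},
        exceptions={1000001: "noise from authorised scanner 10.0.0.5, ticket SEC-123"})
    print("promoted to drop:", promoted)
    print(new_rules)
```

Run against a real eve.json the hit counts are what drive the conversation with the rule's owner; the promote step is deliberately driven by an explicit approved set rather than by hit counts, because a signature that fires often is as likely to be noisy as it is to be catching something real.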

Related terms

See also: intrusion detection system (IDS), firewall, and port scanning.
