IPS (intrusion-prevention system)

An intrusion-prevention system (IPS) is an inline security device that performs deep-packet inspection to identify and block malicious traffic. IPSs are considered an improvement over intrusion-detection systems (IDS), which are passive devices that simply identify an attack but take no action to block it.

IPSs are designed to respond in real time to attacks by dropping packets deemed malicious. IPSs are designed to block application-layer attacks, all the way up to Layer 7.

BlackICE from NetworkICE is considered the first commercial IPS. It was launched in 1998. NetworkICE was purchased in 2000 by Internet Security Systems, which is now part of IBM.

IPS devices protect networks in a variety of ways. First, IPSs look for signatures of known viruses and worms, and block that traffic when an attack is identified.

IPSs also have a rate-limiting feature that allows a network administrator to set a threshold of traffic that is allowed to pass at any one time. This technique thwarts distributed denial-of-service attacks, in which an attacker floods the network with otherwise legitimate traffic.

IPS devices also use behavior analysis to build a baseline of normal network activity and to raise alerts when abnormal behavior is occurring on the network. Most IPS devices offer all three types of protection.

Additional resources

Network IPS Buyer's Guide
Detailed specs on IPS products.

Network World Security Research Center.