What is an intrusion detection and prevention system (IDPS)?

An intrusion detection and prevention system (IDPS) is a solution that monitors a network for threats and then takes action to stop any threats that are detected.

An IDPS is closely related to an intrusion detection system (IDS). While both systems detect threats and send alerts about them, an IDPS also attempts to remediate those threats.

An IDPS is sometimes called an intrusion prevention system (IPS). The terms IDPS and IPS are mostly used interchangeably, but when someone mentions an IPS they are often referring to the threat hunting function of an IDPS.

An IDPS works in several different ways depending on the vendor, the chosen deployment method, and the needs of the organization deploying it.

Types of IDPS

Network-based IDPS

Network-based IDPS (NIPS) is a type of IDPS installed at specific points within a network to monitor all of that network’s traffic and scan for threats. The NIPS often does this by analyzing activity and matching it against a database of known attacks configured manually by a security expert. If the activity matches a known threat in the database, it isn’t allowed to proceed through the network. A NIPS is often deployed at the boundaries of networks, such as in routers or modems, behind firewalls, and at network remote access points.

There are 2 subcategories of NIPS:

• Wireless intrusion prevention systems (WIPS) monitor wireless networks for the presence of rouge access points and unrecognized devices by analyzing the network's radio frequencies. WIPS are deployed in wireless networks and in places that are vulnerable to unauthorized wireless access.
• Network behavior analysis (NBA) systems check network traffic for unusual patterns of activity. For example, in a distributed denial of service attack (DDOS), thousands of requests are sent to the network to overwhelm it. Any of these requests alone might look valid, but together illustrate a problem. NBA systems often reinforce a more standard NIPS in an organization’s internal networks.

Host-based IDPS

Host-based IDPS (HIPS) are deployed on a single host—often a key server with critical data—or public servers that are gateways to an organization’s internal network. A HIPS specifically monitors traffic flow on its host system. HIPS are generally set to detect host operating system activity and internet protocol suite (TCP/IP) activity.

Detection methods

Once in place, an IDPS uses a variety of techniques to identify threats. Theses techniques broadly fall into 3 categories:

• Signature-based threat detection matches monitored activity to a database filled with signatures—a unique pattern or identifier—of previously identified threats. While this method is good at detecting well-known threats, novel threats will go undetected.
• Anomaly-based threat detection matches a random selection of network activity against a baseline standard of network activity. If the random selection is different enough from the baseline, then the threat triggers action. While this detection method captures novel threats, it also creates more false positives than signature-based threat detection. Anomaly-based threat detection is the aspect of IDPS that is most enhanced by advancements in artificial intelligence and machine learning algorithms.
• Protocol-based (or policy-based) threat detection is similar to signature-based threat detection, but it uses a database of specific protocols defined by the organization and blocks any activity violates those protocols. The protocols must be manually configured by a security expert.

Prevention actions

Once the IDPS detects a perceived threat, it can take several courses of action—depending on how it’s set up and the type of threat detected. Common preventative actions against attacks are to:

• Alert administrators. In this most basic type of response, the IDPS alerts human security administrators, much like an intrusion detection system would. Alerts like this are created when an automatic action might not be appropriate, or when the system is unsure if there is a false positive.
• Employ banishment vigilance. When the IDPS takes this action, it stops incidents before they have a chance to occur by blocking traffic or flagged users from a threatening IP address. A common example is blocking an IP address that has failed a password check too many times.
• Change the security environment. Similar to banishment vigilance, this technique has the IDPS change the security setup of the network to prevent the threat from gaining access. An example of this response would be reconfiguring a firewall.
• Modify the attack content. This technique involves automatically altering the content of the attack. For example, if a suspicious email is flagged, the IDPS would remove any aspect of the email that might contain content malicious to the network, such as email attachments.

An IDPS can be a useful tool for both your enterprise security teams and the wider organization. An IDPS can help you:

• Scan activity and respond to threats without human intervention. Although complex threats often require human intervention, an IDPS enables methodical and rapid response to simpler threats, and it can flag complex threats for human intervention more rapidly. As a result, security teams can respond to threats before they do damage, and they are able to handle increasing numbers of threats.
• Find threats that might slip through. An IDPS—especially if it’s using anomaly-based detection—can flag threats that human security experts might miss.
• Enforce user and security policies continuously. The rule-based nature of an IDPS means that threat detection is applied in a consistent way.
• Meet compliance requirements. The use of an IDPS means that fewer humans have to interact with private data—which is a regulatory requirement in many industries.

Red Hat® Ansible® Automation Platform uses playbooks, local directory services, consolidated logs, and external apps to automate security solutions and empower IT security teams to respond to threats in a coordinated, unified way.

Security teams can use Ansible Automation Platform to orchestrate several different enterprise security solutions—including enterprise firewalls, security information and events management (SIEM) systems, IDPS, and privileged access management (PAM) solutions—and connect these disparate tools into a unified security apparatus.

Why use Ansible Automation Platform with an IDS or IDPS?

Ansible Automation Platform helps organizations automate their security solutions, acting as a central hub for integrating various security technologies. Using Ansible Playbooks, it allows outputs from one security tool to be automatically read by another. Multiple security tools talking to each other is a core component in threat hunting—a central function of an IDPS. With Ansible Automation Platform, your organization can:

• Deploy new IDPS rules in a dynamic and flexible way, followed by automated configuration between the new IDPS rule and its attendant SIEM.
• Facilitate signature management, allowing automatic updates to be integrated with an IDPS using signatures sourced from security bulletins.
• Correlate searches and event automation within SIEM systems. This enables analysts to generate new alerts based on actions or changes executed on other security devices.

Ansible Automation Platform can connect security solutions to the rest of your organization’s infrastructure and network. This means that different security solutions can be automated and integrated to respond to threats across your enterprise in a coordinated, unified way—using a curated collection of modules, roles, and playbooks.

Your teams can also take advantage of trusted certified content collections, which are certified by Red Hat and our partners. With access to hundreds of modules that help users automate all aspects of IT environments and management processes, Ansible Automation Platform can help your security teams work collaboratively to better protect complex security perimeters.