Intrusion Prevention System IPS vs Firewall

By Garry Hamilton

Learn the difference between IPS and firewall with our IPS vs firewall comparison. Intrusion Prevention System IPS is one of network security’s most crucial requirements today. The industry of network security can be considered as one of the most rapidly growing technologies among the different network technologies. We can observe this growth by the different types of network security defense methodologies and their related devices. So, in this IPS firewall comparison, we will discuss a very popular device among those devices. This is the Intrusion Prevention System IPS. As the name implies, a system is a more accurate name than a device!

What is a Prevention System IPS?

There are a lot of different definitions for the Intrusion Prevention System IPS technology. Among those different definitions, we like the one provided by PaloAlto networks, which defines the Intrusion Prevention System IPS as:

Intrusion Prevention System IPS is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. Vulnerability exploits usually come in the form of malicious inputs to a target application or service that attackers use to interrupt and gain control of an application or machine. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially access all the rights and permissions available to the compromised application.

Prevention System IPS Deployment

Prevention System IPS Deployment

As threats continue to evolve in speed and sophistication, network security departments need effective and comprehensive security systems that meet the security and performance requirements of their networks. And for us as workers in the network security field, the word network security immediately rings the bell of one technology - the Firewalls. This technology is considered the main building block of the security wall required to secure the network. Despite the fact that Firewalls, especially Next Generation Firewalls NGFWs, do have a decent list of features as we discussed before in our previous blog post - Next Generation Firewall - Why Do We Need It.

Intrusion Prevention Systems do have a different flavor than Firewalls. We will contrast the differences in this blog post.

How Does an Intrusion Prevention System Differ from a Firewall?

Firewalls (both traditional and Next Generation Firewalls NGFW) are considered the first line of defense against the different malicious attacks, doing the filtering based on different attributes of the traffic. Those attributes can be limited to information contained in the Layer 3 and 4 of the IP header and can be extended up to the information found at layer 7. Depending on the generation of the Firewall, it can even go beyond that to inspect the payload. But once the packet passed the firewall into the trusted network undetected, maybe riding on top of another legitimate protocol like HTTP, the malicious content inside that packet may get the freedom required to fulfill its malicious goals. Here comes the role of the Intrusion Prevention System IPS to add those extra features to the ones offered by Firewalls:

1. Signature-based detection: Intrusion Prevention System IPS does contain a large database with signatures for the different known attacks. Those signatures have been collected over the years using previously known attacks. The database is updated frequently to keep the signature database up to date as much as possible. Actually, the richer and the more frequently updated database can be an important indicator of the strength of the Intrusion Prevention System vendor.

2. Anomaly-based detection: unlike firewalls, which are static in their nature, Intrusion Prevention Systems can monitor the network in which they are deployed in. They can collect information about it to build a baseline for traffic considered as normal. This is called the Normal Behavior of the network. The information is collected considering both the types and the quantities of the different traffic in the network using complex mathematical statistics. After this Normal Behavior baseline is built and calculated (which may take hours or days, depending on the network size and activity), any change to this behavior may be considered as suspicious. Further investigations are triggered to discover any ongoing attacks if any.

Signature-Based Detection

Signature-Based Detection

3. Rule-based detection: Intrusion Prevention Systems can build very advanced and clever rules to detect different attacks and malicious traffic. They offer the network security engineers not only to use strict matches (yes or no logic) but also more versatile rules are allowed (maybe, probably logic). This flexibility offers the administrators to build very granular and robust rules to detect the different types of attacks, including Denial of Service and Distributed Denial of Service attacks.



4. Visibility: Intrusion Prevention Systems do have a deeper visibility inside the different payloads. With their wider protocol support, they can discover more attacks and malicious traffic, even when it is riding on top of different protocols.

Intrusion Prevention System IPS Visibility

Intrusion Prevention System IPS Visibility

If the above features didn’t catch your attention, let’s enhance the list with more features offered by Next Generation Intrusion Prevention Systems NGIPS.

Next Generation Intrusion Prevention System NGIPS Features

5. Contextual Awareness (NGIPS): offers a deep knowledge of the protected network in order to better evaluate different events and discover any potential attacks.

6. Content Awareness (NGIPS): offers the ability to identify the contents transported inside the payloads of the passing traffic, thus identifying the different types of files and file’s extensions.

7. Application and User Awareness (NGIPS): the ability to identify the different applications and associate them with the related users allows for a very granular control over the network. It facilitates very accurate decisions about the evaluation of a potential attack, and it even assures a faster, more accurate investigations during an attack.

8. Integration with Sandboxing analysis (NGIPS): gives the Next Generation Intrusion Prevention System the ability to execute malicious files and contents inside a simulation sandbox, thus allowing it to closely and accurately study and monitor its behavior before hitting the real hosts and computers to achieve 100% true malicious content detection.

Considering this really strong list of features, an important question should come to our minds. Since Intrusion Prevention System IPS can control traffic more accurately than Firewalls, should we place them in front of our Firewalls in order to get a better protection?
The answer is no. Intrusion Prevention System IPS applies more checks on the passing traffic. It places them directly in front of untrusted networks (like the internet) that can easily overwhelm the IPS system. This is why the best practice is to place the IPS (either physical appliance or virtual one) behind the firewall. Like this, you will handle the basic filtering. You will also assure that only legitimate traffic (at least appearing to be legitimate) passes to the Intrusion Prevention System for further investigation.

Cisco Intrusion Prevention System

Among the different Intrusion Prevention System options vendors and developers, Cisco is one of the leaders and a major player in this sector. With the leading breach detection capabilities, an amazing time to detection (Cisco has 4.6 hours estimated time to detection, unlike the industry standard of 100 hours!!), and a versatile portfolio, Cisco Intrusion Prevention System is the best on the market. Please visit Network Devices Inc. to explore the different Cisco IPS products. We would be happy to help you choose the right appliance which will provide the highest security levels for your business and keep the hands of hackers away from your precious data.

To get the best protection, check out our Cisco Firepower products.

You can count on 24/7 support, Free CCIE Support, consultancy, configuration, upgrading, network solutions for SMB and big projects. We will easily deliver any item you are looking for because of our $5-10M in-stock inventory and ship orders either same day or the next business day nationwide and worldwide.

Learn why buy Cisco from us and don't hesitate to contact us today for any information you may need.

Older Post Newer Post


Leave a comment

Please note, comments must be approved before they are published

Just added to your wishlist:
My Wishlist
You've just added this product to the cart: