What is inserted into a network segment so that the traffic it is monitoring must pass through the sensor?

Expert Karen Scarfone explores intrusion prevention systems and their acquisition, deployment and management within the enterprise.

Network intrusion prevention systems (IPSes) monitor and analyze an organization's network traffic to identify malicious activity and -- optionally -- stop that activity by dropping and/or blocking the associated network connections. IPSes have been used for many years at key network locations, such as in close proximity to firewalls, to identify a variety of network-based attacks that other security technologies are unable to detect.

The predecessors of network intrusion prevention systems, intrusion detection systems (IDSes), provide the same types of functionality, except that an IDS cannot stop malicious activity. Most early network intrusion prevention systems used signature-based detection techniques that could, for example, identify communications from a particular worm based on known sequences of bytes unique to that worm. Network intrusion prevention systems have since evolved to use a variety of more sophisticated detection techniques that allow them to understand the intricacies of application protocols and communications, so they can detect application-based attacks as well as attacks at other layers of the network stack.

There are many network intrusion prevention systems available today, and they come in three forms: dedicated hardware and software products (including their virtual appliance counterparts), IPS modules within other enterprise security products such as next-generation firewalls, and cloud-based IPS services. This article focuses on the first form: IPSes provided as dedicated hardware and software products to be deployed directly onto an organization's networks, as well as their virtual appliance counterparts for deployment onto virtual networks inside servers.

The architecture of network intrusion prevention systems

At the heart of an intrusion prevention system deployment is one or more sensors. Each sensor is strategically positioned to monitor traffic for particular network segments. Organizations used to deploy a sensor for each network segment, but now a single sensor can monitor several network segments simultaneously. In order to monitor key network segments throughout an organization, IPS sensors are often deployed wherever networks with different security policies connect, such as Internet connection points, or where internal user networks connect to internal server networks.

In addition to hardware appliance sensors, some vendors also offer virtual appliance sensors. These have the same monitoring and analysis capabilities as hardware appliance sensors, but the virtual appliance is designed for deployment within a server that runs virtual machines (VMs) to monitor the virtual networks between those VMs. In such an architecture, a virtual appliance on the server is necessary because network traffic between VMs will not travel outside the server.

Another important aspect of IPS architecture is management. Network intrusion prevention system vendors typically offer a centralized management console that can be used to monitor, configure and maintain all of the IPS sensors, both hardware and virtual. Many organizations also configure their IPS products so that alert data from the sensors is forwarded to security information and event management (SIEM) products or other enterprise security controls for further analysis and for use in incident handling. This often eliminates the need for a dedicated database or other long-term storage for IPS logs.

The biggest problem that IPS architectures face is the use of encryption to protect network traffic. Encryption hides the payload of a connection from the sensor: the sensor can still see addresses, ports and connection metadata, but it cannot analyze the application content, and so cannot detect attacks carried inside the encrypted traffic. Organizations increasingly deploy IPS sensors at points on the network where traffic is unencrypted, such as just after a virtual private network server decrypts incoming traffic.

Typical environments for network intrusion prevention systems

Network intrusion prevention systems in general are helpful in nearly every environment because they can detect and stop certain types of attacks that other security controls cannot. For example, most IPSes can interpret and analyze hundreds, if not thousands, of application protocols; this enables them to detect application-based attacks in more than just email and Web traffic, which are the applications most frequently covered by other security controls.

However, the intrusion prevention products in scope for this article -- dedicated hardware and software -- are best suited for medium and large-sized organizations. This is due in part to the higher cost of dedicated IPS hardware and software when compared to other IPS forms, and to the increased performance and load splitting achievable through dedicated hardware and software.

The main reason for the low adoption of dedicated IPS hardware and software by small organizations is the availability of IPS modules for other enterprise security technologies such as next-generation firewalls (NGFWs). Using such modules generally involves lower acquisition and deployment costs because there is no need for additional hardware; long-term management and maintenance is also less expensive because the IPS is managed as part of the NGFW. A small organization with ample resources may certainly choose to use a dedicated IPS product for performance, redundancy or other reasons. Small organizations are also increasingly adopting cloud-based IPS services, which may take care of the IPS monitoring and management on behalf of the organization.

The costs of adopting, deploying and managing IPSes

Even though hardware appliance and virtual appliance intrusion prevention products have nearly identical capabilities, there are major differences in the costs of adopting and deploying them.

Adoption costs for a hardware appliance-based intrusion prevention product are often considerable. Most enterprises need numerous sensor appliances to monitor key spots on perimeter and internal networks, and each appliance may have a hefty price tag. Actual IPS deployment costs are not that large, but organizations may need to schedule network outages to physically insert IPS sensors into traffic flows and reconfigure the network infrastructure to use them.

Virtual appliances have significantly lower adoption and deployment costs than hardware appliances. No hardware is required, so all that is needed is software licenses and the installation of that software on the organization's virtualization servers.

In terms of IPS management, although IPS technologies are designed to be as fully automated as possible, organizations can expect to devote considerable resources to customizing and tuning each IPS sensor. IPS technologies rely on a combination of detection techniques, and none of these techniques is foolproof. IPSes are notorious for producing false positives (benign activity mistakenly identified as malicious). This has improved markedly over the years, but it still happens, so IPS administrators must be vigilant in reviewing IPS alerts and tuning detection capabilities to minimize the number of false positives. This is particularly important if an organization is using the prevention capabilities of an IPS, because a false positive then causes benign traffic to be blocked.
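As an added example (not from the article and not any IPS vendor's code), the following Python script shows the two management tasks described above: normalizing raw sensor alerts into flat records suitable for forwarding to a SIEM, and tuning out false positives before they reach analysts. The alert lines are constructed for this example in the layout of Suricata's EVE JSON log; the signature IDs, messages and addresses are made up. The suppress and threshold logic is a simplified reimplementation of the semantics of Suricata's threshold.config (`suppress`, and `threshold type limit`), written here for illustration rather than taken from Suricata.

```python
import json
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # timestamp layout used in Suricata EVE JSON


def _eve_line(ts, src, dst, sid=None, msg=None, severity=3, event_type="alert"):
    """Build one constructed EVE-style JSON line (sample data for this example, not a real capture)."""
    rec = {"timestamp": ts, "event_type": event_type, "src_ip": src, "src_port": 40000,
           "dest_ip": dst, "dest_port": 80, "proto": "TCP"}
    if event_type == "alert":
        rec["alert"] = {"action": "allowed", "gid": 1, "signature_id": sid, "rev": 1,
                        "signature": msg, "category": "Example", "severity": severity}
    return json.dumps(rec)


# Constructed sample stream: signature IDs, messages and addresses are made up.
SCAN_MSG = "EXAMPLE SCAN vulnerability scanner user-agent"
DNS_MSG = "EXAMPLE POLICY long DNS TXT query"
SAMPLE_EVE_LINES = [
    # The authorized internal scanner (10.0.0.5) trips a scan signature on every target: benign, suppress by source.
    _eve_line("2015-10-01T12:00:00.000000+0000", "10.0.0.5", "192.0.2.10", 1000001, SCAN_MSG),
    _eve_line("2015-10-01T12:00:01.000000+0000", "10.0.0.5", "192.0.2.11", 1000001, SCAN_MSG),
    _eve_line("2015-10-01T12:00:02.000000+0000", "10.0.0.5", "192.0.2.12", 1000001, SCAN_MSG),
    # A chatty policy signature from one host at t = 0, 10, 20, 30 and 70 s: worth seeing, not five times a minute.
    _eve_line("2015-10-01T12:00:00.000000+0000", "10.0.0.9", "192.0.2.53", 1000002, DNS_MSG),
    _eve_line("2015-10-01T12:00:10.000000+0000", "10.0.0.9", "192.0.2.53", 1000002, DNS_MSG),
    _eve_line("2015-10-01T12:00:20.000000+0000", "10.0.0.9", "192.0.2.53", 1000002, DNS_MSG),
    _eve_line("2015-10-01T12:00:30.000000+0000", "10.0.0.9", "192.0.2.53", 1000002, DNS_MSG),
    _eve_line("2015-10-01T12:01:10.000000+0000", "10.0.0.9", "192.0.2.53", 1000002, DNS_MSG),
    # An exploit attempt from outside: no tuning applies, it must reach the SIEM.
    _eve_line("2015-10-01T12:00:05.000000+0000", "203.0.113.7", "192.0.2.10", 1000003,
              "EXAMPLE EXPLOIT HTTP header overflow attempt", severity=1),
    # A non-alert EVE record (flow log) that the normalizer must skip.
    _eve_line("2015-10-01T12:00:06.000000+0000", "10.0.0.9", "192.0.2.53", event_type="flow"),
]


def parse_eve_alert(line):
    """Normalize one EVE JSON line into a flat SIEM-style record; return None for non-alert events."""
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    return {
        "ts": datetime.strptime(ev["timestamp"], TS_FMT),
        "src_ip": ev["src_ip"], "dest_ip": ev["dest_ip"], "proto": ev["proto"],
        "sid": a["signature_id"], "signature": a["signature"],
        "severity": a["severity"], "action": a["action"],
    }


def apply_tuning(records, suppress, thresholds):
    """Drop suppressed alerts, then rate-limit per (sid, src_ip) like Suricata's 'threshold type limit'.

    suppress:   list of (sid, src_ip or None); None suppresses the sid for every source.
    thresholds: {sid: (count, seconds)}: keep only the first `count` alerts per source in each window,
                where a window starts at the first alert seen after the previous window expired.
    """
    windows = {}  # (sid, src_ip) -> (window_start, alerts_seen_in_window)
    kept = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if any(sid == r["sid"] and ip in (None, r["src_ip"]) for sid, ip in suppress):
            continue
        if r["sid"] in thresholds:
            count, seconds = thresholds[r["sid"]]
            key = (r["sid"], r["src_ip"])
            start, seen = windows.get(key, (None, 0))
            if start is None or (r["ts"] - start).total_seconds() >= seconds:
                start, seen = r["ts"], 0  # a new window begins with this alert
            seen += 1
            windows[key] = (start, seen)
            if seen > count:
                continue
        kept.append(r)
    return kept


SUPPRESS = [(1000001, "10.0.0.5")]  # the authorized internal scanner
THRESHOLDS = {1000002: (2, 60)}     # at most 2 alerts per source per 60 s


def tuned_alerts(lines=SAMPLE_EVE_LINES, suppress=SUPPRESS, thresholds=THRESHOLDS):
    """Parse the raw lines, drop non-alerts, and return the alerts that survive tuning."""
    records = [r for r in map(parse_eve_alert, lines) if r is not None]
    return apply_tuning(records, suppress, thresholds)


if __name__ == "__main__":
    for r in tuned_alerts():
        print(r["ts"].isoformat(), r["src_ip"], "->", r["dest_ip"], r["sid"], r["signature"])
```

Of the nine alerts in the constructed stream, four survive: the scanner's three are suppressed outright, the chatty signature is cut from five to three (two in the first minute, then one when a new window opens), and the single exploit alert passes untouched. Suppress rules keyed on a specific source are preferable to disabling a signature globally, because the same signature firing from an unexpected host is exactly what an analyst wants to see.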

Managing network intrusion prevention systems

The purpose of network intrusion prevention products is to identify and stop malicious activity within communications on an organization's networks. IPSes come in three forms, and this article focuses on one of those forms: IPS provided through dedicated hardware and software, either hardware appliances or virtual appliances. These two types of appliances perform nearly identical functions, but they differ significantly in terms of architecture and in the costs of adoption and deployment. Also, although intrusion prevention products can benefit nearly any organization, IPS provided through hardware or virtual appliances is most commonly used by medium and large-sized organizations. Smaller organizations tend to acquire IPS capabilities through modules in NGFWs or cloud-based IPS services.

Organizations considering the use of hardware appliance-based IPS products should carefully evaluate the likely costs of their acquisition, deployment and especially management. Although modern technologies from today's IPS vendors are as automated as possible, considerable effort is still required to monitor and investigate IPS alerts, tune IPS detection capabilities and ensure the IPS is looking for the latest threats. And the more effort the organization puts in to managing its IPS sensors, the more value the organization is going to get from them.

Next Steps

Find out if your company needs intrusion prevention or intrusion detection, or both.

How do intrusion prevention systems do against attacks using evasion techniques?

Here's how to reduce the number of false positives from intrusion prevention systems.

This was last published in October 2015


What is a network sensor in an IDS?

NIDS sensors scan network packets at the router or host level, auditing the packets and logging any suspicious ones to a log file. (The source this answer is drawn from illustrates an NIDS in its Fig. e16.2, which is not reproduced here.) The packets are captured by a sniffer program that is part of the IDS software package.

What is the best option for monitoring traffic passing from host to host on the same switch?

Traffic between two hosts on the same switch never leaves the switch, so a sensor on an uplink will not see it. The practical option is a SPAN (switched port analyzer) or mirror port: the switch is configured to copy the traffic of the ports of interest to the port where the sensor is attached.

What monitors the characteristics of a single host and the events occurring within that host for suspicious activity?

A host-based intrusion prevention system (HIPS). Definition: a program that monitors the characteristics of a single host and the events occurring within that host to identify and stop suspicious activity. A host-based IDS does the same monitoring without the ability to stop the activity.

What is the difference between an inline IDS and a passive IDS?

An inline sensor is inserted into the traffic path so that the traffic it monitors must pass through it; the primary motivation for deploying sensors inline is to stop attacks by blocking traffic. A passive sensor monitors a copy of the actual traffic, delivered by a SPAN port or a network tap, so no traffic passes through the sensor and it can only alert. Because every packet traverses an inline sensor, the sensor is also a potential point of failure and a source of added latency; inline appliances therefore typically offer a fail-open (bypass) or fail-closed behavior for when the sensor stops processing, and that choice should be made deliberately rather than left at the default.
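The inline-versus-passive distinction, and the operational caveat that comes with inline deployment, as an added example that is not part of the original page. The toy sensor below holds two constructed signatures and runs the same packet stream through a passive sensor (which sees a copy and can only alert) and an inline sensor (which can drop). The oversized packet and the `MAX_INSPECT` limit are an assumption standing in for any condition that takes the analyzer down, used to show the fail-open versus fail-closed choice; the opaque payload to port 443 is constructed bytes, not real TLS, included to show that the same attack inside an encrypted connection produces no match.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures: (sid, message, destination port, byte pattern). Not real rule content.
SIGNATURES = [
    (1000010, "EXAMPLE WEB-ATTACKS /etc/passwd directory traversal", 80, b"../../etc/passwd"),
    (1000011, "EXAMPLE WEB-ATTACKS SQL injection UNION SELECT", 80, b"UNION SELECT"),
]

# Assumption for the example: payloads above this size make the toy analyzer fail,
# standing in for any sensor crash or overload condition.
MAX_INSPECT = 1500


class SensorFailure(Exception):
    """The analyzer could not process a packet (simulated sensor outage)."""


def inspect(pkt):
    """Return the (sid, message) pairs whose port and byte pattern match the packet."""
    if len(pkt.payload) > MAX_INSPECT:
        raise SensorFailure(f"payload of {len(pkt.payload)} bytes exceeds analyzer capacity")
    return [(sid, msg) for sid, msg, port, pattern in SIGNATURES
            if port == pkt.dport and pattern in pkt.payload]


def passive_sensor(packets):
    """Sensor fed from a SPAN port or tap: it inspects a copy and can only alert.

    Returns (delivered, alerts). Every packet is delivered because the sensor is not in the
    path; a sensor failure is only a monitoring gap.
    """
    alerts = []
    for pkt in packets:
        try:
            alerts.extend((sid, msg, pkt.src) for sid, msg in inspect(pkt))
        except SensorFailure:
            pass  # the network keeps forwarding whether or not the sensor is up
    return list(packets), alerts


def inline_sensor(packets, fail_open=True):
    """Sensor placed in the traffic path: packets that match a signature are dropped.

    Returns (delivered, alerts). On a sensor failure, fail_open=True bypasses inspection and
    forwards the packet (availability first); fail_open=False drops it (inspection first).
    """
    delivered, alerts = [], []
    for pkt in packets:
        try:
            hits = inspect(pkt)
        except SensorFailure:
            if fail_open:
                delivered.append(pkt)
            continue
        if hits:
            alerts.extend((sid, msg, pkt.src) for sid, msg in hits)
        else:
            delivered.append(pkt)
    return delivered, alerts


# Constructed packet stream.
SAMPLE_PACKETS = [
    Packet("10.0.0.21", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.8", "192.0.2.10", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n\r\n"),
    # The same injection carried inside TLS: the sensor sees only opaque bytes (constructed, not real TLS).
    Packet("203.0.113.8", "192.0.2.10", 443, bytes(range(23, 23 + 64))),
    # Oversized payload that takes the toy analyzer down.
    Packet("198.51.100.4", "192.0.2.10", 80, b"A" * (MAX_INSPECT + 1)),
]


def compare_modes(packets=SAMPLE_PACKETS):
    """Run the same stream through each mode; returns {mode: (delivered_count, alert_count)}."""
    modes = (("passive", passive_sensor),
             ("inline fail-open", lambda p: inline_sensor(p, fail_open=True)),
             ("inline fail-closed", lambda p: inline_sensor(p, fail_open=False)))
    results = {}
    for name, run in modes:
        delivered, alerts = run(packets)
        results[name] = (len(delivered), len(alerts))
    return results


if __name__ == "__main__":
    for mode, (n_delivered, n_alerts) in compare_modes().items():
        print(f"{mode:20s} delivered {n_delivered}/{len(SAMPLE_PACKETS)} packets, {n_alerts} alerts")
```

All three modes raise the same two alerts, but only the inline modes change what reaches the server: the traversal and injection packets are dropped, and the fail-open setting decides whether the packet the analyzer could not handle is forwarded uninspected or lost. The encrypted packet passes in every mode, which is the gap the architecture section describes.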