
Enhancing Network Security: Understanding the Range of Attacks Detected by an IPS


Network threats can be complicated. An intrusion prevention system (IPS) monitors network traffic and helps protect it against unauthorized access, malware, exploits, and similar threats. Unlike an intrusion detection system (IDS), which only raises alerts, an IPS sits inline and takes action to block the traffic it flags, which lightens the workload for security teams and security operations centers (SOCs). An IPS can be appliance-based or cloud-native, and it can be network-based (inspecting traffic at a chokepoint for many hosts) or host-based (inspecting traffic and activity on a single machine).

Phishing

Attackers use phishing to trick people into unknowingly providing sensitive information such as passwords and credit card numbers, which is then used for unauthorized access, malware infection, and financial fraud. A phishing attack can arrive through email, SMS, voice, or other electronic communication channels. It can also be combined with an adversary-in-the-middle setup, in which the attacker's site proxies the real login page and captures credentials and session cookies as the victim types them. ML models, and simpler heuristics, can score a message by examining the sender and link domains and their TLS certificates for discrepancies and abnormalities: a recently registered domain, a lookalike of a well-known brand domain, or a free webmail address on a supposedly official message are all red flags. An IPS that inspects packets throughout the network can alert on the connection to the phishing site before credentials are entered or a downloaded payload infects the system. Enabling two-factor authentication on every account that supports it is also essential, since it blunts the attack if the attacker does obtain a password. Note that one-time codes can themselves be relayed through an adversary-in-the-middle proxy, so prefer phishing-resistant methods such as FIDO2 security keys where they are available.
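The domain and certificate heuristics described above, as an added example that is not part of the original article. It scores a message from features an analyzer would already have extracted (display name, sender and link domains, domain registration date, certificate issue date); the brand list, the free-webmail list, the weights and the three sample messages are all assumed and constructed for the example, not taken from any real feed or product.

```python
from dataclasses import dataclass
from datetime import date

# Assumed reference data for the example; a real analyzer would load these from threat feeds.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "dhl": "dhl.com"}


@dataclass
class MessageFacts:
    """Features extracted from the message plus RDAP/TLS lookups (values here are constructed)."""
    display_name: str
    sender_domain: str
    link_domain: str
    link_domain_registered: date   # from an RDAP/WHOIS lookup of the link domain
    cert_valid_from: date          # notBefore of the certificate the link host presents


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction (last two labels); real code should use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def phishing_score(m: MessageFacts, today: date):
    """Return (score, reasons). Weights are assumed; tune them against your own mail corpus."""
    reasons = []
    brand = next((b for b in BRAND_DOMAINS if b in m.display_name.lower()), None)
    sender, link = registrable(m.sender_domain), registrable(m.link_domain)
    if brand:
        official = BRAND_DOMAINS[brand]
        if sender in FREE_WEBMAIL:                       # "DHL" writing from a free webmail account
            reasons.append(("brand-from-free-webmail", 3))
        elif sender != official and edit_distance(sender, official) <= 2:
            reasons.append(("lookalike-sender-domain", 4))
        if link != official and edit_distance(link, official) <= 2:
            reasons.append(("lookalike-link-domain", 4))
    age_days = (today - m.link_domain_registered).days
    if age_days < 30:                                    # freshly registered domain
        reasons.append((f"link-domain-registered-{age_days}d-ago", 3))
    if (today - m.cert_valid_from).days < 7:             # certificate issued days before the campaign
        reasons.append(("certificate-issued-this-week", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def verdict(score: int) -> str:
    return "block" if score >= 8 else "review" if score >= 4 else "allow"


# Constructed sample messages (not real mail).
TODAY = date(2024, 6, 10)
PHISH = MessageFacts("PayPal Support", "paypa1.com", "paypa1.com", date(2024, 6, 1), date(2024, 6, 5))
LEGIT = MessageFacts("PayPal", "paypal.com", "paypal.com", date(1999, 7, 15), date(2024, 1, 1))
WEBMAIL = MessageFacts("DHL Delivery", "gmail.com", "dhl-parcel-track.example",
                       date(2024, 5, 20), date(2024, 5, 20))

if __name__ == "__main__":
    for msg in (PHISH, LEGIT, WEBMAIL):
        score, reasons = phishing_score(msg, TODAY)
        print(msg.display_name, score, verdict(score), reasons)
```

The lookalike check is deliberately limited to a small edit distance; homoglyph attacks using Unicode or punycode need a separate confusable-character mapping, which this example does not attempt.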

Malware

It is essential to understand which attacks an IPS detects. An IPS identifies and thwarts a wide range of threats, including malware, using signature-based detection, which looks for the unique byte patterns or behaviors of known threats. It can then flag and block the underlying malicious behavior, such as ping-of-death attacks (which bombard a target with oversized or malformed ICMP datagrams) or man-in-the-middle exploits (where an attacker intercepts network traffic between two hosts). Anomaly-based detection instead builds a baseline of normal network activity and compares live traffic against it in real time. This method can catch brand-new attacks that evade signature matching, including zero-day exploits: attacks that take advantage of software vulnerabilities before the vendor has had an opportunity to patch them. Anomaly detection is prone to false positives, though, so it needs to be paired with a well-tuned baseline and a firm security policy to reduce the number of benign activities logged as potential threats. Once a threat is detected, an IPS can log the event, notify a pager or console, drop the traffic, and update router, firewall, and server policies to prevent it from recurring.
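The two detection methods side by side, as an added example that is not code from the original article or from any IPS product. It runs a byte-pattern signature check and a per-host rate baseline (mean plus k standard deviations of packets per second) over a constructed packet list, and shows the false-positive trade-off: a tight threshold (k=1) blocks a host that merely had a mild burst, a looser one (k=3) does not. The packet records, signature strings and hosts are all constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample packets, not real captures: (second, src_ip, dst_ip, dst_port, payload).
def _burst(second, src, n, dst="10.0.0.1", port=80, payload=b"GET /index.html"):
    return [(second, src, dst, port, payload) for _ in range(n)]

PACKETS = []
for sec, n in enumerate([4, 5, 6, 5, 4]):      # 10.0.0.5: normal traffic during training seconds 0-4
    PACKETS += _burst(sec, "10.0.0.5", n)
for sec, n in enumerate([2, 3, 2, 3, 2]):      # 10.0.0.7: a quieter host
    PACKETS += _burst(sec, "10.0.0.7", n)
PACKETS += _burst(5, "10.0.0.5", 40)           # sudden 8x burst: beaconing or scanning
PACKETS += _burst(5, "10.0.0.7", 4)            # mild, benign burst
PACKETS += [(5, "10.0.0.9", "10.0.0.1", 80, b"GET /cgi-bin/../../../../etc/passwd")]

# Signature database: byte patterns of known-bad requests (assumed, not from any real ruleset).
SIGNATURES = {
    "path-traversal": b"../../",
    "shell-cmd-in-uri": b";cat /etc/passwd",
}


def signature_hits(packets):
    """Signature-based detection: a packet whose payload contains a known pattern is a hit."""
    hits = []
    for sec, src, dst, port, payload in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((sec, src, name))
    return hits


def per_second_rates(packets):
    """src -> {second -> packet count}."""
    rates = defaultdict(lambda: defaultdict(int))
    for sec, src, *_ in packets:
        rates[src][sec] += 1
    return rates


def build_baseline(packets, train_until):
    """Anomaly-based detection, learning phase: per-host mean/stdev of pps over seconds [0, train_until)."""
    baseline = {}
    for src, by_sec in per_second_rates(packets).items():
        samples = [by_sec.get(s, 0) for s in range(train_until)]
        if sum(samples) == 0:          # host never seen during training: no baseline yet
            continue
        baseline[src] = (statistics.mean(samples), statistics.stdev(samples))
    return baseline


def anomaly_hits(packets, baseline, k, from_sec):
    """Flag any second in which a host exceeds mean + k*stdev of its own baseline."""
    hits = []
    for src, by_sec in per_second_rates(packets).items():
        if src not in baseline:        # a real IPS would start learning this host; we skip it
            continue
        mean, sd = baseline[src]
        for sec, count in by_sec.items():
            if sec >= from_sec and count > mean + k * sd:
                hits.append((sec, src, count))
    return hits


def run_ips(packets, k=3.0, train_until=5):
    """Combine both detectors and map hits to actions (log + block by source)."""
    actions = {"block": set(), "log": []}
    for sec, src, name in signature_hits(packets):
        actions["log"].append(f"t={sec} signature {name} from {src}")
        actions["block"].add(src)
    baseline = build_baseline(packets, train_until)
    for sec, src, count in anomaly_hits(packets, baseline, k, train_until):
        actions["log"].append(f"t={sec} rate anomaly {count} pps from {src}")
        actions["block"].add(src)
    return actions


if __name__ == "__main__":
    for k in (1.0, 3.0):
        print(f"k={k}:", sorted(run_ips(PACKETS, k=k)["block"]))
```

With k=1 the quiet host 10.0.0.7 is blocked for sending four packets in a second, which is the kind of false positive the text warns about; with k=3 only the 8x burst and the signature hit are blocked. Real deployments also age the baseline over time, since a static baseline drifts away from the traffic it describes.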

Denial of Service

Denial-of-service attacks saturate servers or networks with massive traffic, overwhelming the system and making it unreachable to legitimate users. Some do this purely through volume; others exploit vulnerabilities in hardware, software, or network protocols so that a small input crashes or exhausts the target, for example a malformed packet that panics a kernel or a request that triggers unbounded resource use. While the vendor can identify and fix such vulnerabilities, attackers can exploit them before that happens.

Protocol-layer attacks target the state a server keeps for each connection, such as the TCP half-open connection table (SYN floods) or fragment-reassembly buffers, and exhaust processing power and memory rather than raw bandwidth. Volumetric attacks, by contrast, send large or numerous packets to saturate the target's link or its router's bandwidth and cause service disruptions.

IPSs detect these attacks by scanning network traffic for attack signatures: unique characteristics or behaviors associated with particular cyberattacks. If a signature matches, the IPS takes action. This might include logging the event, sending a notification to a pager or console, blocking or rate-limiting the attacker's IP address, or redirecting the attack to a honeypot. Note that blocking by source address is of limited use against floods that spoof their source or come from many distributed hosts; those call for rate limiting, SYN cookies, or upstream scrubbing.

DDoS

Many attacks target network infrastructure with overwhelming traffic to make services unavailable. These attacks are usually volumetric, leveraging techniques such as UDP floods, SYN floods, ICMP floods, or reflection and amplification attacks that abuse protocols like NTP, Memcached, and DNS to multiply the volume of data sent to a target site or service. Other common attacks focus on the application layer to saturate finite resources: they can cause the server software to exhaust disk space, reach the maximum number of open connections, or consume all available memory and CPU time. A sophisticated attack can do more than just slow or stop your service. It can deny you the ability to fix the problem by sabotaging equipment, overwriting firmware, or subtly changing a process (as with Stuxnet, which altered the operation of centrifuges at an Iranian uranium-enrichment facility and caused physical damage to them). Products such as F5's Behavioral DDoS protection on BIG-IP are marketed as providing automatic detection and mitigation of these attacks by learning traffic baselines.
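Two of the detections described in the Denial of Service and DDoS sections above, as an added example that is not code from the original article or from any vendor product. It works on constructed per-packet records seen at the edge of a protected network: a SYN-flood check that counts handshakes which never complete (the protocol-layer state exhaustion described earlier), and a reflection check that separates inbound UDP "responses" the protected host actually asked for from ones it never requested, which is what NTP, DNS and Memcached amplification looks like from the victim's side. Thresholds, addresses and packet sizes are assumed for the example.

```python
from collections import defaultdict

# Constructed packet records, not real captures:
# (src, dst, proto, sport, dport, flags, size_bytes); flags are only meaningful for TCP.
def tcp(src, dst, sport, dport, flags, size=60):
    return (src, dst, "tcp", sport, dport, flags, size)

def udp(src, dst, sport, dport, size):
    return (src, dst, "udp", sport, dport, "", size)

PROTECTED = "10.0.0.1"
RECORDS = []
# Three legitimate clients complete the three-way handshake: SYN, SYN-ACK, ACK.
for i, client in enumerate(["10.1.1.1", "10.1.1.2", "10.1.1.3"]):
    RECORDS += [tcp(client, PROTECTED, 40000 + i, 443, "S"),
                tcp(PROTECTED, client, 443, 40000 + i, "SA"),
                tcp(client, PROTECTED, 40000 + i, 443, "A")]
# SYN flood: 200 spoofed sources send one SYN each; the server's SYN-ACKs are never answered.
for i in range(200):
    spoofed = f"198.18.{i // 254}.{i % 254 + 1}"
    RECORDS += [tcp(spoofed, PROTECTED, 50000 + i, 443, "S"),
                tcp(PROTECTED, spoofed, 443, 50000 + i, "SA")]
# Solicited DNS: the protected host asks, the resolver answers (a 2x size ratio is normal).
RECORDS += [udp(PROTECTED, "198.51.100.1", 53001, 53, 64),
            udp("198.51.100.1", PROTECTED, 53, 53001, 128)]
# NTP reflection: 50 reflectors answer a request the protected host never sent (attacker spoofed it).
for i in range(50):
    RECORDS.append(udp(f"198.51.100.{i + 2}", PROTECTED, 123, 123, 468))


def half_open_connections(records):
    """Per destination, count SYNs whose handshake was never completed by a client ACK."""
    syn, acked = set(), set()
    for src, dst, proto, sport, dport, flags, _ in records:
        if proto != "tcp":
            continue
        key = (src, sport, dst, dport)
        if flags == "S":
            syn.add(key)
        elif flags == "A":
            acked.add(key)
    half_open = defaultdict(int)
    for _, _, dst, _ in syn - acked:
        half_open[dst] += 1
    return dict(half_open)


def detect_syn_flood(records, threshold=100):
    """Destinations holding at least `threshold` half-open connections in the window."""
    return {dst: n for dst, n in half_open_connections(records).items() if n >= threshold}


def reflection_report(records, protected):
    """Split inbound UDP to the protected host by whether it sent a matching request first."""
    req_bytes, resp_bytes, unsolicited = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, dst, proto, sport, dport, _, size in records:
        if proto != "udp":
            continue
        if src == protected:                  # outbound request to (server, port)
            req_bytes[(dst, dport)] += size
        elif dst == protected:
            if (src, sport) in req_bytes:     # answer to something we asked
                resp_bytes[(src, sport)] += size
            else:                             # reflector answering a spoofed request: amplification
                unsolicited[sport] += size
    ratios = {k: resp_bytes[k] / req_bytes[k] for k in resp_bytes}
    return {"solicited_ratio": ratios, "unsolicited_bytes_by_port": dict(unsolicited)}


def detect_reflection(records, protected, min_bytes=10_000):
    """Source ports delivering more than `min_bytes` of unsolicited UDP to the protected host."""
    report = reflection_report(records, protected)
    return {port: b for port, b in report["unsolicited_bytes_by_port"].items() if b >= min_bytes}


if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(RECORDS))
    print("reflection by port:", detect_reflection(RECORDS, PROTECTED))
```

Because the flood sources are spoofed, the useful mitigation is on the target side (SYN cookies or a proxy that completes handshakes before forwarding), not a per-source block list. For the reflection case the block is on the reflector source port and address set, and the real fix is upstream: reflectors only work because their networks do not filter spoofed packets.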

Exploits

As its name implies, an IPS is designed to detect and prevent network attacks. By residing inline and directly in the path of traffic flows, it can quickly scan and analyze incoming data for malicious activity such as Trojan horses, worms, DDoS attacks, viruses, and even zero-day exploits. When a threat is detected, the IPS can respond in several ways, including alerting security teams, logging the activity, and triggering other infrastructure devices like routers, firewalls, and servers to change policies and block threats. An IPS can be classified as signature-based, anomaly-based, or policy-based, depending on the detection method. Signature-based solutions compare incoming data against a database of known attack signatures to locate threats. However, brand-new or zero-day attacks may evade signature matching because no signature exists for them yet. Anomaly-based and policy-based detection close part of that gap, and a stateful IPS also reassembles and analyzes sequences of packets rather than inspecting each one in isolation, so an attack that has been split across several TCP segments or IP fragments cannot slip past inspection by never appearing whole in a single packet.
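The difference between per-packet matching and analyzing a sequence of packets, as an added example that is not code from the original article. The signature is the "() {" prefix of a Shellshock-style probe in an HTTP header; the attacker splits the request into two TCP segments exactly across that string and sends them out of order, which defeats a scanner that looks at each segment alone but not one that reorders and reassembles the stream first. The request bytes, sequence numbers and segment boundaries are constructed for the example.

```python
import re

# Example signature: the "() {" prefix that marks a Shellshock (CVE-2014-6271) probe.
SHELLSHOCK = re.compile(rb"\(\)\s*\{")

# Constructed request carrying the probe (not a real capture).
REQUEST = (b"GET /cgi-bin/status HTTP/1.0\r\n"
           b"User-Agent: () { :; }; /bin/bash -c 'id'\r\n\r\n")


def segment(data, cut_points, base_seq=1000):
    """Split `data` into TCP segments (seq, payload) at the given byte offsets."""
    out, prev = [], 0
    for cut in list(cut_points) + [len(data)]:
        out.append((base_seq + prev, data[prev:cut]))
        prev = cut
    return out


# The attacker cuts the stream right between "()" and " {", then sends the pieces out of order.
_cut = REQUEST.index(b"() {") + 2
EVASIVE_SEGMENTS = segment(REQUEST, [_cut])
EVASIVE_SEGMENTS.reverse()


def per_packet_scan(segments, pattern=SHELLSHOCK):
    """Naive IPS: match the signature against each segment's payload on its own."""
    return any(pattern.search(payload) for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and join them; refuse streams with gaps or overlaps."""
    ordered = sorted(segments)
    data, expected = b"", ordered[0][0]
    for seq, payload in ordered:
        if seq != expected:
            raise ValueError(f"gap or overlap at seq {seq}, expected {expected}")
        data += payload
        expected += len(payload)
    return data


def stream_scan(segments, pattern=SHELLSHOCK):
    """Stateful IPS: reassemble the TCP stream, then match the signature across segment boundaries."""
    return pattern.search(reassemble(segments)) is not None


if __name__ == "__main__":
    print("per-packet:", per_packet_scan(EVASIVE_SEGMENTS))   # False: evaded
    print("stream:", stream_scan(EVASIVE_SEGMENTS))           # True: caught after reassembly
```

Production reassembly also has to decide what to do with overlapping segments that carry different data, and it must resolve them the same way the destination host's TCP stack does; otherwise the attacker can make the IPS see one byte stream while the server sees another. This example simply rejects overlaps.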

Anomalies

IDS and IPS devices identify threats by looking for patterns of activity that indicate an attack is underway; these patterns are known as signatures. When a signature matches monitored traffic, the sensor generates an alarm, and an IPS additionally blocks the affected traffic. Anomaly detection mechanisms are looser than signature matching: they flag behavior that deviates from a learned norm, so they can catch scanning and worm propagation that an attacker is not even trying to hide, but any single alert has a lower probability of being an actual threat and needs more triage. When you enable anomaly detection, you also configure scanner thresholds (how many distinct destinations one source may contact before it counts as a scanner) and histograms (how many sources normally contact a given number of destinations, so that a sudden jump indicates a worm) to define what normal behavior in the network looks like. In a typical IPS management console this is done in the Anomaly Detection Policy dialog box: the network is divided into zones (Internal Zone, Illegal Zone for address space that should never be used, and External Zone), and each zone has sub-tabs where you configure scanner thresholds and histograms separately for TCP Protocol, UDP Protocol, and Other Protocols.
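The zone, scanner-threshold and histogram logic described above, as an added example that is not code from the original article or from any vendor's anomaly-detection feature. Zones are assigned by destination address; a source exceeding the per-zone, per-protocol scanner threshold is reported as a scanner, and the histogram (how many sources touched at least N destinations) is compared with a learned one to spot worm-like spread where many sources each scan modestly. The zone ranges, thresholds, learned histogram and flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed zone layout for the example; order matters, the first matching zone wins.
ZONES = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "illegal":  [ipaddress.ip_network("192.0.2.0/24")],   # address space nothing should ever talk to
    "external": [ipaddress.ip_network("0.0.0.0/0")],
}

# Scanner threshold per (zone, protocol): distinct destinations one source may contact (assumed values).
SCANNER_THRESHOLD = {(zone, proto): t
                     for zone, t in (("internal", 30), ("illegal", 5), ("external", 10))
                     for proto in ("tcp", "udp", "other")}

# Learned histogram for (internal, tcp): normally at most 1 source touches >=5 or >=10 hosts, none >=30.
LEARNED_INTERNAL_TCP = {5: 1, 10: 1, 30: 0}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    raise ValueError(ip)


# Constructed flow summaries, not real captures: (src, dst, proto, dport).
FLOWS = []
for i in range(1, 21):                                    # 20 ordinary hosts, 2 destinations each
    FLOWS += [(f"10.0.1.{i}", "10.0.2.1", "tcp", 445), (f"10.0.1.{i}", "10.0.2.2", "tcp", 445)]
for j in range(1, 41):                                    # one host sweeping 40 addresses on 445
    FLOWS.append(("10.0.9.9", f"10.0.3.{j}", "tcp", 445))
for i in range(1, 7):                                     # six hosts each probing 12 addresses: worm-like
    for j in range(1, 13):
        FLOWS.append((f"10.0.5.{i}", f"10.0.6.{j}", "tcp", 445))


def distinct_destinations(flows, proto):
    """src -> {zone -> set of distinct destination IPs} for one protocol."""
    dests = defaultdict(lambda: defaultdict(set))
    for src, dst, p, _ in flows:
        if p == proto:
            dests[src][zone_of(dst)].add(dst)
    return dests


def scanners(flows, proto, thresholds=SCANNER_THRESHOLD):
    """Sources that exceeded the scanner threshold of some zone: (src, zone, distinct destinations)."""
    hits = []
    for src, by_zone in distinct_destinations(flows, proto).items():
        for zone, dsts in by_zone.items():
            if len(dsts) > thresholds[(zone, proto)]:
                hits.append((src, zone, len(dsts)))
    return hits


def histogram(flows, proto, zone, buckets=(5, 10, 30)):
    """Number of sources that touched at least `bucket` distinct destinations in the zone."""
    hist = {b: 0 for b in buckets}
    for by_zone in distinct_destinations(flows, proto).values():
        n = len(by_zone.get(zone, ()))
        for b in buckets:
            if n >= b:
                hist[b] += 1
    return hist


def worm_alert(flows, proto, zone, learned):
    """Buckets where more sources are scanning than the learned histogram allows."""
    now = histogram(flows, proto, zone, tuple(learned))
    return {b: now[b] for b in learned if now[b] > learned[b]}


if __name__ == "__main__":
    print("scanners:", scanners(FLOWS, "tcp"))
    print("histogram:", histogram(FLOWS, "tcp", "internal"))
    print("worm alert:", worm_alert(FLOWS, "tcp", "internal", LEARNED_INTERNAL_TCP))
```

The single sweeping host trips the scanner threshold on its own; the six hosts probing 12 addresses each stay under it, and only the histogram comparison (seven sources at the 10-destination bucket where one is normal) reveals them as coordinated spread. That is the distinction between the two knobs the text describes.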
