An IPS offers the ability to identify an intrusion, assess the relevance, impact and direction of an event, analyse it properly, and then pass the appropriate information and commands to the firewalls, switches and other network devices to mitigate the event’s risk.
The key technical components of IPS include the marriage of global and local host controls, IDS, global and local security policy, risk management software and globally accessible consoles for managing IPS.
An IPS is the next security layer to be introduced: it combines the protection of a firewall with the monitoring ability of an IDS to protect our network, together with the analysis necessary to make the proper decision on the fly.
IDS started the overall protection by first protecting the host (HIDS), then the network (NIDS). First- and second-generation IDS currently protect our networks by identifying threats. IDS provide real-time alerts and reports, but they cannot provide the intelligence necessary to notify all the network components downstream and upstream from the point of identification. This is where the IPS becomes part of the overall layered approach to security. The IPS gathers all network information, makes a determination of the threat, and then notifies all other devices of those findings. Upstream providers can notify downstream customers of possible attacks before or during the events as malicious attempts arrive, and vice versa.
Although IPS are actually the next-generation IDS, there will always be a need to keep these separate technologies. Security devices must remain separate to allow depth in overall protection; thus, the firewall will need an IDS and the network will need an IPS. Each technology is bound to the other by dependencies that will not disappear.
An IPS has all the features of a good IDS, but can also stop malicious traffic from invading the enterprise. Unlike an IDS, an IPS sits inline with the traffic flow on a network, actively shutting down attempted attacks as they are sent over the wire. It can stop an attack by terminating the network connection or user session originating the attack, by blocking access to the target from the user account, IP address or other attributes associated with that attacker, or by blocking all access to the targeted host, service or application.
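As an added illustration (not code from the original text or any IPS product), the following Python sketch models the decision loop described above: an IDS alert arrives, global and local policy choose among the three responses just listed (terminate the session, block the source, or block the target), and the finding is fanned out to upstream and downstream devices. The thresholds, field names and sample addresses are assumptions made for the example.

```python
"""Minimal inline IPS decision loop: IDS alert -> containing action -> peer notification."""
from dataclasses import dataclass, field

@dataclass
class Alert:                 # what an IDS sensor hands to the IPS (constructed sample shape)
    src_ip: str
    user: str
    dst_host: str
    dst_service: str
    signature: str
    severity: int            # assumed scale: 1 (informational) .. 10 (critical)
    repeat_count: int = 1    # how often this source has tripped the same signature

# Global policy is the enterprise-wide floor; local policy overrides it per service.
GLOBAL_POLICY = {"block_source_at": 7, "block_target_at": 9}
LOCAL_POLICY = {"ssh": {"block_source_at": 5}}   # assumed: stricter handling for SSH

def decide(alert: Alert) -> dict:
    """Pick the least disruptive response that still contains the event."""
    policy = {**GLOBAL_POLICY, **LOCAL_POLICY.get(alert.dst_service, {})}
    if alert.severity >= policy["block_target_at"]:
        # The target itself is at risk: cut all access to that host/service.
        return {"action": "block_target", "host": alert.dst_host, "service": alert.dst_service}
    if alert.severity >= policy["block_source_at"] or alert.repeat_count >= 3:
        # Serious or persistent attacker: block everything from that IP/account.
        return {"action": "block_source", "ip": alert.src_ip, "user": alert.user}
    # Single low-severity hit: terminate just this connection/session.
    return {"action": "terminate_session", "ip": alert.src_ip, "host": alert.dst_host}

@dataclass
class Ips:
    upstream: list = field(default_factory=list)    # e.g. provider-edge devices (assumed names)
    downstream: list = field(default_factory=list)  # e.g. customer firewalls/switches
    log: list = field(default_factory=list)

    def handle(self, alert: Alert) -> dict:
        """Decide inline, record the action, and notify every peer of the finding."""
        action = decide(alert)
        notices = [f"{dev}: {action['action']} {alert.src_ip}"
                   for dev in self.upstream + self.downstream]
        entry = {"signature": alert.signature, **action, "notified": notices}
        self.log.append(entry)
        return entry

if __name__ == "__main__":
    ips = Ips(upstream=["isp-edge"], downstream=["branch-fw"])
    print(ips.handle(Alert("203.0.113.5", "guest", "10.0.0.8", "ssh", "ssh-brute-force", 6)))
```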