As the online world matures, more actors have a better understanding of how the environment works. While this leads to positive developments and beneficial strategic breakthroughs, there is also a criminal side to the internet that constantly creates threats and disruptions for those trying to carry on with their legitimate day-to-day business. Security controls such as firewalls and intrusion prevention systems are used to protect against these kinds of intrusions. If you already have a firewall in place (and most organizations will), where should you implement an intrusion prevention system in your IT infrastructure?
An intrusion prevention system (IPS) is a security control that sits inline on the network path, inspects traffic as it passes, and stops malicious traffic from getting through. When it identifies an attack it drops the offending packets and can push a block rule to the firewall so that later traffic from the same source never reaches it. The IPS also logs and reports each incident, giving administrators a clearer picture of what is actually arriving at their network. Those reports feed the development of policies and practices that reduce the risk of future incidents.
It is generally accepted that an intrusion prevention system should be deployed at the edge of the network, directly behind the firewall and in front of the server(s). This lets the firewall do its job first and discard the bulk of unwanted traffic. Where a firewall decides based on source and destination IP address, port number and connection state, the IPS looks inside the traffic for patterns or signatures that denote an attack, which is far more expensive per packet. Placing the IPS behind the firewall therefore means it only has to analyze traffic that the firewall already permits, which reduces its load and the risk of slowing the network. One caveat: an IPS can only match patterns it can see, so for encrypted traffic it must either sit where the traffic is decrypted (for example behind a TLS-terminating load balancer) or be limited to what is visible in unencrypted headers and metadata.
The intrusion prevention system identifies and blocks threats such as application-layer Denial of Service attacks, worms, viruses, exploit attempts and other network-based attacks. It inspects packets in real time (inbound, and in most deployments outbound as well). Once a malicious packet is identified, the IPS can drop it, terminate the transmission control protocol (TCP) session by sending resets to both ends, and update the firewall to block the source. Note that a volumetric Distributed Denial of Service attack that saturates the upstream link is not something an on-premises IPS can absorb; that has to be mitigated upstream by the ISP or a scrubbing service, although the IPS can still identify and log it.
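To make the division of labour concrete, here is a small added model (not code from the original article) of a firewall chained in front of a signature-based IPS. The packets, firewall policy, signature patterns and IP addresses are all constructed for the example. It shows the firewall discarding traffic on unpermitted ports and protocols before the IPS ever sees it, the IPS matching payload signatures on what remains, and the two IPS reactions described above: dropping with a TCP reset, and feeding the offending source back into the firewall's block list so the next packet from it is stopped at the cheaper layer.

```python
"""Toy model of a firewall in front of a signature-based IPS.

Added illustration, not code from the original article. The packets,
firewall policy, signatures and addresses are constructed for the example.
"""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str          # "tcp" or "udp"
    payload: bytes = b""


@dataclass
class Firewall:
    """Cheap first line: decides on protocol, destination port and source address only."""
    allowed_ports: set
    blocked_sources: set = field(default_factory=set)

    def permits(self, pkt):
        if pkt.src in self.blocked_sources:
            return False
        return pkt.proto == "tcp" and pkt.dport in self.allowed_ports


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    pattern: bytes      # regex applied to the payload


# Constructed signatures in the spirit of common IPS rules.
SIGNATURES = [
    Signature(1000001, "SQLi: UNION SELECT in query", rb"(?i)union\s+select"),
    Signature(1000002, "Path traversal ../../", rb"\.\./\.\./"),
    Signature(1000003, "Shellshock-style () { :; } header", rb"\(\)\s*\{\s*:;\s*\}"),
]


class IPS:
    """Expensive second line: inspects payloads of traffic the firewall let through."""

    def __init__(self, signatures, firewall):
        self.signatures = [(s, re.compile(s.pattern)) for s in signatures]
        self.firewall = firewall
        self.events = []   # (sid, msg, src) for reporting

    def inspect(self, pkt):
        for sig, rx in self.signatures:
            if rx.search(pkt.payload):
                self.events.append((sig.sid, sig.msg, pkt.src))
                # Feed back to the firewall so the source is blocked at the cheaper layer.
                self.firewall.blocked_sources.add(pkt.src)
                return "drop+reset"   # discard packet and send TCP RST to both ends
        return "forward"


def run_pipeline(packets, fw, ips):
    """Return (per-packet verdicts, number of packets the IPS had to inspect)."""
    verdicts = []
    inspected = 0
    for pkt in packets:
        if not fw.permits(pkt):
            verdicts.append("firewall-drop")
            continue
        inspected += 1
        verdicts.append(ips.inspect(pkt))
    return verdicts, inspected


# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "192.0.2.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    Packet("203.0.113.11", "192.0.2.5", 23, "tcp", b"login"),      # telnet: firewall drops
    Packet("203.0.113.12", "192.0.2.5", 53, "udp", b"\x00"),       # udp: firewall drops
    Packet("198.51.100.7", "192.0.2.5", 80, "tcp",
           b"GET /item?id=1 UNION SELECT password FROM users HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.5", 443, "tcp", b"GET /ok HTTP/1.1\r\n"),  # now blocked by firewall
    Packet("203.0.113.13", "192.0.2.5", 80, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n"),
]


def demo():
    fw = Firewall(allowed_ports={80, 443})
    ips = IPS(SIGNATURES, fw)
    return run_pipeline(SAMPLE_PACKETS, fw, ips), ips


if __name__ == "__main__":
    (verdicts, inspected), ips = demo()
    for pkt, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{pkt.src:>14} -> :{pkt.dport:<4} {v}")
    print(f"IPS inspected {inspected} of {len(SAMPLE_PACKETS)} packets; events: {ips.events}")
```

Of the six constructed packets, the firewall discards two on port/protocol alone and a third because the IPS had already blocklisted its source, so the IPS only performs payload matching on three. That ratio is the whole argument for the behind-the-firewall placement: every packet the firewall rejects is one the IPS never has to spend regex time on.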
Intrusion prevention systems can be tuned to your specific network and the kinds of traffic you are likely to receive. It is important, however, to run the IPS in its default rule set first, ideally in alert-only mode where it logs what it would have blocked without actually blocking it. This baseline shows how the system reacts to the traffic you already have and gives you something to work from. You can then switch individual rules to blocking according to the risk the matching traffic poses. The goal is the right balance between blocking genuinely malicious traffic and minimizing the false positives the IPS generates, because every false positive in blocking mode is an outage for a legitimate user.
It is very likely that you do not want your intrusion prevention system to block on every signature it can match. Doing so tends to block too much legitimate traffic, slow systems down, and produce a pile of alerts that nobody has time to act on. As the traffic on your network changes, you will need to keep tuning the IPS, suppressing rules that fire on known-good hosts and promoting rules that catch real attacks, so that it continues to detect and block malicious traffic while the rest of the network keeps running smoothly.
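The baseline-then-tune procedure from the two paragraphs above can be driven by data rather than gut feeling. The following added example (not from the original article) takes a set of constructed alert-only baseline records, separates hits from trusted internal address space (likely false positives) from hits from untrusted sources, and derives a per-signature action: drop for high and medium severity rules that fired on untrusted sources, alert-only for low-severity rules or rules with no untrusted evidence yet, plus per-source suppressions for the trusted hosts. The alert records, the trusted network, the severity scale and the thresholds are all assumptions for the example; the suppression lines are rendered in the `threshold.config` syntax Suricata uses, which is one assumed target IPS rather than anything the article names.

```python
"""Turn alert-only baseline data into a per-signature IPS blocking policy.

Added illustration, not code from the original article. Alert records,
trusted networks and thresholds are constructed assumptions; a real
deployment would read the IPS's own alert log (e.g. Suricata's eve.json).
"""
import ipaddress

# Constructed baseline alerts: (sid, severity 1=high..3=low, src, dst)
BASELINE_ALERTS = [
    (2001, 1, "198.51.100.7", "192.0.2.5"),
    (2001, 1, "198.51.100.8", "192.0.2.5"),
    (2002, 3, "10.0.0.21", "192.0.2.5"),    # monitoring host tripping a noisy rule
    (2002, 3, "10.0.0.21", "192.0.2.6"),
    (2002, 3, "10.0.0.22", "192.0.2.5"),
    (2002, 3, "203.0.113.9", "192.0.2.5"),
    (2003, 2, "10.0.0.21", "192.0.2.5"),
    (2003, 2, "203.0.113.30", "192.0.2.5"),
    (2004, 1, "10.0.0.5", "192.0.2.5"),     # only ever fired on a trusted host
]

# Assumed internal address space whose hits are treated as probable false positives.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def summarize(alerts):
    """Per signature: severity, set of trusted sources that tripped it, untrusted hit count."""
    stats = {}
    for sid, sev, src, _dst in alerts:
        s = stats.setdefault(sid, {"severity": sev, "trusted_src": set(), "untrusted_hits": 0})
        if is_trusted(src):
            s["trusted_src"].add(src)
        else:
            s["untrusted_hits"] += 1
    return stats


def decide(stats):
    """Map each signature to an action plus per-source suppressions for trusted hosts.

    - no untrusted hits yet  -> alert (no evidence beyond known-good hosts; keep watching)
    - severity 1 or 2        -> drop  (real attacks seen from outside; worth blocking)
    - severity 3             -> alert (low value, high false-positive cost if blocked)
    Trusted hosts that tripped the rule are suppressed by source rather than
    disabling the rule, so it still fires for everyone else.
    """
    policy = {}
    for sid, s in stats.items():
        if s["untrusted_hits"] == 0:
            action = "alert"
        elif s["severity"] <= 2:
            action = "drop"
        else:
            action = "alert"
        policy[sid] = {"action": action, "suppress_src": sorted(s["trusted_src"])}
    return policy


def render_suppressions(policy):
    """Emit per-source suppressions in Suricata threshold.config syntax (assumed target IPS)."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {ip}"
            for sid, p in sorted(policy.items()) for ip in p["suppress_src"]]


if __name__ == "__main__":
    policy = decide(summarize(BASELINE_ALERTS))
    for sid, p in sorted(policy.items()):
        print(f"sid {sid}: {p['action']:<5} suppress={p['suppress_src']}")
    print("\n".join(render_suppressions(policy)))
```

Re-run this against a fresh baseline each time the network changes (new monitoring hosts, new applications, new rule set version) and diff the resulting policy; a signature that silently moved from drop to alert, or a trusted host that started tripping a high-severity rule, is exactly the kind of change the tuning cycle is meant to surface.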
To find out more about how intrusion prevention can keep your business secure, get a free assessment today.