Intrusion prevention and the firewall are part of Network Threat Protection. Network Threat Protection and Memory Exploit Mitigation are part of Network and Host Exploit Mitigation.

Intrusion prevention automatically detects and blocks network attacks. On Windows computers, intrusion prevention also detects and blocks browser attacks on supported browsers. Intrusion prevention is the second layer of defense after the firewall to protect client computers. Intrusion prevention is sometimes called the intrusion prevention system (IPS).

Intrusion prevention intercepts data at the network layer. It uses signatures to scan packets or streams of packets. It scans each packet individually by looking for the patterns that correspond to network attacks or browser attacks. Intrusion prevention detects attacks on operating system components and the application layer.

What Is an Intrusion Prevention System (IPS)?

An Intrusion Prevention System (IPS) is a security solution that protects against unauthorized access and malicious activity at the network level. Unlike an Intrusion Detection System, which only monitors network traffic, an Intrusion Prevention System also protects against intrusions that take place on the network. The main function of an Intrusion Prevention System is to analyze all inbound and outbound network traffic for suspicious activity and to act instantaneously to prevent intruders from entering the internal network.

An IPS offers proactive detection and prevention by stopping unwanted network traffic before it reaches its intended victim. An IPS, when deployed correctly, immediately drops detected unwanted or malicious data packets that may cause severe damage to the network and its resources. An Intrusion Prevention System can be quite handy against various network security attacks such as brute force attacks, Denial of Service (DoS) attacks, and vulnerability detection. Moreover, an IPS also provides prevention against protocol exploits. An Intrusion Prevention System is also known as an active security solution because it does not just detect potential security threats on the network; it also takes immediate action against them in order to prevent the current attack and similar ones that the intruders may initiate in the future.

The other functions that an Intrusion Prevention System can perform include:

How Does an Intrusion Prevention System Work?

An Intrusion Prevention System is considered quite secure compared with an Intrusion Detection System because of its proactive threat detection and prevention capabilities. An Intrusion Prevention System works in in-line mode. It contains a sensor located directly in the path of the actual network traffic, which deeply inspects all network traffic as the packets pass through it. In-line mode allows the sensor to run in prevention mode, where it performs real-time packet inspection. Because of this, any packets identified as suspicious or malicious are dropped immediately.
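The signature scanning and in-line dropping described above can be sketched as follows. This is an added example, not code from the original page or from any product; the signature, flow tuples, sample packets, and the choice to block a flow after a match are assumptions made for illustration. It goes slightly beyond single-packet scanning by also keeping a short window of each flow's earlier data.

```python
import re
from dataclasses import dataclass, field

# Constructed signature for illustration; not taken from any product's rule set.
SIGNATURES = {
    "path traversal in HTTP request line": re.compile(rb"GET [^\r\n]*\.\./\.\./"),
}

@dataclass
class InlineSensor:
    prevent: bool = True      # True: in-line prevention (drop); False: detect only
    window: int = 2048        # bytes of earlier stream data kept per flow
    history: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def inspect(self, flow, payload: bytes) -> str:
        """Return the verdict ('forward' or 'drop') for one packet of a flow."""
        if flow in self.blocked:
            return "drop"     # flow already matched; retransmissions stay out too
        # Scan the packet together with the tail of the flow's earlier data, so a
        # pattern that straddles a packet boundary is still matched.
        data = self.history.get(flow, b"")[-self.window:] + payload
        hit = next((n for n, rx in SIGNATURES.items() if rx.search(data)), None)
        self.history[flow] = data[-self.window:]
        if hit is None:
            return "forward"
        self.alerts.append((flow, hit))
        if not self.prevent:
            self.history[flow] = b""   # avoid re-alerting on the same bytes
            return "forward"           # detection only: the traffic still arrives
        self.blocked.add(flow)         # assumption of this sketch: block the flow
        return "drop"

def run(sensor, packets):
    """Feed (flow, payload) pairs through the sensor and collect the verdicts."""
    return [sensor.inspect(flow, payload) for flow, payload in packets]

# Constructed sample traffic: flow A is benign, flow B carries the pattern.
FLOW_A = ("10.0.0.5", 51000, "192.0.2.10", 80)
FLOW_B = ("10.0.0.6", 51001, "192.0.2.10", 80)
PACKETS = [
    (FLOW_A, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (FLOW_B, b"GET /static/../"),
    (FLOW_B, b"../secret.txt HTTP/1.1\r\n\r\n"),
    (FLOW_B, b"../secret.txt HTTP/1.1\r\n\r\n"),   # retransmitted segment
    (FLOW_A, b"GET /about.html HTTP/1.1\r\n\r\n"),
]
```

Running the same packets through `InlineSensor(prevent=False)` and `InlineSensor(prevent=True)` shows the difference the page draws between detection and prevention: both record one alert, but only the in-line prevention sensor keeps the matching data from reaching the host.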

An Intrusion Prevention System can perform any of the following actions as it detects any malicious activity in the network: