← Home

Intrusion Prevention Systems

An Intrusion Prevention System (IPS) is a security device or software solution that monitors network traffic in real time, detects malicious activity, and automatically takes action to stop threats before they can impact the network.

Unlike an IDS, which generates alerts, an IPS sits inline with network traffic, allowing it to actively prevent attacks.

An IPS is a key component of a Defence-in-Depth strategy, complementing firewalls, access control, and intrusion detection systems.

Intrusion Prevention Systems
Figure – Intrusion Prevention Systems monitor network traffic inline and automatically block detected threats.

Purpose of an IPS

An IPS continuously monitors network communications to:

Responses may include:


How an IPS Works

Monitor

Inspects all network traffic passing through the device.

Analyze

Compares traffic against signatures, rules, and behavioural models.

Detect

Identifies malicious or suspicious activity.

Prevent

Automatically blocks or mitigates the detected threat before it reaches the target.


Detection Techniques

Signature-Based Detection

Identifies attacks by comparing traffic to a database of known attack signatures.

Advantages

Limitations


Behaviour-Based (Anomaly-Based) Detection

Learns normal network and device behaviour over time and identifies deviations from the established baseline.

Advantages

Limitations


IPS in Industrial Control Systems (ICS)

Industrial Control Systems have unique operational requirements that make IPS deployment more challenging than in traditional IT environments.

Why IPS is Used Cautiously

Because an IPS actively blocks traffic, an incorrect decision may:

For this reason, IPS devices are generally not deployed inside critical IACS control zones, where uninterrupted communications are essential.

Instead, IPS is more commonly deployed at:

Emerging Behaviour-Based IPS

As cyber threats become more sophisticated, traditional signature-based protection is no longer sufficient.

Modern IPS solutions increasingly use:

These systems establish what is "normal" for an industrial environment and identify unusual communications that may indicate cyberattacks.

Although highly effective, they should be deployed cautiously within lower-level industrial networks due to the potential for false positives.


IDS vs IPS

Feature IDS IPS
Deployment Passive (out-of-band) Inline
Primary Function Detects threats Detects and blocks threats
Blocks Traffic No Yes
Generates Alerts Yes Yes
Network Impact Minimal May introduce latency
False Positive Risk Alert fatigue Potential disruption of operations
Best Use Monitoring and visibility Active prevention

IPS Best Practices

1. Use Distributed Deployment

Deploy IPS solutions at:

Avoid placing IPS directly within critical control networks unless thoroughly validated.

2. Use ICS-Specific Detection Rules

Traditional IT signatures often miss industrial attacks.

Use solutions that include:

3. Support Industrial Protocols

Choose IPS solutions that understand industrial communications, including protocols such as:

Protocol awareness improves detection accuracy while reducing false positives.

4. Deploy with Caution

Before enabling automatic blocking:

A phased deployment—starting in monitor-only mode before enabling prevention—is considered best practice.


Benefits of IPS


Challenges and Limitations

False Positives

Operational Risk

Performance Overhead

Ongoing Maintenance


Key Takeaways