Intrusion prevention systems (IPS), as the name suggests, go one step further than intrusion detection systems: once they have identified a potential attack, they not only notify the administrator but immediately initiate countermeasures, typically dropping the offending packets or cutting the connection. This closes the gap between detection and response, which with a pure IDS can be as long as it takes an administrator to read the alert and act on it. With respect to the analytical methods used, however, there is in principle no difference between the two network protection mechanisms: today’s IPS, like an IDS, relies on host-based and network-based sensors to register and analyze system data and network packets.
Because an IPS acts on what it sees, it must be configured far more carefully than an IDS: a false positive no longer just produces a spurious alert but blocks an ordinary user action, a risk that is especially pronounced with anomaly detection. Since the difference between the two lies in the configured response rather than in the analysis, many programs can be run as either. Snort and Suricata, the open source applications mentioned above, both offer a pure monitoring mode, in which a matching rule only raises an alert, and an inline blocking mode, in which a rule can also drop the traffic. It is therefore possible to combine both approaches in a single system or to run two separate systems; in the latter case, monitoring and blocking can be split between different hardware environments.
How much IPS software can differ is illustrated by the following two free programs, DenyHosts and Snort.
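To make the difference between monitoring and blocking concrete, here is an added example that is not part of the original page and not code from DenyHosts or Snort. It implements the host-based, DenyHosts-style approach in Python: failed SSH logins are counted per source address over a constructed sshd log excerpt (the log lines, the threshold of three failures and the allowlisted 192.168.0.0/16 network are all assumptions chosen for the example). In "detect" mode the program only raises alerts, as an IDS would; in "prevent" mode it additionally returns block decisions, rendered in the TCP Wrappers hosts.deny format that DenyHosts uses. The allowlist and threshold are the "specific configuration" the text calls for: the last call in the demo shows that without them an administrator who mistypes a password once is locked out.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log excerpt for this example (not captured from a real host).
# 203.0.113.7 hammers root/admin, 192.168.1.20 is an admin who mistyped once,
# 198.51.100.9 fails twice and stops.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 52011 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 52014 ssh2
Mar  3 10:01:09 host sshd[1204]: Failed password for root from 203.0.113.7 port 52016 ssh2
Mar  3 10:01:12 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 52018 ssh2
Mar  3 10:02:00 host sshd[1210]: Failed password for alice from 192.168.1.20 port 40001 ssh2
Mar  3 10:02:03 host sshd[1211]: Accepted password for alice from 192.168.1.20 port 40001 ssh2
Mar  3 10:03:30 host sshd[1220]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  3 10:03:31 host sshd[1221]: Failed password for root from 198.51.100.9 port 33002 ssh2
"""

# Matches the OpenSSH "Failed password" line; group 1 = user, group 2 = source IPv4.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def analyse(log_text, threshold=3, allowlist=("192.168.0.0/16",), mode="detect"):
    """Count failed SSH logins per source address and react according to mode.

    mode="detect"  -> IDS behaviour: only raise alerts.
    mode="prevent" -> IPS behaviour: raise alerts and also return block decisions.
    allowlist holds networks that are never counted (assumed trusted for the
    example), so a mistyped admin password cannot trigger a block.
    Returns (alerts, blocked) as two lists, in the order the events occurred.
    """
    if mode not in ("detect", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    trusted = [ipaddress.ip_network(n) for n in allowlist]
    failures = defaultdict(int)
    alerts, blocked = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        user, ip = m.group(1), m.group(2)
        if any(ipaddress.ip_address(ip) in net for net in trusted):
            continue  # trusted source: never counted
        failures[ip] += 1
        if failures[ip] == threshold:  # fire exactly once per source
            alerts.append(f"{ip}: {threshold} failed SSH logins (last user {user!r})")
            if mode == "prevent":
                blocked.append(ip)
    return alerts, blocked


def hosts_deny_lines(blocked):
    """Render block decisions as TCP Wrappers entries, the mechanism DenyHosts uses.
    Appending them to /etc/hosts.deny is left to the caller."""
    return [f"sshd: {ip}" for ip in blocked]


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        alerts, blocked = analyse(SAMPLE_LOG, mode=mode)
        print(f"[{mode}] alerts={alerts} blocked={hosts_deny_lines(blocked)}")
    # Same program with no allowlist and a hair-trigger threshold: the admin on
    # 192.168.1.20 is now locked out after a single typo.
    print(analyse(SAMPLE_LOG, threshold=1, allowlist=(), mode="prevent")[1])
```

Snort and Suricata make the same switch at the packet level: the rule action decides whether matching traffic is merely logged (`alert`) or, when the sensor runs inline, discarded (`drop`), so the same rule set can serve as IDS or IPS depending on how it is deployed.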