Intrusion prevention systems, also known as IPSs, offer ongoing protection for the data and IT resources of your company. These security systems work within the organization and make up for blind spots in the traditional security measures that are implemented by firewalls and antivirus systems.
Protecting the boundary of your network will prevent a large number of hacker attacks. The installation of firewalls and antivirus is still important. These protection measures have become very effective at preventing malicious code from getting onto a network. However, they have been so successful that hackers have found other ways to get access to a company’s computing infrastructure.
Here is our list of the best IPS tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE This powerful security tool uses both network-based and host-based intrusion detection methods and takes preventative action. Pre-installed presets will get you up and running in no time. Installs on Windows Server or via cloud. Start a 30-day free trial.
- Datadog Real-time Threat Monitoring (FREE TRIAL) An add-on to a cloud-based network monitor that performs threat detection while monitoring network traffic and device statuses. Start a 14-day free trial.
- CrowdStrike Falcon XDR (FREE TRIAL) This security package offers threat detection and automated responses. This is a cloud-based system with device-based agents. Start a 15-day free trial.
- Splunk Widely-used network analysis tools that has intrusion prevention features. Available for Windows, Linux, and in the Cloud.
- Sagan Free intrusion prevention system that mines log files for event data. Installs on Unix, Linux, and Mac OS, but can gather log messages from windows systems.
- OSSEC The Open Source HIDS Security is highly respected and free to use. Runs on Windows, Linux, Mac OS, and Unix, but doesn’t include a user interface.
- Open WIPS-NG Open-source command-line utility for Linux that detects intrusion on wireless networks.
- Fail2Ban Free lightweight IPS that runs on the command line and is available for Linux, Unix, and Mac OS.
- Zeek Network-based intrusion detection system that operates on live traffic data. This tool installs on Linux, Unix, and Mac OS and is free to use.
Any system is only as strong as its weakest link. In most IT security strategies, the weakness lies with the human element of the system. You can enforce user authentication with strong passwords, but if users write passwords down and keep the note close to a device that has network access, you might as well not bother enforcing user authentication.
There are many ways that hackers can target employees of a company and trick them into disclosing their login details.
Phishing has become common. Everyone has learned to become wary of warning emails from banks or trading platforms such as eBay, PayPal, or Amazon. A phishing campaign involves a fake Web page from an online service. The hacker sends out emails en masse to all emails on a list bought on the internet. It doesn’t matter whether all of those email addresses belong to customers of the mimicked service. As long as some of the people being reached have accounts with the tricked website, then the hacker stands a chance.
In phishing attempts, the victim is presented with a link within an email that leads to a fake login page that looks like the usual entry screen of the mimicked service. When the victim tries to log in, that username and password go into the hacker’s database and the account is compromised without the user realizing what has happened.
Hackers target company employees with phishing scams. They also practice spear phishing, which is a little more sophisticated than phishing. With spear phishing, the fake email and login page will be specifically designed to be like the site of the company being hacked and the emails will be directed specifically at the employees of the company. Spear phishing attempts are often used as phase one of a break-in attempt. The initial pass of a hack is to learn details about some of the employees of a company.
The information gathered in the spear phishing phase can be blended together with research into individuals by examining their social media pages, or combing through their career details. This targeted research is called doxxing. With the information gleaned, a targeted hacker can build up profiles of key players in a business and map the relationships of those people to other company personnel.
The doxxer will aim to get enough information in order to successfully mimic one employee. With this identity, he can gain the trust of others in the targeted company. By these tricks, the hacker can get to know the movements of the company’s accounting staff, its executives, and its IT support staff.
Once the hacker has earned the trust of various staff members, he can trick login details out of anyone in the business. With a lot of confidence and the knowledge of the way people work together in a business, a con artist can even steal large amounts of money from a company without even having to log into the system; orders for bogus transfers can be given over the phone. This targeting of key personnel in a business is called whaling.
Hackers have learned to use phishing, spear phishing, doxxing, and whaling to get around firewalls and antivirus software. If a hacker has the admin password, he can install software, set up user accounts, and remove security processes and get access to the entire network, its equipment, servers, databases, and applications unhindered.
These new attack strategies have become so common that company network security administrators need to plan defenses that assume that the systems boundary security measures have been compromised.
In recent years, the advanced persistent threat (APT) has become a common strategy for hackers. In this scenario, a hacker can spend years with access to a company network, accessing data at will, using company resources to run covering VPNs through the company’s gateway. The hacker can even use the company’s servers for intensive activities such as cryptocurrency mining.
or laterAPTs go undetected because the hacker is in the system as an authorized user and he also makes sure to delete any log records that show his malicious activity. These measures mean that even when the intrusion is detected, it can still be impossible to trace and prosecute the intruder.
Intrusion detection systems
An essential element of intrusion prevention systems is the Intrusion Detection System (IDS). An IDS is designed to look for unusual activity. Some detection methodologies mimic the strategies employed by firewalls and antivirus software. These are called signature-based detection methods. They look for patterns in data to spot known indicators of intruder activity.
A second IDS method is called anomaly-based detection. In this strategy, the monitoring software looks for unusual activities that either don’t fit the logical pattern of user or software behavior or that don’t make sense when examined in the context of the expected duties of a particular user. For example, you wouldn’t expect to see a user in the Personnel Department logged in as altering the configuration of a network device.
An intruder does not necessarily need to be an outsider. You can get intrusion into areas of your network by employees exploring beyond the facilities to which they are expected to need access. Another problem lies with employees who exploit their authorized access to data and facilities in order to destroy or steal them.
Intrusion prevention systems work to the maxim “better late than never.” Ideally, you wouldn’t want any outsiders getting unauthorized access to your system. However, as explained above, this is not a perfect world and there are many cons that hackers can pull to trick authorized users into giving away their credentials.
Specifically, intrusion prevention systems are extensions to intrusion detection systems. IPSs act once suspicious activity has been identified. So, there may already have been some damage done to the integrity of your system by the time the intrusion has been spotted.
The IPS is able to perform actions to shut down the threat. These actions include:
- Restoring log files from storage
- Suspending user accounts
- Blocking IP addresses
- Killing processes
- Shutting down systems
- Starting up processes
- Updating firewall settings
- Alerting, recording, and reporting suspicious activities
The responsibility of admin tasks that make many of these actions possible is not always clear. For example, the protection of log files with encryption and the backing up of log files so that they can be restored after tampering are two threat protection activities that are usually defined as intrusion detection system tasks.
Limitations of intrusion prevention systems
There are many potential points of weakness in any IT system, but an IPS, although very effective at blocking intruders, is not designed to close down all potential threats. For example, a typical IPS does not include software patch management or configuration control for network devices. The IPS won’t manage user access policies or prevent employees from copying corporate documents.
IDSs and IPSs offer threat remediation only once an intruder has already begun activities on a network. However, these systems should be installed to provide an element in a series of network security measures to protect information and resources.
The best Intrusion Prevention Systems
There is a remarkably large number of IPS tools available at the moment. Many of these are free. However, it would take you a long time to study and try every single IPS on the market. This is why we have put together this guide to intrusion prevention systems.
What should you look for in an IPS tool? We reviewed the IPS market and analyzed tools based on the following criteria:
- Procedures to detect email-bound cons, such as phishing
- Automated attack mitigation steps
- The ability to interface with other IT security systems
- Settings to let the user allow automated response
- Data storage for historical analysis plus analytical tools in the dashboard
- Attack protection for the IPS’s own processes and logs
- A free, demo, trial, or money-back guarantee
- Value for money
The SolarWinds Security Event Manager controls access to log files, as the name suggests. However, the tool also has network monitoring capabilities. The software package doesn’t include a network monitoring facility, but you can add this capability by using the free tool, Snort for network data gathering. This setup gives you two perspectives on intrusion. There are two categories of detection strategies used by IDSs: network-based and host-based.
A host-based intrusion detection system examines the records contained in log files; the network-based system detects events in live data.
The instructions to detect signs of intrusion are included with the SolarWinds software package – these are called event correlation rules. You can choose to leave the system to just detect intrusion and block threats manually. You can also activate the IPS functions of the SolarWinds Security Event Manager to get threat remediation performed automatically.
The IPS section of the SolarWinds Security Event Manager implements actions when threats are detected. These workflows are called Active Responses. A response can be linked to a specific alert. For example, the tool can write to firewall tables to block network access to an IP address that has been identified as performing suspicious acts on the network. You can also suspend user accounts, stop or start processes, and shut down hardware or the entire system.
The SolarWinds Security Event Manager can only be installed on Windows Server. However, its data sources are not limited to Windows logs – it can also gather threat information from Unix and Linux systems connected to host Windows systems over the network. You can get a 30-day free trial of the SolarWinds Security Event Manager to test it for yourself.
SolarWinds Security Event Manager comes with hundreds of correlation rules on install that alert you to any suspicious behaviors in real-time. It’s fairly easy to set up new rules with thanks to the normalization of log data. We particularly like the new dashboard that gives you a front-row-seat when it comes to identifying potential network vulnerabilities.
Start 30-day Free Trial: solarwinds.com/security-event-manager
OS: Windows 10, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
Datadog’s Real-time Threat Monitoring is part of its network monitoring system which includes a built-in threat detection platform. Datadog is a cloud-based service that is delivered in modules to cover network and device monitoring, applications monitoring, and web performance monitoring.
The security features of the network traffic monitor are based on Threat Detection Rules. These are supplied, but it is possible to create new rules. They establish a pattern of traffic that the system looks out for and if one of the combinations of events that a rule describes gets spotted, the service triggers an alert. The service also includes Security Rules, which are similar to Threat Detection Rules but they specify searches in several different data sources.
The Security Monitoring service is an add-on to the standard Infrastructure Monitoring or Network Performance Monitoring modules of Datadog and it is priced per GB of analyzed data. Datadog offers a 14-day free trial of the Security Monitoring service.
CrowdStrike Falcon XDR is an endpoint detection and response system with added interaction with third-party security tools. The system uses security orchestration, automation, and response (SOAR) to improve both threat hunting and threat mitigation.
CrowdStrike Falcon is a cloud platform of security modules and the XDR builds on a couple of other products on the SaaS system. The first of these is an endpoint protection system called CrowdStrike Falcon Prevent – a next-generation anti-virus. The Prevent tool installs on each endpoint. There are versions of this system for Windows, macOS, and Linux. This system is able to continue protecting endpoints even when the network is down.
The next layer up in the XDR solution is Falcon Insight. This is an endpoint detection and response (EDR) system that coordinates the activity of each Falcon Prevent installation in the enterprise. This gives a system-wide view and creates a private threat intelligence network. The cloud module of Falcon Insight receives activity data from each Falcon Prevent instance, pools these feeds, and scans through for indicators of compromise (IoCs). If a threat is detected, Insight sends back remediation instructions to the Prevent units.
Falcon XDR adds on SOAR, which means that it can collect event data from third-party tools and unprotected devices, such as switches and routers that don’t have a Falcon Prevent service available. The system is also able to send instructions to non-Falcon products, such as firewalls.Start a 15-day free trial.
Splunk is a network traffic analyzer that has intrusion detection and IPS capabilities. There are four editions of Splunk:
- Splunk Free
- Splunk Light (30-day free trial)
- Splunk Enterprise (60-day free trial)
- Splunk Cloud (15-day free trial)
All versions, except for Splunk Cloud run on Windows and Linux. Splunk Cloud is available on a Software-as-a-Service (SaaS) basis over the internet. Splunk’s IPS functions are only included in the Enterprise and Cloud editions. The detection system operates both on network traffic and on log files. The detection method searches for anomalies, which are patterns of unexpected behavior.
A higher level of security can be gained by opting for the Splunk Enterprise Security add-on. This is available on a seven-day free trial. This module enhances the anomaly detection rules with AI and includes more executable actions for intrusion remediation.
Sagan is a free intrusion detection software system that has script execution capabilities. The facility to connect actions to alerts makes this an IPS. The main detection methods of Sagan involve the monitoring of log files, which means that this is a host-based intrusion detection system. If you also install Snort and feed output from that packet sniffer into Sagan, you will also get network-based detection facilities from this tool. Alternatively, you can feed network data gathered with Zeek (formerly Bro) or Suricata into the tool. Sagan can also exchange data with other Snort-compatible tools, including Snorby, Squil, Anaval, and BASE.
Sagan installs on Unix, Linux, and Mac OS. However, it is also able to pick up event messages from connected Windows systems. Extra features include IP address location tracing and distributed processing.
OSSEC is a very popular IPS system. Its detection methodologies are based on examining log files, which makes it a host-based intrusion detection system. The name of this tool stands for ‘Open Source HIDS Security’ (despite the lack of an ‘H’ there).
The fact that this is an open-source project is great because it also means that the software is free to use. Despite being open-source, OSSEC is actually owned by a company: Trend Micro. The downside of using free software is that you don’t get support. The tool is widely used and the OSSEC user community is a great place to get tips and tricks on using the system. However, if you don’t want to risk relying on amateur advice for your company software, you can buy a professional support package from Trend Micro.
The detection rules of OSSEC are called ‘policies.’ You can write your own monitoring policies or get packs of them for free from the user community. It is also possible to specify actions that should be implemented automatically when specific warnings arise.
OSSEC runs on Unix, Linux, Mac OS, and Windows. There is no front end for this tool, but you can interface it with Kibana or Graylog. Visit their downloads page.
See also: The Best HIDS Tools
If you specifically need an IPS for wireless systems, you should give Open WIPS-NG a try. This is a free tool that will detect intrusion and allow you to set up automatic responses.
Open WIPS-NG is an open source project. The software can only be run on Linux. The key element of the tool is a wireless packet sniffer. The sniffer element is a sensor module, which works both as a data gatherer and a transmitter of solutions to block intrusion. This is a very competent tool because it was designed by the same people that wrote Aircrack-NG, which is well-known as a hacker tool.
Other elements of the tool are a server program, which runs the detection rules, and an interface. You can see wifi network information and potential problems on the dashboard. You can also set actions to kick in automatically when an intrusion is detected.
Fail2Ban is a lightweight IPS option. This free tool detects intrusion by host-based methods, which means that it examines log files for signs of unauthorized activities. Among the automated responses that the tool can implement is an IP address ban. These bans usually only last a few minutes, but you can adjust the blocking period in the utility’s dashboard. The detection rules are called ‘filters’ and you can associate a remediation action with each of them. That combination of a filter and an action is called a ‘jail.’
Fail2Ban can be installed on Unix, Linux, and Mac OS.
Zeek (formerly called Bro until 2019) is another great free IPS. This software installs on Linux, Unix, and Mac OS. Zeek uses network-based intrusion detection methods. While tracking the network for malicious activity, Zeek also gives you statistics on the performance of your network devices and traffic analysis.
The detection rules of Zeek operate at the Application Layer, which means that it is able to detect signatures across network packets. Zeek also has a database of anomaly-related detection rules. The detection stage of Zeek’s work is conducted by the ‘event engine.’ This writes packets and suspicious events to file. Policy scripts search through the stored records for signs of intruder activity. You can write your own policy scripts, but they are also included with the Zeek software.
As well as looking at network traffic, Zeek will keep an eye on device configurations. Network anomalies and irregular behavior of network devices are tracked through the monitoring of SNMP traps. As well as regular network traffic, Zeek pays attention to HTTP, DNS, and FTP activity. The tool will also alert you if it detects port scanning, which is a hacker method used to gain unauthorized access to a network.
Choosing an Intrusion Prevention System Tool
When you read through the definitions of the IPS tools in our list, your first task will be to narrow down your selection according to the operating system of the server on which you intend to install your security software.
Remember, these solutions do not replace firewalls and antivirus software – they provide protection in areas these traditional system security methods cannot watch.
Your budget will be another deciding factor. Most of the tools on this list are free to use.
However, the risks of being sued if hackers get hold of the customer, supplier, and employee data stored on your company IT system, will lose your company a lot of money. In that context, the cost of paying for an intrusion prevention system is not that great.
Make an audit of the skills that you have onsite. If you don’t have any staff that could handle the technical task of setting up detection rules, then you would probably be better off selecting a tool that is professionally supported.
Do you currently run an intrusion prevention system? Which do you use? Are you thinking of switching to a different IPS? Leave a comment in the Comments section below to share your experience with the community.
IPS Software Tools FAQs
How is an IPS different from a firewall?
A firewall sits at the boundary of a system – either a network or an individual computer – while an IPS examines packets that travel on the network. One of the blocking strategies that an IPS can implement is to update the rules of a firewall to block access to a suspicious IP address.
Which is better, IDS or IPS?
An intrusion detection system seeks out anomalous behavior and notifies the network administrator when suspicious activity is detected. An intrusion prevention system automatically triggers remediation workflows to block suspicious activity. The decision over which is better depends on personal preference. Do you want to be given the choice to decide whether to take action or do you want that decision to be made for you?
Can an IPS prevent a DDoS attack?
IPS services aren’t suited to defense against DDoS attacks. This is because a DDoS strategy never makes it onto the network where IPSs operate. A DDoS attack sends a flood of malformed connection requests without any intention of ever making a connection. Edge services are a more appropriate mechanism for absorbing DDoS traffic.