Talk:Intrusion prevention system

Comment
Is it correct to add what tests can be found? Both from vendors and from independent parties such as ICSA Labs?

-

I don't think "Intrusion prevention systems were invented by One Secure which was later acquired by NetScreen Technologies that was acquired by Juniper Networks in 2004" concerns IPS. This is more a company ad.

Indeed, IPS or inline IDS is attributed to Jed Haile who first developed inline IDS while working for the Department of Energy. Jed's work later became Hogwash (with help from Jason Larsen) followed by an independent release which became part of snort named snort-inline. Additionally, Vern Paxson implemented an inline IDS well before IPS was a glimmer in Nir Zuk's eyes.

Umm, what about Network ICE?
IPSs were simultaneously invented by a lot of people. The first instance of IPS I am familiar with is the BlackICE engine from NetworkICE. That was surely the first commercial IPS. NetworkICE had an in-line IPS on the market in 1999. Well ahead of OneSecure and the others.

I think it's best to leave off who invented it. Let's assume a number of different groups were developing the technology simultaneously in the late 1990s.

Does IPS mean inline
Long before (Internet time long before) inline IPS like Hogwash, most IDS had the functionality of performing prevention. The most common technique was the RESET packet. An IDS that saw an attack would send a RESET packet to the systems involved, killing the connection. This did not allow for UDP or ICMP protection. Also, this technique was vulnerable to a race condition between the attack and the RESET packet. Another technique, implemented in Checkpoint's OPSEC for example, was to send a command to the firewall to block the offending condition (most likely source address, but could be a particular subnet or even port). This did address follow-on unspoofed UDP attacks. It also proved useful against scan and exploit oriented attacks like worms.

The inline IPS was just a step in integration between the firewall and the IDS. I would debate giving too much credit for a particular instance or product. To conclude, prevention occurred at the host-based level in anti-virus products a decade before the network layer.
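
The three response models compared in the comment above, as an added example that is not part of the original discussion: a passive sensor that injects a TCP RESET, a passive sensor that tells the firewall to block the source, and an inline device that drops what it inspects. The packet timeline, the 5 ms reaction delay and all names are constructed assumptions.

```python
from dataclasses import dataclass

REACTION_MS = 5.0  # assumed delay before an out-of-band response takes effect

@dataclass
class Packet:
    t: float         # time the packet passes the sensor, in ms
    src: str
    proto: str       # "tcp" or "udp"
    flow: int
    malicious: bool  # verdict the detection engine reaches for this packet

# Constructed timeline: one TCP attack flow, then UDP follow-on from the same source.
SAMPLE = [
    Packet(0.0, "203.0.113.5", "tcp", 1, True),
    Packet(1.0, "198.51.100.7", "tcp", 9, False),
    Packet(2.0, "203.0.113.5", "tcp", 1, True),   # inside the race window
    Packet(20.0, "203.0.113.5", "tcp", 1, True),
    Packet(30.0, "203.0.113.5", "udp", 2, True),
    Packet(40.0, "203.0.113.5", "udp", 2, True),
]

def delivered(packets, mode):
    """Times of malicious packets that still reach the target.

    mode "rst":      passive sensor injects a TCP RESET for the flow
    mode "fw_block": passive sensor tells the firewall to block the source
    mode "inline":   inline device drops the packet it is inspecting
    """
    never = float("inf")
    dead_flow, blocked_src, through = {}, {}, []
    for p in sorted(packets, key=lambda p: p.t):
        if mode == "inline" and p.malicious:
            continue  # dropped before it is forwarded, no race
        if mode == "rst" and p.t >= dead_flow.get(p.flow, never):
            continue  # connection already torn down
        if mode == "fw_block" and p.t >= blocked_src.get(p.src, never):
            continue  # firewall rule already in place
        if not p.malicious:
            continue  # benign traffic passes; not counted
        through.append(p.t)
        if mode == "rst" and p.proto == "tcp":  # a RESET only exists for TCP
            dead_flow.setdefault(p.flow, p.t + REACTION_MS)
        if mode == "fw_block":
            blocked_src.setdefault(p.src, p.t + REACTION_MS)
    return through

if __name__ == "__main__":
    for mode in ("rst", "fw_block", "inline"):
        print(mode, delivered(SAMPLE, mode))
```

In this timeline the RESET model lets the first two TCP packets and all UDP packets through, the firewall-block model stops everything after the reaction delay, and only the inline model stops the first packet.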

Propose move to Intrusion prevention system (no dash)
Any objections? --Romanski (talk) 13:53, 21 April 2008 (UTC)

I second the move. The current article title is inconsistent with the rest of the article. Most people are going to search for Intrusion prevention system or IPS, not Intrusion-prevention system.--71.104.232.71 (talk) 16:06, 9 August 2009 (UTC)


 * IMHO, the correct term is without the "-"; at least that's the way I've seen it in most sources (eg: NIST 800-series guide). Regards, DPdH (talk) 16:22, 2 September 2009 (UTC)

It is totally incorrect to merge the Intrusion prevention system topic with the topic Intrusion detection system; you are confusing two sorts of things: one can be analysis, the other is a tool. I hope you check your country accountability regulation if you have other source for accounting spendings as this matters or refers to ISACA and COBITs analysis. Max LeBlan —Preceding undated comment added 10:08, 6 June 2013 (UTC)

These are two separate things that are related. IDS only logs malicious activity while IPS attempts to prevent malicious activity. Regalrecaller (talk) 20:54, 9 April 2014 (UTC)

HIPS and codecs...
Enabling HIPS with certain codecs on (Especially DVD Codecs) may cause the program that is playing the DVD to crash before the DVD even starts. Is this confirmed or waiting to be confirmed? Example: If you install Cole2k.net's advanced codec package and use Spyware Terminator's HIPS Protection, it will freeze Windows Media Center when using those codecs. 66.168.19.135 (talk) 05:07, 4 July 2008 (UTC)

Comment, references and external links
Refs 1 and 6 are the same; is it a known problem in Wiki? The external document (external link) "NIST SP 800-31, Intrusion Detection Systems" has been officially replaced by "NIST SP 800-83, Guide to Malware Incident Prevention and Handling"; see Section 1.2, page 1-1. It also has to be deleted here. — Preceding unsigned comment added by 194.39.218.10 (talk) 10:27, 9 November 2011 (UTC)

Isn't this IDS behaviour?
Hi.

Don't really know if I should make a comment about this or not. Just reading through the detailed overview of an IPDS: "More specifically, IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address." Just noticed that in that quote it mentions that an IPS can take an action such as sending an alarm if malicious traffic is detected. If it simply let the traffic through, doing nothing else but sending an alarm alerting some personnel such as a network manager, wouldn't that be kind of useless? By the time the network manager could do anything about it the damage could have already been done and the malicious packets could have got through. That sounds similar to IDS behaviour, only logging events but letting the malicious traffic through. An IDS only makes logs of alerts but does nothing to stop them; it's like a guard dog with no teeth, it will bark but won't bite. — Preceding unsigned comment added by 86.27.52.108 (talk) 12:38, 29 May 2012 (UTC)

I concur that sending an alarm is not a differentiator from IDS. — Preceding unsigned comment added by 15.203.233.81 (talk) 21:54, 20 July 2015 (UTC)

Like....what?
Can someone give one or more examples/links in the article? There's not even 1 example of an IPS system.... is SNORT one? 128.193.8.44 (talk) 02:43, 1 January 2013 (UTC)

Answer: Sourcefire, Proventia GX - IBM, TippingPoint - HP, McAfee IPS

For testing purposes
Currently, the CompTIA Network+ exam distinguishes between intrusion "prevention", and intrusion "detection" systems. I would suggest NOT merging these two things together, just to avoid confusion among students preparing to take this certification test. If the test is changed in the future, then I think that is when these two topics should be merged together.

IDS vs IPS
An IDS is a passive device or software that detects and reports intrusive behavior. An IPS is an active device or software that detects, reports and will block intrusive behavior by shutting down the connection.

CISCO defines it here

BMellon (talk) 21:38, 3 September 2013 (UTC)