IPS (Intrusion Prevention
System) is a
system similar to an IDS (Intrusion Detection System), but with the
goal of actively preventing an attack, not only detecting it. The
difference between the two is that an IPS, in addition of being able to
detect anomalous traffic, is also able to handle it. This way, it's
possible to achieve a higer degree of network security. IPS are
components in a firewall system.
don't know the correct
meaning of the word firewall. Firewall is an integrated protection
system used in computer networks. This system is made of packet
filters, state filters, IDS, IPS, proxies, network antivirus, etc. So,
for example, it is wrong that a machine running Iptables is the
firewall of a network. That's because Iptables is merely a packet and
states filter. It can only analyse data from the headers of the IP
packets passing through it (this means only source and destination
addresses, source and destination ports, transport protocol used, and
so on). A packet and states filter can't, for example, analyse the
contents of a packet (payload). Assuming that any machine in the
internet can connect to the port 80 of our web server or to the port 25
of our e-mail server, a packet with an attack or virus will pass
through Iptables and will get in our network. Iptables only checks the
packet source and destination, ignoring its contents.
The following picture shows an example of a firewall system. The gray
area represents the system.
In this case the IPS
used, HLBR, was positioned before the iptables packet filter. This way
we can even protect the iptables machine itself. It is also clear from
the picture that it isn't possible to provide a reasonable degree of
security to a network only with a machine running a packet and states
filter (as people usually do).
Now, look at the following picture:
Another HLBR was connected between the internal network and the network
servers, in order to provide an even higher degree of security to these
servers. Also, a honeypot or honeynet was implemented just after the
Internet, because HLBR can divert the attacks to that honeypot/net.
The most important conclusion is that a firewall system must be made
from several security elements. Each element works in a different way
and one doesn't replace the others.