Safeguard
Best Practices

What is an Intrusion Prevention System (IPS)

An IPS blocks malicious traffic inline in real time, but it can't stop supply chain attacks hidden inside trusted code and dependencies.

James
Principal Security Architect
7 min read

An Intrusion Prevention System (IPS) is a network security control that sits inline with traffic — not just watching it, like an IDS, but actively blocking it. It inspects packets against known-bad signatures, protocol anomalies, or behavioral rules, and when it finds a match, it drops the packet, resets the connection, or blocks the source IP before the payload reaches its target. The category dates back to the late 1990s with tools like Snort (1998), and it now spans dedicated appliances, next-gen firewalls with built-in threat prevention (Palo Alto, Fortinet, Cisco Firepower), and cloud-native services like AWS Network Firewall and Azure Firewall Premium. When Log4Shell (CVE-2021-44228) went public on December 9, 2021, IPS vendors shipped detection signatures for the JNDI lookup pattern within 24–48 hours — buying defenders time while patches rolled out. This post covers how IPS works, where it fits, and where it falls short against modern software supply chain threats.

How does an IPS actually stop an attack in real time?

An IPS stops an attack by sitting directly in the traffic path (inline, not out-of-band like a tap-based IDS) and making an allow/block decision on every packet or flow before it's forwarded. It typically works through three inspection methods: signature matching against a database of known attack patterns (similar to antivirus, but for network traffic), protocol anomaly detection that flags malformed or non-compliant packets (e.g., a DNS response over 512 bytes without EDNS0), and stateful behavioral analysis that watches for patterns like a single host issuing 500+ failed SSH login attempts in under a minute. Snort and Suricata, the two dominant open-source engines, both ship rule sets — Emerging Threats and Talos, respectively — with tens of thousands of signatures updated daily. Commercial platforms like Palo Alto's Threat Prevention or Trend Micro TippingPoint add machine-learning-based zero-day detection on top of signatures, because signature-only IPS misses anything without a published rule.

What's the actual difference between an IPS and an IDS?

The difference is enforcement: an IDS (Intrusion Detection System) only alerts, while an IPS blocks. An IDS like a Snort deployment in "tap" mode copies traffic via a SPAN port or network tap, analyzes it, and fires an alert to a SIEM or SOC queue — the malicious packet has already reached its destination by the time anyone sees the alert. An IPS deployed inline can drop that same packet in under a millisecond of added latency for well-tuned signature sets, before it ever reaches the target host. The tradeoff is risk: a false positive in IDS mode just generates a noisy alert, but a false positive in IPS mode can break production traffic — which is why many security teams initially deploy new rule sets in "detect-only" IPS mode for 1–2 weeks before flipping them to blocking mode. Gartner's Magic Quadrant has folded standalone IPS into the broader Network Firewall / secure network category since 2019, reflecting that most enterprises now buy inline prevention as a firewall feature rather than a separate box.

What types of IPS deployment models are used in production?

There are four common deployment models: network-based (NIPS), host-based (HIPS), wireless (WIPS), and network behavior analysis (NBA). A NIPS sits at a chokepoint like a data center edge or between network segments and inspects all traffic crossing it — this is what most people mean by "IPS." A HIPS, like OSSEC or CrowdStrike Falcon's prevention policies, runs as an agent on an individual server or endpoint and can block malicious system calls or process behavior even on encrypted traffic the network layer never sees. WIPS monitors 802.11 traffic for rogue access points and deauthentication attacks. NBA tools baseline normal traffic volume and flag deviations, such as a database server that normally sends 2 GB/day suddenly exfiltrating 40 GB in an hour. Cloud environments have pushed a fifth model — CNAPP-integrated inline inspection, such as AWS Network Firewall or GCP Cloud IPS — since traditional inline hardware appliances can't sit inside a VPC the way they sat in a physical data center rack.

Can an IPS stop a zero-day or a software supply chain attack?

No — a traditional signature-based IPS cannot reliably stop a zero-day or a supply chain compromise, because both attack the application layer with novel code rather than a known network exploit pattern. The XZ Utils backdoor (CVE-2024-3094), discovered on March 29, 2024, was injected into build scripts of a compression library used by OpenSSH indirectly on Debian and Fedora systems — it operated inside a legitimate, signed SSH connection an IPS would have no reason to flag. Similarly, the 2020 SolarWinds/SUNBURST campaign moved through DNS traffic to attacker-controlled domains that were, at the time, unflagged and reputationally clean, so IPS reputation feeds didn't catch it until threat intel caught up weeks later. IPS platforms are built to catch exploitation of known vulnerabilities in transit — a Log4Shell payload crossing the wire, a SQL injection string in an HTTP request — not malicious code shipped inside a dependency that gets pulled at build time via npm install or pip install. That gap is exactly why software composition analysis (SCA) and SBOM-based tooling exist as a separate, necessary layer.

How much does IPS deployment actually reduce breach risk?

IPS deployment reduces risk primarily against known, network-exploitable vulnerabilities, but IBM's Cost of a Data Breach Report 2023 still put the average breach lifecycle at 204 days to identify and 73 days to contain even at organizations running mature perimeter defenses including IPS. That's because the report's dataset skews toward breaches that originated from stolen credentials (the top initial attack vector at 15% of breaches) and phishing, not network-layer exploits an IPS is built to catch. Verizon's 2024 DBIR found that exploitation of vulnerabilities as an initial access vector nearly tripled year-over-year, driven heavily by attacks on edge devices and VPNs — a category IPS does help with, provided signatures exist and are current. The practical takeaway: IPS meaningfully reduces exposure to known CVEs actively being scanned and exploited over the network, but it's one control in a stack, not a substitute for patching, identity controls, or application-layer supply chain visibility.

What should a security team actually look for when choosing or tuning an IPS?

A security team should prioritize signature freshness, inline throughput at their actual traffic volume, and a false-positive rate low enough to run in blocking mode rather than detect-only mode. Ask any vendor how often their signature database updates — Talos and Emerging Threats both push daily, while some commercial appliances batch updates weekly, which matters when a CVE like Log4Shell needs same-day coverage. Check throughput specs against real traffic, not marketing max numbers: a 10 Gbps-rated appliance running full TLS decryption and deep packet inspection often delivers closer to 3–4 Gbps in practice, so undersizing causes either dropped packets or, worse, engineers disabling inspection under load. Finally, budget time for tuning — a fresh Suricata deployment with the full Emerging Threats ruleset enabled will generate an unmanageable volume of alerts against normal enterprise traffic until rules are scoped to the actual protocols, ports, and asset criticality in that environment, typically a 2–4 week tuning cycle before it's trustworthy in blocking mode.

How Safeguard Helps

IPS covers the network layer, but the fastest-growing breach path today runs through code and dependencies before a single packet ever needs blocking — which is where Safeguard focuses. Safeguard generates and ingests SBOMs across your build pipeline to maintain a live inventory of every open-source component in production, then runs reachability analysis to determine whether a vulnerable function in a dependency like Log4j or XZ Utils is actually called by your application code, cutting through the noise of CVEs that exist on paper but pose no real exploit path. Griffin AI, Safeguard's detection engine, correlates that reachability data with exploit intelligence to prioritize the handful of findings that matter out of the hundreds an SCA scan typically returns. When a fix is available, Safeguard opens an auto-fix pull request with the minimal version bump needed, so remediation ships in a PR review cycle instead of a multi-week backlog — closing the exact supply chain gap that network-layer IPS was never designed to cover.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.