Intrusion prevention systems, also known as IPSs, offer ongoing protection for the data and IT resources of your company. These security systems work within the organization and make up for blind spots in the traditional security measures that are implemented by firewalls and antivirus systems.
Here is our list of the best IPS tools:
- Datadog Real-time Threat Monitoring EDITOR’S CHOICE A combination of cloud-based network monitoring and a SIEM system that work together to watch over network performance while also spotting anomalous behavior that could indicate an insider threat or an intruder. Start a 14-day free trial.
- SolarWinds Security Event Manager (FREE TRIAL) This powerful security tool uses both network-based and host-based intrusion detection methods and takes preventative action. Pre-installed presets will get you up and running in no time. Installs on Windows Server or via cloud. Start a 30-day free trial.
- ManageEngine Endpoint DLP Plus (FREE TRIAL) This software package blocks off the options for outright intruders and then focuses on detecting account takeover and insider threats. Runs on Windows Server. Start a 30-day free trial.
- CrowdStrike Falcon XDR This security package offers threat detection and automated responses. This is a cloud-based system with device-based agents.
- Splunk Widely used network analysis tool that has intrusion prevention features. Available for Windows, Linux, and in the cloud.
- Sagan Free intrusion prevention system that mines log files for event data. Installs on Unix, Linux, and Mac OS, but can gather log messages from Windows systems.
- OSSEC The Open Source HIDS Security is highly respected and free to use. Runs on Windows, Linux, Mac OS, and Unix, but doesn’t include a user interface.
- Open WIPS-NG Open-source command-line utility for Linux that detects intrusion on wireless networks.
- Fail2Ban Free lightweight IPS that runs on the command line and is available for Linux, Unix, and Mac OS.
- Zeek Network-based intrusion detection system that operates on live traffic data. This tool installs on Linux, Unix, and Mac OS and is free to use.
Security weaknesses
Any system is only as strong as its weakest link. In most IT security strategies, the weakness lies with the human element of the system. You can enforce user authentication with strong passwords, but if users write passwords down and keep the note close to a device that has network access, you might as well not bother enforcing user authentication.
There are many ways that hackers can target employees of a company and trick them into disclosing their login details.
Phishing
In phishing attempts, the victim is presented with a link within an email that leads to a fake login page that looks like the usual entry screen of the mimicked service. When the victim tries to log in, that username and password go into the hacker’s database and the account is compromised without the user realizing what has happened.
Spearphishing
Hackers target company employees with phishing scams. They also practice spear phishing, which is a little more sophisticated than phishing. With spear phishing, the fake email and login page will be specifically designed to be like the site of the company being hacked and the emails will be directed specifically at the employees of the company. Spear phishing attempts are often used as phase one of a break-in attempt. The initial pass of a hack is to learn details about some of the employees of a company.
Doxxing
The information gathered in the spear phishing phase can be blended together with research into individuals by examining their social media pages, or combing through their career details. This targeted research is called doxxing. With the information gleaned, a targeted hacker can build up profiles of key players in a business and map the relationships of those people to other company personnel.
The doxxer will aim to get enough information in order to successfully mimic one employee. With this identity, he can gain the trust of others in the targeted company. By these tricks, the hacker can get to know the movements of the company’s accounting staff, its executives, and its IT support staff.
Whaling
Once the hacker has earned the trust of various staff members, he can trick login details out of anyone in the business. With a lot of confidence and the knowledge of the way people work together in a business, a con artist can even steal large amounts of money from a company without even having to log into the system; orders for bogus transfers can be given over the phone. This targeting of key personnel in a business is called whaling.
Attack strategies
Hackers have learned to use phishing, spear phishing, doxxing, and whaling to get around firewalls and antivirus software. If a hacker has the admin password, he can install software, set up user accounts, and remove security processes and get access to the entire network, its equipment, servers, databases, and applications unhindered.
These attack strategies have become so common that company network security administrators need to plan defenses that assume the system's boundary security measures have already been compromised.
In recent years, the advanced persistent threat (APT) has become a common strategy for hackers. In this scenario, a hacker can spend years with access to a company network, accessing data at will, using company resources to run covering VPNs through the company’s gateway. The hacker can even use the company’s servers for intensive activities such as cryptocurrency mining.
APTs go undetected because the hacker is in the system as an authorized user and he also makes sure to delete any log records that show his malicious activity. These measures mean that even when the intrusion is detected, it can still be impossible to trace and prosecute the intruder.
Intrusion detection systems
An essential element of intrusion prevention systems is the Intrusion Detection System (IDS). An IDS is designed to look for unusual activity. Some detection methodologies mimic the strategies employed by firewalls and antivirus software. These are called signature-based detection methods. They look for patterns in data to spot known indicators of intruder activity.
A second IDS method is called anomaly-based detection. In this strategy, the monitoring software looks for unusual activities that either don’t fit the logical pattern of user or software behavior or that don’t make sense when examined in the context of the expected duties of a particular user. For example, you wouldn’t expect to see a user from the Personnel Department logged in and altering the configuration of a network device.
An intruder does not necessarily need to be an outsider. You can get intrusion into areas of your network by employees exploring beyond the facilities to which they are expected to need access. Another problem lies with employees who exploit their authorized access to data and facilities in order to destroy or steal them.
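To make the two detection methods concrete, here is an added example (not from the original article or any of the products it reviews): a toy signature rule set and a baseline-learning anomaly rule run over constructed audit events. The event fields, department names and command patterns are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One audit-log record: who did what, from which department."""
    user: str
    department: str
    action: str       # normalized action type, e.g. "edit_payroll"
    detail: str = ""  # free text such as a command line


# Signature-based detection: fixed patterns for known indicators of intruder
# activity. Both patterns are constructed for this example, not a real rule set.
SIGNATURES = {
    "event_log_cleared": re.compile(r"\bwevtutil\s+cl\b", re.I),
    "local_admin_added": re.compile(r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", re.I),
}


def signature_findings(event):
    """Names of every signature rule whose pattern occurs in the event detail."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(event.detail)]


class AnomalyDetector:
    """Anomaly-based detection: learn which action types each department
    performs during a training window, then flag any action outside that
    baseline (the Personnel user reconfiguring a network device, above)."""

    def __init__(self):
        self.baseline = defaultdict(set)  # department -> actions seen in training

    def train(self, events):
        for e in events:
            self.baseline[e.department].add(e.action)

    def anomaly_findings(self, event):
        if event.action in self.baseline[event.department]:
            return []
        return ["unexpected_action:%s:%s" % (event.department, event.action)]


def classify(event, detector):
    """Run both methods; an IPS would hand non-empty findings to its responses."""
    return signature_findings(event) + detector.anomaly_findings(event)


# Constructed training window of normal activity.
NORMAL = [
    Event("alice", "personnel", "view_hr_record"),
    Event("alice", "personnel", "edit_payroll"),
    Event("bob", "network_ops", "change_router_config", "conf t; interface g0/1"),
    Event("bob", "network_ops", "run_command", "show ip route"),
]

# Constructed events to classify.
SUSPECT = [
    Event("alice", "personnel", "view_hr_record"),                       # normal
    Event("alice", "personnel", "change_router_config", "conf t"),       # anomaly only
    Event("bob", "network_ops", "run_command", "wevtutil cl Security"),  # signature only
    Event("carol", "personnel", "run_command", "net localgroup administrators carol /add"),
]


def run_demo():
    """Return {"user:action": findings} for each SUSPECT event."""
    detector = AnomalyDetector()
    detector.train(NORMAL)
    return {"%s:%s" % (e.user, e.action): classify(e, detector) for e in SUSPECT}


if __name__ == "__main__":
    for key, findings in run_demo().items():
        print(key, "->", findings or "clean")
```

The last constructed event trips both methods at once, which is the common case for an account takeover: a known bad command issued by an account whose department never runs commands.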
Intrusion prevention
Intrusion prevention systems work to the maxim “better late than never.” Ideally, you wouldn’t want any outsiders getting unauthorized access to your system. However, as explained above, this is not a perfect world and there are many cons that hackers can pull to trick authorized users into giving away their credentials.
Specifically, intrusion prevention systems are extensions to intrusion detection systems. IPSs act once suspicious activity has been identified. So, there may already have been some damage done to the integrity of your system by the time the intrusion has been spotted.
The IPS is able to perform actions to shut down the threat. These actions include:
- Restoring log files from storage
- Suspending user accounts
- Blocking IP addresses
- Killing processes
- Shutting down systems
- Starting up processes
- Updating firewall settings
- Alerting, recording, and reporting suspicious activities
Responsibility for the administrative tasks that make many of these actions possible is not always clearly assigned. For example, protecting log files with encryption and backing them up so that they can be restored after tampering are two threat protection activities that are usually defined as intrusion detection system tasks.
Limitations of intrusion prevention systems
There are many potential points of weakness in any IT system, but an IPS, although very effective at blocking intruders, is not designed to close down all potential threats. For example, a typical IPS does not include software patch management or configuration control for network devices. The IPS won’t manage user access policies or prevent employees from copying corporate documents.
IDSs and IPSs offer threat remediation only once an intruder has already begun activities on a network. However, these systems should be installed to provide an element in a series of network security measures to protect information and resources.
The best Intrusion Prevention Systems
There is a remarkably large number of IPS tools available at the moment. Many of these are free. However, it would take you a long time to study and try every single IPS on the market. This is why we have put together this guide to intrusion prevention systems.
Our methodology for selecting an IPS tool
We reviewed the IPS market and analyzed tools based on the following criteria:
- Procedures to detect email-bound cons, such as phishing
- Automated attack mitigation steps
- The ability to interface with other IT security systems
- Settings to let the user allow automated response
- Data storage for historical analysis plus analytical tools in the dashboard
- Attack protection for the IPS’s own processes and logs
- A free, demo, trial, or money-back guarantee
- Value for money
1. Datadog Real-time Threat Monitoring (FREE TRIAL)
Datadog’s Real-time Threat Monitoring is part of its network monitoring system, which includes a built-in threat detection platform. Datadog is a cloud-based service that is delivered in modules to cover network and device monitoring, applications monitoring, and web performance monitoring.
Key Features:
- Cloud-based
- Network threat monitoring
- Cloud security posture management
- Cloud workload security
The security features of the network traffic monitor are based on Threat Detection Rules. These are supplied, but it is possible to create new rules. They establish a pattern of traffic that the system looks out for and if one of the combinations of events that a rule describes gets spotted, the service triggers an alert. The service also includes Security Rules, which are similar to Threat Detection Rules but they specify searches in several different data sources.
The Security Monitoring service is an add-on to the standard Infrastructure Monitoring or Network Performance Monitoring modules of Datadog and it is priced per GB of analyzed data. Datadog offers a 14-day free trial of the Security Monitoring service.
Pros:
- Live activity tracking across networks and internet links
- Analytical tools for manual analysis and threat identification
- A menu of cloud security options
- Protects on-premises and cloud systems
- Unified threat hunting
- Tailoring for standards compliance
Cons:
- A collection of services rather than a single product
EDITOR’S CHOICE
Datadog Real-time Threat Monitoring is our #1 pick for an IPS solution because it enables you to set up security policies that cross platforms, so its data loss prevention and threat detection procedures won’t block your users who need access to off-site resources. The Datadog platform is able to draw an invisible boundary around dispersed resources and users to create a unified monitoring space. This virtual environment can then be tracked for threats to data integrity and privacy through SIEM-based techniques that include automated responses to keep your company within compliance with the standards that it needs to follow. This tool is flexible and expandable with options to integrate other modules, such as an APM and a network monitor to implement unified performance and security monitoring.
Download: Start 14-day FREE Trial
Official Site: https://www.datadoghq.com/threat-monitoring/
OS: Cloud-based
2. SolarWinds Security Event Manager (FREE TRIAL)
The SolarWinds Security Event Manager controls access to log files, as the name suggests. The package doesn’t include a network monitoring facility of its own, but you can add that capability by feeding in network data gathered by the free packet sniffer Snort. This setup gives you two perspectives on intrusion, because IDSs use two categories of detection strategy: network-based and host-based. A host-based intrusion detection system examines the records contained in log files; a network-based system detects events in live traffic data.
Key Features:
- A SIEM
- Log server and log file manager
- Feed in network data
- Event correlation rules
- Active responses for threat remediation
The instructions to detect signs of intrusion are included with the SolarWinds software package – these are called event correlation rules. You can choose to leave the system to just detect intrusion and block threats manually. You can also activate the IPS functions of the SolarWinds Security Event Manager to get threat remediation performed automatically.
The IPS section of the SolarWinds Security Event Manager implements actions when threats are detected. These workflows are called Active Responses. A response can be linked to a specific alert. For example, the tool can write to firewall tables to block network access to an IP address that has been identified as performing suspicious acts on the network. You can also suspend user accounts, stop or start processes, and shut down hardware or the entire system.
The SolarWinds Security Event Manager can only be installed on Windows Server. However, its data sources are not limited to Windows logs – it can also gather threat information from Unix and Linux systems connected to host Windows systems over the network.
You can get a 30-day free trial of the SolarWinds Security Event Manager to test it for yourself.
Pros:
- Log searches for event detection
- Collects Windows Events, Syslog, and application logs
- Automated threat detection searches
- Automated threat remediation
- Live scans and on-demand auditing
Cons:
- No SaaS version
SolarWinds Security Event Manager comes with hundreds of correlation rules on install that alert you to any suspicious behaviors in real time. It’s fairly easy to set up new rules thanks to the normalization of log data. We particularly like the new dashboard that gives you a front-row seat when it comes to identifying potential network vulnerabilities.
Download: Get 30-day FREE Trial
Official Site: solarwinds.com/security-event-manager
OS: Windows 10, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure
3. ManageEngine Endpoint DLP Plus (FREE TRIAL)
ManageEngine Endpoint DLP Plus detects sensitive data and then blocks access to the files that contain it.
Key Features:
- File protection
- Data movement controls
- User activity tracking
If any intruder wants to steal data on a system that is protected by Endpoint DLP Plus, the only option is to hijack a user account. This is because the only way to access data is through a designated trusted application, which is guarded by access rights credentials. Suspicious access attempts through these applications trigger deeper scrutiny of that user account’s activities. This could be to track an insider threat or identify a stolen account.
The tool also controls file movements to USB devices, print queues, email systems, and cloud upload facilities.
Endpoint DLP Plus is a software package for Windows Server. There is a Free Edition to manage data on up to 25 computers. The paid version is called the Professional Edition and you can get it on a 30-day free trial. If you decide not to buy at the end of the trial, the package switches over to the Free Edition.
Pros:
- Compliance with PCI DSS, HIPAA, GDPR, and other security standards
- File access restrictions
- Suspicious user tracking and analysis
Cons:
- Not a SaaS package
Download: Start 30-day FREE Trial
4. CrowdStrike Falcon XDR
CrowdStrike Falcon XDR is an endpoint detection and response system with added interaction with third-party security tools. The system uses security orchestration, automation, and response (SOAR) to improve both threat hunting and threat mitigation.
Key Features:
- Hybrid system
- Coordinates on-premises security tools
- Orchestrates threat responses
CrowdStrike Falcon is a cloud platform of security modules and the XDR builds on a couple of other products on the SaaS system. The first of these is an endpoint protection system called CrowdStrike Falcon Prevent – a next-generation anti-virus. The Prevent tool installs on each endpoint. There are versions of this system for Windows, macOS, and Linux. This system is able to continue protecting endpoints even when the network is down.
The next layer up in the XDR solution is Falcon Insight. This is an endpoint detection and response (EDR) system that coordinates the activity of each Falcon Prevent installation in the enterprise. This gives a system-wide view and creates a private threat intelligence network. The cloud module of Falcon Insight receives activity data from each Falcon Prevent instance, pools these feeds, and scans through for indicators of compromise (IoCs). If a threat is detected, Insight sends back remediation instructions to the Prevent units.
Falcon XDR adds on SOAR, which means that it can collect event data from third-party tools and unprotected devices, such as switches and routers that don’t have a Falcon Prevent service available. The system is also able to send instructions to non-Falcon products, such as firewalls. Start a 15-day free trial.
Pros:
- Endpoint detection and response with added features
- Security orchestration, automation, and response
- Endpoint protection continues if the device is isolated from the network
Cons:
- Requires Falcon Prevent to be installed on every endpoint
5. Splunk
Splunk is a network traffic analyzer that has intrusion detection and IPS capabilities.
Key Features:
- Flexible data processing tool
- SIEM option
- Automated responses
There are four editions of Splunk:
- Splunk Free
- Splunk Light (30-day free trial)
- Splunk Enterprise (60-day free trial)
- Splunk Cloud (15-day free trial)
All versions except Splunk Cloud run on Windows and Linux. Splunk Cloud is available on a Software-as-a-Service (SaaS) basis over the internet. Splunk’s IPS functions are only included in the Enterprise and Cloud editions. The detection system operates both on network traffic and on log files. The detection method searches for anomalies, which are patterns of unexpected behavior.
A higher level of security can be gained by opting for the Splunk Enterprise Security add-on. This is available on a seven-day free trial. This module enhances the anomaly detection rules with AI and includes more executable actions for intrusion remediation.
Pros:
- Suitable for a range of data analysis functions
- Specialist threat hunting module
- Choice of on-premises or SaaS
Cons:
- Free version now only lasts 60 days
6. Sagan
Sagan is a free intrusion detection software system that has script execution capabilities. The facility to connect actions to alerts makes this an IPS.
Key Features:
- Host-based intrusion detection system
- Free to use
- Automated responses
The main detection methods of Sagan involve the monitoring of log files, which means that this is a host-based intrusion detection system. If you also install Snort and feed output from that packet sniffer into Sagan, you will also get network-based detection facilities from this tool. Alternatively, you can feed network data gathered with Zeek (formerly Bro) or Suricata into the tool. Sagan can also exchange data with other Snort-compatible tools, including Snorby, Sguil, Anaval, and BASE.
Sagan installs on Unix, Linux, and Mac OS. However, it is also able to pick up event messages from connected Windows systems. Extra features include IP address location tracing and distributed processing.
Pros:
- A free on-premises package
- Combines with network-based IDSs
- Long-standing and highly respected system
Cons:
- Requires technical skills to set up
7. OSSEC
OSSEC is a very popular IPS. Its detection methodologies are based on examining log files, which makes it a host-based intrusion detection system. The name of this tool stands for ‘Open Source HIDS Security’ (despite the lack of an ‘H’ there).
Key Features:
- Free to use
- Highly regarded
- Host-based
The fact that this is an open-source project is great because it also means that the software is free to use. Despite being open-source, OSSEC is actually owned by a company: Trend Micro. The downside of using free software is that you don’t get support. The tool is widely used and the OSSEC user community is a great place to get tips and tricks on using the system. However, if you don’t want to risk relying on amateur advice for your company software, you can buy a professional support package from Trend Micro.
The detection rules of OSSEC are called ‘policies.’ You can write your own monitoring policies or get packs of them for free from the user community. It is also possible to specify actions that should be implemented automatically when specific warnings arise.
OSSEC runs on Unix, Linux, Mac OS, and Windows. There is no front end for this tool, but you can interface it with Kibana or Graylog. Visit their downloads page.
Pros:
- Large user community
- Detection rules available for free
- Customizable with a detection rule language
Cons:
- A professional support package is available for a fee
See also: The Best HIDS Tools
8. Open WIPS-NG
If you specifically need an IPS for wireless systems, you should give Open WIPS-NG a try. This is a free tool that will detect intrusion and allow you to set up automatic responses.
Key Features:
- Free tool
- Scans wireless channels
- Provides intrusion detection
Open WIPS-NG is an open-source project. The software can only be run on Linux. The key element of the tool is a wireless packet sniffer. The sniffer element is a sensor module, which works both as a data gatherer and as the transmitter of the commands that block an intrusion. This is a very competent tool because it was designed by the same people who wrote Aircrack-ng, which is well known as a hacker tool.
Other elements of the tool are a server program, which runs the detection rules, and an interface. You can see wifi network information and potential problems on the dashboard. You can also set actions to kick in automatically when an intrusion is detected.
Pros:
- Written by the creators of a hacker tool
- Detects intruders
- Facility to boot off intruders
Cons:
- Command line system that only runs on Linux
9. Fail2Ban
Fail2Ban is a lightweight IPS option. This free tool detects intrusion by host-based methods, which means that it examines log files for signs of unauthorized activities.
Key Features:
- Free tool
- Host-based detection
- Blocks IP addresses
Among the automated responses that the tool can implement is an IP address ban. These bans usually only last a few minutes, but you can adjust the blocking period in the utility’s dashboard. The detection rules are called ‘filters’ and you can associate a remediation action with each of them. That combination of a filter and an action is called a ‘jail’.
Fail2Ban can be installed on Unix, Linux, and Mac OS.
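The filter, action and jail mechanism described above, as an added example that is not Fail2Ban’s own code: a small Python model of one jail (a filter regex plus maxretry, findtime, bantime and a ban action) replayed over a constructed sshd-style log. The log lines, timestamps and addresses are made up for the illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Jail:
    """A Fail2Ban-style jail: one filter regex plus the parameters that decide
    when the ban action fires. Times are seconds, like findtime and bantime."""
    name: str
    failregex: re.Pattern
    maxretry: int = 5
    findtime: int = 600
    bantime: int = 600
    failures: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> timestamps
    banned_until: dict = field(default_factory=dict)                    # ip -> expiry time

    def is_banned(self, ip, now):
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned_until[ip]  # bantime has elapsed: the block is lifted
            return False
        return True

    def ban(self, ip, now):
        """The action: record the ban (a real deployment would add a firewall rule)."""
        self.banned_until[ip] = now + self.bantime
        self.failures.pop(ip, None)

    def process(self, ts, line):
        """Feed one log line; return the IP banned by this line, or None."""
        match = self.failregex.search(line)
        if not match:
            return None
        ip = match.group("host")
        if self.is_banned(ip, ts):
            return None
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.ban(ip, ts)
            return ip
        return None


# Filter modelled on sshd's failed-password message. The named group plays the
# role of the <HOST> placeholder in a Fail2Ban filter definition.
SSHD_FILTER = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed log as (epoch seconds, message), using documentation addresses.
# 203.0.113.7 keeps failing; 198.51.100.4 fails once and then logs in normally.
SAMPLE_LOG = [
    (1000, "Failed password for root from 203.0.113.7 port 51022 ssh2"),
    (1001, "Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2"),
    (1002, "Failed password for root from 198.51.100.4 port 40001 ssh2"),
    (1004, "Accepted publickey for deploy from 198.51.100.4 port 40002 ssh2"),
    (1900, "Failed password for root from 203.0.113.7 port 51025 ssh2"),  # first two expired
    (1901, "Failed password for root from 203.0.113.7 port 51026 ssh2"),
    (1902, "Failed password for root from 203.0.113.7 port 51027 ssh2"),  # third in window
    (2000, "Failed password for root from 203.0.113.7 port 51028 ssh2"),  # already banned
]


def run_jail(log=SAMPLE_LOG, maxretry=3, findtime=600, bantime=600):
    """Replay the log through one jail; return (jail, [(ts, banned_ip), ...])."""
    jail = Jail("sshd", SSHD_FILTER, maxretry=maxretry, findtime=findtime, bantime=bantime)
    bans = []
    for ts, line in log:
        ip = jail.process(ts, line)
        if ip:
            bans.append((ts, ip))
    return jail, bans
```

With maxretry=3 the repeat offender is not banned at its third failure, because the first two fall outside the 600-second findtime window by then; the ban fires at the third failure inside one window and lapses 600 seconds later.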
Pros:
- Fast log file scanning
- Create a jail by combining filters with actions
- Runs on Linux, macOS, and Unix
Cons:
- No GUI interface
10. Zeek
Zeek (called Bro until 2019) is another great free IPS. This software installs on Linux, Unix, and Mac OS. Zeek uses network-based intrusion detection methods. While tracking the network for malicious activity, Zeek also gives you statistics on the performance of your network devices and traffic analysis.
Key Features:
- Free tool
- Scans network traffic
- Selects and stores suspicious packets
The detection rules of Zeek operate at the Application Layer, which means that it is able to detect signatures across network packets. Zeek also has a database of anomaly-related detection rules. The detection stage of Zeek’s work is conducted by the ‘event engine.’ This writes packets and suspicious events to file. Policy scripts search through the stored records for signs of intruder activity. You can write your own policy scripts, and a set of them is also included with the Zeek software.
As well as looking at network traffic, Zeek will keep an eye on device configurations. Network anomalies and irregular behavior of network devices are tracked through the monitoring of SNMP traps. As well as regular network traffic, Zeek pays attention to HTTP, DNS, and FTP activity. The tool will also alert you if it detects port scanning, which is a hacker technique for finding a way into a network.
Pros:
- Can operate as a network monitor as well as a security package
- Device configuration protection
- Spots port scanning attempts
Cons:
- No professional support
Choosing an Intrusion Prevention System Tool
When you read through the definitions of the IPS tools in our list, your first task will be to narrow down your selection according to the operating system of the server on which you intend to install your security software.
Remember, these solutions do not replace firewalls and antivirus software – they provide protection in areas these traditional system security methods cannot watch.
Your budget will be another deciding factor. Most of the tools on this list are free to use.
However, if hackers get hold of the customer, supplier, and employee data stored on your company IT system, the risk of being sued could cost your company a lot of money. In that context, the cost of paying for an intrusion prevention system is not that great.
Make an audit of the skills that you have onsite. If you don’t have any staff that could handle the technical task of setting up detection rules, then you would probably be better off selecting a tool that is professionally supported.
Do you currently run an intrusion prevention system? Which do you use? Are you thinking of switching to a different IPS? Leave a comment in the Comments section below to share your experience with the community.