Intrusion Prevention System (IPS) — Setup, Configuration, and Best Practices
A practical guide to deploying and configuring an Intrusion Prevention System for network security — from architecture to rule tuning and open-source options.
What is an Intrusion Prevention System?
An Intrusion Prevention System (IPS) is a network security technology that monitors network traffic in real-time, detects malicious activity, and automatically takes action to block or prevent threats — all without human intervention.
IPS vs IDS
| Feature | IDS (Detection) | IPS (Prevention) |
|---------|-----------------|------------------|
| Mode | Passive (monitor only) | Inline (active blocking) |
| Action | Alerts only | Blocks + alerts |
| Placement | Mirrored/SPAN port | Inline (between network segments) |
| Latency | None | Minimal (microseconds) |
| Risk | No disruption | False positive can block legitimate traffic |
An IDS tells you about threats. An IPS stops them.
IPS Architecture
Inline Deployment
The IPS sits directly in the traffic path between network segments:
```
[Internet] ──→ [Firewall] ──→ [IPS] ──→ [Internal Network]
                               │
                               ├──→ [Management Console]
                               └──→ [Log Server / SIEM]
```
All traffic passes through the IPS. If the IPS detects malicious traffic, it drops the packets before they reach the internal network.
High-Availability Deployment
For production environments, deploy IPS in HA mode:
```
                        ┌──→ [IPS Node 1] ──┐
[Firewall] ──→ [TAP] ──┤                    ├──→ [Core Switch]
                        └──→ [IPS Node 2] ──┘
                                (Standby)
```
If the primary IPS fails, traffic is automatically routed through the standby node.
Types of IPS Detection
1. Signature-Based Detection
Compares traffic against a database of known attack patterns (signatures):
- Pros: Highly accurate for known threats, low false positive rate
- Cons: Cannot detect zero-day attacks (unknown signatures)
- Example: Detecting a known SQL injection pattern in an HTTP request
2. Anomaly-Based Detection
Establishes a baseline of "normal" network behavior and flags deviations:
- Pros: Can detect unknown/zero-day attacks
- Cons: Higher false positive rate, requires training period
- Example: Detecting unusual outbound traffic volume from a server
3. Policy-Based Detection
Enforces predefined network policies:
- Pros: Simple and predictable
- Cons: Limited to what you define
- Example: Blocking all SSH traffic from the DMZ to the internal network
4. Protocol Analysis
Validates that traffic conforms to protocol specifications (RFC compliance):
- Pros: Catches protocol abuse and evasion techniques
- Cons: Can be resource-intensive
- Example: Detecting HTTP request smuggling or fragmentation attacks
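The anomaly-based approach above (learn a baseline, then flag deviations) is the one that is easiest to get wrong in practice, so here is an added example that is not part of the original guide: a per-host outbound-volume baseline in Python. The hourly byte counts are constructed sample data; the training-window length, the z-score cut-off and the host addresses are assumptions chosen for the illustration. A host with too few samples stays in the "training" state rather than being scored, which is the training-period caveat listed above made explicit.

```python
import statistics

# Constructed sample: hourly outbound byte counts per host. Seven hours of
# "normal" traffic form the training window; CURRENT_HOUR is the hour being scored.
TRAINING = {
    "10.0.1.20": [120_000, 130_000, 125_000, 118_000, 131_000, 127_000, 122_000],
    "10.0.1.21": [80_000, 82_000, 79_000, 81_000, 83_000, 80_500, 79_500],
    "10.0.1.22": [50_000, 52_000],  # newly added host: still in its training period
}
CURRENT_HOUR = {"10.0.1.20": 950_000, "10.0.1.21": 84_000, "10.0.1.22": 900_000}

MIN_SAMPLES = 5     # assumption: refuse to score a host with fewer training points
Z_THRESHOLD = 3.0   # assumption: flag anything more than 3 standard deviations above baseline


def baseline(samples):
    """Mean and population standard deviation of the training window."""
    return statistics.fmean(samples), statistics.pstdev(samples)


def zscore(value, mean, stdev):
    """How many standard deviations a value sits above the baseline mean.

    A flat baseline (stdev 0) makes any change infinitely surprising, which is
    exactly the false-positive trap a short training window creates.
    """
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def evaluate(training, current, min_samples=MIN_SAMPLES, z=Z_THRESHOLD):
    """Score every host in `current` against its training window.

    Returns {host: (status, z)} where status is "training", "normal" or "anomaly".
    """
    findings = {}
    for host, value in current.items():
        samples = training.get(host, [])
        if len(samples) < min_samples:
            findings[host] = ("training", None)
            continue
        mean, stdev = baseline(samples)
        score = zscore(value, mean, stdev)
        findings[host] = ("anomaly" if score > z else "normal", round(score, 1))
    return findings


if __name__ == "__main__":
    for host, (status, score) in evaluate(TRAINING, CURRENT_HOUR).items():
        print(f"{host:12} {status:9} z={score}")
```

Only 10.0.1.20 is reported: its 950 kB hour is far outside a baseline of roughly 125 kB with little variance. 10.0.1.22 sends even more, but with two training points it is not scored at all; an IPS that blocked on it would be acting on an unlearned baseline, which is the kind of false positive the "requires training period" caveat refers to.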
Setting Up Suricata IPS
Suricata is a powerful open-source IPS/IDS engine maintained by the OISF (Open Information Security Foundation).
Installation
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install suricata suricata-update

# Verify installation
suricata --build-info
```

Configuration
Edit the main configuration file:
```yaml
# /etc/suricata/suricata.yaml

# Network variables
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"

# IPS mode (inline): AF_PACKET copies packets between a pair of interfaces,
# so both interfaces need an entry, each with copy-iface pointing at the other
af-packet:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    threads: auto
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0

# Enable rule sources
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
```

The af-packet entries bridge eth0 and eth1 so Suricata itself sits in the traffic path. NFQueue, described next, is the alternative when the host already routes or filters the traffic with netfilter and Suricata inspects it from the queue.

Enable IPS Mode with NFQueue
```bash
# Configure iptables to send traffic to Suricata
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0
sudo iptables -I INPUT -j NFQUEUE --queue-num 0
sudo iptables -I OUTPUT -j NFQUEUE --queue-num 0

# Start Suricata in IPS mode
sudo suricata -c /etc/suricata/suricata.yaml -q 0
```

With no process bound to queue 0, NFQUEUE drops every packet it would have queued, so the host fails closed whenever Suricata is stopped or crashes. Add `--queue-bypass` to the iptables rules if traffic should pass uninspected instead; decide this deliberately, since it is the fail-open choice discussed under best practices below.

Update Rules
```bash
# Update rule sources
sudo suricata-update

# Fetch the source index, then enable additional rule sources
sudo suricata-update update-sources
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid

# Apply updated rules
sudo suricata-update
sudo systemctl restart suricata
```

Rule Structure
Suricata rules follow a specific format:
```
action protocol src_ip src_port -> dst_ip dst_port (rule_options)
```
Example Rules
```
# Block known malicious IP
drop ip 203.0.113.66 any -> $HOME_NET any (msg:"Blocked malicious IP"; sid:1000001; rev:1;)

# Detect SQL injection in HTTP
drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"SQL Injection attempt"; content:"UNION SELECT"; nocase; http_uri; sid:1000002; rev:1;)

# Detect SSH brute force: count new connections (SYN packets) per source address
# rather than every SSH packet, which a single legitimate session would exceed
# within seconds. detection_filter keeps dropping every new connection once the
# count is reached; threshold:type both would act only once per interval.
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force"; flags:S; detection_filter:track by_src, count 5, seconds 60; sid:1000003; rev:1;)

# Alert on possible DNS tunneling (query names of 100 or more characters)
alert dns any any -> any any (msg:"Possible DNS tunneling"; dns.query; content:"."; pcre:"/^.{100,}/"; sid:1000004; rev:1;)
```
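Reading the header and option list of a rule by eye gets error-prone once a ruleset has thousands of entries, and a duplicate or missing sid stops Suricata from loading the file at all. The following parser is an added example, not code from the guide or from the Suricata project: it splits rules of the form shown above into their header fields and ordered option list, rejects unknown actions and missing sids, and reports duplicate sids. The sample rules are the ones from this section; the limitation that address groups containing spaces (for example bracketed lists) are not handled is deliberate to keep the header regex simple.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the rules shown above, plus a comment line that must be skipped.
SAMPLE_RULES = [
    'drop ip 203.0.113.66 any -> $HOME_NET any (msg:"Blocked malicious IP"; sid:1000001; rev:1;)',
    'drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"SQL Injection attempt"; '
    'content:"UNION SELECT"; nocase; http_uri; sid:1000002; rev:1;)',
    '# comment lines and blank lines are ignored',
    'alert dns any any -> any any (msg:"Possible DNS tunneling"; dns.query; content:"."; '
    'pcre:"/^.{100,}/"; sid:1000004; rev:1;)',
]

VALID_ACTIONS = {"alert", "drop", "reject", "pass"}

# Header: action protocol src sport direction dst dport, then "(options)".
# Address groups are taken as one non-space token, so bracketed lists with
# spaces inside are out of scope for this example.
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list  # ordered (keyword, value or None) pairs; order matters for sticky buffers


def split_options(opts):
    """Split 'k:v; k2; ...' on semicolons that are not inside double quotes."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    result = []
    for part in parts:
        if not part:
            continue
        key, sep, value = part.partition(":")
        result.append((key.strip(), value.strip() if sep else None))
    return result


def parse_rule(line):
    """Parse one rule line; raise ValueError on a malformed header, action or missing sid."""
    match = HEADER_RE.match(line.strip())
    if not match:
        raise ValueError(f"malformed rule header: {line!r}")
    if match.group("action") not in VALID_ACTIONS:
        raise ValueError(f"unknown action {match.group('action')!r}")
    options = split_options(match.group("opts"))
    if not any(key == "sid" for key, _ in options):
        raise ValueError("rule has no sid")
    return Rule(match.group("action"), match.group("proto"), match.group("src"),
                match.group("sport"), match.group("dir"), match.group("dst"),
                match.group("dport"), options)


def option(rule, keyword):
    """First value of a keyword in the rule, or None if absent or valueless."""
    for key, value in rule.options:
        if key == keyword:
            return value
    return None


def parse_rules(lines):
    """Parse a ruleset, skipping blank lines and '#' comments."""
    return [parse_rule(s) for s in (ln.strip() for ln in lines) if s and not s.startswith("#")]


def duplicate_sids(rules):
    """sids used by more than one rule; Suricata refuses to load such a file."""
    counts = Counter(option(r, "sid") for r in rules)
    return sorted(sid for sid, n in counts.items() if n > 1)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for r in parsed:
        print(r.action, r.protocol, r.src_ip, "->", r.dst_ip, "sid", option(r, "sid"))
    print("actions:", Counter(r.action for r in parsed), "duplicates:", duplicate_sids(parsed))
```

The ordered option list is kept on purpose: in Suricata a keyword such as `nocase` or `http_uri` applies to the `content` that precedes it, so a tool that turns the options into a dictionary loses information a reviewer needs.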
Rule Actions
| Action | Description |
|--------|-------------|
| alert | Generate an alert (IDS mode) |
| drop | Drop the packet and alert (IPS mode) |
| reject | Drop + send RST/ICMP unreachable |
| pass | Whitelist — allow without further inspection |
IPS Tuning and Optimization
Reducing False Positives
False positives are the biggest challenge in IPS deployment:
- Start in IDS mode — Run detection-only first to understand your baseline
- Review alerts — Identify rules that fire on legitimate traffic
- Suppress noisy rules — Disable or suppress rules that don't apply to your environment
- Threshold — Set thresholds so occasional matches don't trigger blocks
- Whitelist — Create pass rules for known-good traffic patterns
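The "review alerts" and "suppress noisy rules" steps above amount to a query over the alert log: which signatures fire most, and does one source account for most of a signature's hits? The script below is an added example, not part of the original guide. It reads EVE JSON alert records (here a constructed sample, with 10.0.0.5 standing in for an internal vulnerability scanner that trips the SQL injection rule on every run), aggregates them by sid and source, and emits `threshold.config` suppress lines for rules dominated by a single source. The 5-hit and 80 % cut-offs are assumptions to tune for your own environment.

```python
import json
from collections import Counter, defaultdict


def _alert(src, dst, sid, signature):
    """Build one constructed EVE alert record in the shape Suricata's eve.json uses."""
    return json.dumps({
        "timestamp": "2024-05-01T10:00:00.000000+0000", "event_type": "alert",
        "src_ip": src, "dest_ip": dst,
        "alert": {"gid": 1, "signature_id": sid, "signature": signature, "action": "allowed"},
    })


# Constructed sample log: one non-alert event, six scanner hits and one external hit
# on the SQL injection rule, and two unrelated DNS tunneling alerts.
SAMPLE_EVE = "\n".join(
    [json.dumps({"timestamp": "2024-05-01T10:00:00.000000+0000", "event_type": "flow",
                 "src_ip": "10.0.0.9", "dest_ip": "10.0.1.20"})]
    + [_alert("10.0.0.5", "10.0.1.20", 1000002, "SQL Injection attempt")] * 6
    + [_alert("198.51.100.7", "10.0.1.20", 1000002, "SQL Injection attempt")]
    + [_alert("10.0.1.30", "10.0.0.53", 1000004, "Possible DNS tunneling"),
       _alert("10.0.1.31", "10.0.0.53", 1000004, "Possible DNS tunneling")]
)


def load_alerts(eve_text):
    """Parse EVE lines, keeping only alert events; blank or malformed lines are skipped."""
    alerts = []
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") == "alert":
            alerts.append(record)
    return alerts


def alerts_by_sid(alerts):
    """Total hits per signature id."""
    return Counter(a["alert"]["signature_id"] for a in alerts)


def suppress_candidates(alerts, min_count=5, min_share=0.8):
    """(sid, src_ip) pairs where one source produced at least min_share of a rule's hits.

    Such a pairing usually means a known-good host (scanner, monitoring probe) rather
    than a bad rule, so the fix is a per-source suppression, not disabling the rule.
    """
    per_sid = defaultdict(Counter)
    for a in alerts:
        per_sid[a["alert"]["signature_id"]][a["src_ip"]] += 1
    candidates = []
    for sid, sources in sorted(per_sid.items()):
        top_src, hits = sources.most_common(1)[0]
        if hits >= min_count and hits / sum(sources.values()) >= min_share:
            candidates.append((sid, top_src))
    return candidates


def render_threshold_config(candidates, gid=1):
    """threshold.config lines that silence the rule for that source only."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}" for sid, src in candidates]


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_EVE)
    for sid, n in alerts_by_sid(alerts).most_common():
        print(f"sid {sid}: {n} alerts")
    print("\n".join(render_threshold_config(suppress_candidates(alerts))))
```

Note what the suppression does not do: sid 1000002 keeps firing for 198.51.100.7, the one external source in the sample. A per-source suppress entry narrows the rule to the traffic that was actually causing noise, whereas disabling the rule would also hide the real hits.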
Performance Tuning
```yaml
# suricata.yaml performance settings

# Use multiple threads
threading:
  set-cpu-affinity: yes
  detect-thread-ratio: 1.0

# Memory management (reassembly is a nested section under stream)
stream:
  memcap: 256mb
  reassembly:
    memcap: 512mb

# Increase ring buffer
af-packet:
  - interface: eth0
    ring-size: 50000
    threads: 4
```

Monitoring IPS Health
```bash
# Check Suricata stats
sudo suricatasc -c "dump-counters" /var/run/suricata/suricata-command.socket

# Key metrics to monitor:
# - capture.kernel_packets: Total packets seen
# - capture.kernel_drops: Dropped packets (increase = overloaded)
# - detect.alert: Total alerts generated
# - flow.memcap_exception: Memory limit reached
```

IPS Best Practices
- Deploy in IDS mode first — Monitor for 2-4 weeks before switching to IPS
- Keep rules updated — New threats emerge daily; update signatures regularly
- Monitor performance — Watch for packet drops indicating the IPS is overloaded
- Log everything — Send logs to a SIEM (ELK Stack, Splunk, Wazuh)
- Segment your network — Deploy IPS at key chokepoints between zones
- Plan for bypass — Have a fail-open mechanism for IPS hardware failure
- Review regularly — Audit rules and alerts monthly
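The "monitor performance" practice and the counters listed under Monitoring IPS Health come together in a health check that can run from cron or a monitoring agent. What follows is an added example, not code from the guide or from Suricata: it takes the JSON that `suricatasc -c dump-counters` returns (the two snapshots here are constructed samples in that shape, with only the counters named above filled in), computes the kernel drop rate both cumulatively and over the interval between two snapshots, and reports a status. The 1 % drop-rate limit is an assumption to set for your own link.

```python
import json

# Constructed samples in the shape of suricatasc output: "return" plus a
# "message" tree of counters. Counter values are cumulative since Suricata started.
SAMPLE_EARLIER = json.dumps({
    "return": "OK",
    "message": {"uptime": 1800,
                "capture": {"kernel_packets": 500_000, "kernel_drops": 0},
                "detect": {"alert": 400},
                "flow": {"memcap_exception": 0}},
})
SAMPLE_LATER = json.dumps({
    "return": "OK",
    "message": {"uptime": 3600,
                "capture": {"kernel_packets": 1_000_000, "kernel_drops": 25_000},
                "detect": {"alert": 1200},
                "flow": {"memcap_exception": 0}},
})


def load_counters(raw):
    """Unwrap the suricatasc response; a non-OK return means the command failed."""
    doc = json.loads(raw)
    if doc.get("return") != "OK":
        raise RuntimeError(f"suricatasc returned {doc.get('return')!r}")
    return doc["message"]


def counter(stats, path, default=0):
    """Look up a dotted counter name such as 'capture.kernel_drops'; missing keys read as default."""
    node = stats
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def drop_percent(stats, previous=None):
    """Kernel drop rate in percent, cumulative or, given an earlier snapshot, over the interval.

    The interval figure is the useful one: a drop burst an hour ago stays in the
    cumulative ratio forever, while the interval ratio shows whether drops are still rising.
    """
    pkts = counter(stats, "capture.kernel_packets")
    drops = counter(stats, "capture.kernel_drops")
    if previous is not None:
        pkts -= counter(previous, "capture.kernel_packets")
        drops -= counter(previous, "capture.kernel_drops")
    return 0.0 if pkts <= 0 else 100.0 * drops / pkts


def assess(stats, previous=None, max_drop_percent=1.0):
    """Return a status dict: 'healthy', or 'degraded' with the reasons."""
    problems = []
    rate = drop_percent(stats, previous)
    if rate > max_drop_percent:
        problems.append(f"kernel drop rate {rate:.2f}% exceeds {max_drop_percent}%")
    if counter(stats, "flow.memcap_exception") > 0:
        problems.append("flow memcap reached")
    if counter(stats, "capture.kernel_packets") == 0:
        problems.append("no packets captured; check the interface binding")
    return {"status": "degraded" if problems else "healthy",
            "drop_percent": round(rate, 2), "alerts": counter(stats, "detect.alert"),
            "problems": problems}


if __name__ == "__main__":
    earlier, later = load_counters(SAMPLE_EARLIER), load_counters(SAMPLE_LATER)
    print("cumulative:", assess(later))
    print("last interval:", assess(later, previous=earlier))
```

The two results differ: cumulatively the drop rate is 2.5 %, but all 25,000 drops fell in the second half-hour, so the interval rate is 5 %. That is the figure to alert on, because it says the IPS is overloaded now, not that it once was.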
Conclusion
An IPS is a critical layer in defense-in-depth network security. Whether you choose commercial solutions or open-source tools like Suricata, the key is proper placement, careful tuning, and ongoing maintenance. Start in detection mode, understand your traffic patterns, then gradually enable prevention.
For more security topics, read our OWASP Top 25 Web Security Vulnerabilities guide and our Linux Server Hardening Checklist.