IPS Concept Guide
FortiOS
Table of Contents
Change log 3
What is IPS? 4
Intended audience 4
About this guide 4
IPS concepts 5
IPS detection methodologies 5
Signature-based detection 5
Statistical anomaly-based detection 6
Behavioral analysis detection 7
IPS types 7
NIPS 7
WIPS 8
HIPS 8
NBA 9
IPS use cases 10
Conclusion 11
More information 13
Appendix A: Documentation references 13
Feature documentation 13
Solution hub 13
Change log
Date Change description
2024-02-15 Initial release.
2024-03-13 Updated IPS use cases on page 10.
What is IPS?
Intrusion detection is the process of monitoring the events occurring in a computer system or network and
analyzing them for signs of possible incidents, which are violations or imminent threats of violation of
computer security policies, acceptable use policies, or standard security practices. An intrusion detection
system (IDS) is a network security tool that monitors network traffic and devices for known malicious
activity, suspicious activity, or security policy violations.
An intrusion prevention system (IPS) is software that has all the capabilities of an IDS and can also attempt
to stop possible incidents. IDS and IPS technologies offer many of the same capabilities, and administrators
can usually disable prevention features in IPS products, causing them to function as IDSes.
You can implement IPS in the form of a standalone appliance or as part of the feature set of a next-
generation firewall. IPS uses signatures, protocol decoders, heuristics (or behavioral monitoring), threat
intelligence, and advanced threat detection to prevent exploitation of known threats. Some IPS
implementations can even help prevent zero-day threats. FortiGate IPS can perform deep packet inspection
to scan encrypted payloads to detect and prevent threats from attackers.
This guide aims to dive deeper into different IPS features and technologies and introduce how FortiGate IPS
implements these features.
Intended audience
This guide is intended for an audience who is interested in understanding how IPS technology works and the
benefit it can bring to organizations of all shapes and sizes. Readers should have a good understanding of
networking and security concepts, such as traffic flows, application traffic, network protocols, CVE-ID,
vulnerabilities, and exploits. Junior to intermediate level network security specialists should be comfortable
with the content in this guide.
About this guide
This guide aims to introduce the concept of IPS, as well as the products and techniques Fortinet uses to
implement it. After reading this guide readers should be comfortable talking about different IPS
methodologies and types and have a good understanding of where these systems reside in a network.
IPS concepts
To better understand intrusion prevention systems (IPS), this guide divides the concepts into the following:
IPS detection methodologies on page 5 Available options used to detect intrusions
IPS types on page 7 Common IPS types and their use cases
IPS detection methodologies
This guide discusses the two major detection methodologies used by IPS. These include signature-based
and statistical anomaly-based detection. Each offers a different approach to detection, and therefore is
suited for identifying and preventing different intrusion types.
Signature-based detection
Signature-based detection uses uniquely identifiable patterns (signatures) found in exploit code. Exploit code is
malicious code that takes advantage of vulnerabilities in a system to compromise the system. When exploits
are discovered, their signatures go into an ever-expanding database. Fortinet maintains a database
that is constantly updated as new exploits are discovered. Fortinet also uses artificial intelligence and
machine learning to analyze billions of events every day to discover new vulnerabilities and exploitations
and produce signatures to identify such threats.
Fortinet IPS uses these signatures in the following ways:
Signature type        Description
Exploit-facing        Identify the individual exploit itself. Fortinet IPS uses exploit-facing signatures to
                      match incoming known exploits and block them before they reach the target system.
Vulnerability-facing  Identify the vulnerability in a system that may be used for an attack. This method
                      allows the IPS to identify potential exploit variants that have not been previously
                      observed. However, this method comes with the drawback of false positives: benign
                      packets mislabeled as threats.
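The difference between the two signature types is easiest to see in code. The following is an added example written for this guide, not Fortinet's IPS engine or its signature format. It matches constructed HTTP requests (the "EVILPAD" pattern and the 512-byte Host header limit are assumptions for illustration) against an exploit-facing signature, which looks for bytes taken from one known exploit, and a vulnerability-facing signature, which flags the condition the vulnerability depends on regardless of which bytes fill it. The last sample shows the false-positive drawback the table describes: a long but benign Host header trips the vulnerability-facing rule.

```python
import re
from dataclasses import dataclass

# Constructed sample payloads (hypothetical; not real exploit traffic).
# The "vulnerability" being modelled is an overlong Host header that a
# fragile parser might mishandle.
KNOWN_EXPLOIT = b"GET / HTTP/1.1\r\nHost: " + b"EVILPAD" * 100 + b"\r\n\r\n"
VARIANT = b"GET / HTTP/1.1\r\nHost: " + b"Q" * 700 + b"\r\n\r\n"
BENIGN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
BENIGN_LONG = b"GET / HTTP/1.1\r\nHost: " + b"a" * 600 + b".example.test\r\n\r\n"


@dataclass
class Verdict:
    signature: str
    matched: bool


def exploit_facing(payload: bytes) -> Verdict:
    """Exploit-facing: look for a byte pattern lifted from one known exploit.
    Precise, but a variant that changes the filler bytes slips past."""
    return Verdict("exploit.http.host-evilpad", b"EVILPAD" * 4 in payload)


HOST_RE = re.compile(rb"\r\nHost: ([^\r\n]*)\r\n")


def vulnerability_facing(payload: bytes, max_len: int = 512) -> Verdict:
    """Vulnerability-facing: flag the condition the vulnerability needs
    (a Host header longer than max_len), whatever bytes fill it.
    Catches unseen variants, at the cost of false positives."""
    m = HOST_RE.search(payload)
    hit = m is not None and len(m.group(1)) > max_len
    return Verdict("vuln.http.host-overlong", hit)


def scan(payload: bytes) -> list:
    """Run both signature types and return the names of those that matched."""
    verdicts = (exploit_facing(payload), vulnerability_facing(payload))
    return [v.signature for v in verdicts if v.matched]


if __name__ == "__main__":
    for name, sample in [("known exploit", KNOWN_EXPLOIT), ("variant", VARIANT),
                         ("benign", BENIGN), ("benign, long host", BENIGN_LONG)]:
        print(f"{name:18s} -> {scan(sample)}")
```

Running the block shows the known exploit matched by both rules, the variant matched only by the vulnerability-facing rule, the short benign request matched by neither, and the long benign request wrongly matched by the vulnerability-facing rule. This is why the guide's later advice to tune a sensor to the services it protects matters: a looser, vulnerability-facing rule is the one most likely to need an adjusted threshold or an exception.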
FortiOS offers administrators robust pattern signature selection using filters based on severity, target,
operating system, application, and protocol. Each signature has a direct link to its detailed entry on the
threat encyclopedia and CVE-ID references. After selection, administrators can assign associated actions
such as monitoring, blocking, or resetting the session.
See Configuring an IPS sensor.
With the FortiGuard IPS service deployed as part of your broader security infrastructure, Fortinet can
analyze and deploy new intrusion prevention signatures in near real-time for coordinated network response.
Fortinet develops these signatures from several products, such as FortiWeb’s web application firewall and
FortiClient’s vulnerability scan. Multiply this workflow across Fortinet’s global customer base and you have a
network effect that accelerates protection faster than ever.
Statistical anomaly-based detection
Statistical anomalies are data instances which fall outside an expected range or differ greatly from most
data. For example, you expect a host to initiate a TCP session with one or possibly a few TCP SYN packets. If
a host sends several hundred TCP SYN packets in a short period, this is considered a statistical anomaly.
Statistical anomaly-based detection randomly samples network traffic and compares samples to
performance level baselines. When samples are identified as being outside the baseline, the IPS triggers an
action to prevent a potential attack. FortiGate rate-based IPS signatures protect networks against
application-based Denial of Service (DoS) and brute force attacks. Administrators can configure IPS
signatures and tune them to their needs. You can assign a threshold (incidents per minute) and action to
take when the threshold is reached to each signature.
See DoS policy.
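The rate-based logic described above (a per-signature threshold in incidents per minute plus an action) can be modelled in a few lines. The following is an added example written for this guide, not FortiOS code: it counts TCP SYN packets per source over a sliding 60-second window and switches to blocking a source once it exceeds the threshold. The threshold of 100 SYNs per minute, the source addresses and the packet timeline are all constructed for the example.

```python
from collections import defaultdict, deque

THRESHOLD_PER_MINUTE = 100  # assumed threshold; a real sensor is tuned per environment
WINDOW_SECONDS = 60.0


class SynRateMonitor:
    """Sliding-window SYN counter per source; a source that exceeds the
    threshold within the window is blocked for the rest of the run."""

    def __init__(self, threshold=THRESHOLD_PER_MINUTE, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.syns = defaultdict(deque)  # src_ip -> timestamps of recent SYNs
        self.blocked = set()

    def observe(self, ts: float, src: str, flags: str) -> str:
        """Return the action for one packet: 'pass' or 'block'."""
        if src in self.blocked:
            return "block"
        if flags != "S":          # only SYNs count toward the rate
            return "pass"
        q = self.syns[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop SYNs older than the window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(src)
            return "block"
        return "pass"


def constructed_sample():
    """Constructed packet list: (timestamp, source, TCP flags)."""
    pkts = [(t, "10.0.0.5", "S") for t in (0.0, 20.0, 45.0)]          # normal host
    pkts += [(1.0 + i * 0.03, "10.0.0.9", "S") for i in range(150)]   # 150 SYNs in ~5 s
    pkts.append((6.0, "10.0.0.9", "A"))                               # an ACK, not counted
    pkts.sort()
    return pkts


def evaluate(pkts, threshold=THRESHOLD_PER_MINUTE):
    """Replay packets; return the time each source was first blocked and the blocked set."""
    mon = SynRateMonitor(threshold)
    first_block = {}
    for ts, src, flags in pkts:
        if mon.observe(ts, src, flags) == "block" and src not in first_block:
            first_block[src] = ts
    return first_block, mon.blocked


if __name__ == "__main__":
    first_block, blocked = evaluate(constructed_sample())
    print("blocked sources:", sorted(blocked))
    print("first block time:", first_block)
```

The host that opens three sessions over a minute is never blocked; the host that sends 150 SYNs in five seconds is blocked on its 101st SYN, about three seconds into the burst, and everything it sends afterwards is dropped. A sliding window rather than fixed one-minute buckets avoids a burst that straddles a bucket boundary being split into two sub-threshold halves.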
Behavioral analysis detection
Network detection and response combines artificial intelligence-based, human, and behavioral network
traffic analysis to look for signs of malicious activity. Once identified, security teams can react quickly and
accurately, enabling an effective response across your environment. FortiInsight is an example of this threat
hunting type.
IPS types
There are four noteworthy types of intrusion prevention systems (IPS). Each type has its own unique
defense specialty. These consist of the following:
- NIPS on page 7
- WIPS on page 8
- HIPS on page 8
- NBA on page 9
NIPS
A network-based intrusion prevention system (NIPS) is a type of security solution that is designed to protect
networks by monitoring and analyzing network traffic in real-time for signs of malicious activity.
NIPS is typically deployed at the network perimeter where it can monitor all incoming and outgoing network
traffic. It can analyze network packets at wire speed and block or prevent suspicious traffic in real-time.
NIPS solutions use various techniques to detect and prevent attacks, including signature-based detection,
behavioral analysis, and anomaly detection. You typically place a NIPS at key network locations, such as
Internet-facing critical assets, legacy software systems, and between segments, where it monitors and
scans for cyber threats.
WIPS
A wireless intrusion prevention system (WIPS) is a security solution type that is designed to protect wireless
networks by monitoring and analyzing wireless traffic for signs of malicious activity. Like a network-based
intrusion prevention system, WIPS uses signature, behavioral, and anomaly-based detection methods.
HIPS
A host-based Intrusion Prevention System (HIPS) is a security solution type that is installed on individual
hosts (servers or endpoints) to monitor and analyze their activity for signs of malicious behavior.
HIPS solutions are typically installed as software agents on individual hosts and can detect and prevent a
wide range of host-based attacks, including malware infections, privilege escalation attacks, unauthorized
access, and data theft. HIPS solutions can also detect and prevent attacks that exploit vulnerabilities in
operating systems and applications. These systems, such as FortiEDR, can even block zero-day attacks
using their machine learning next generation antivirus.
NBA
Network behavior analysis (NBA) is a security solution type that is designed to monitor and analyze network
traffic to detect and prevent security threats based on their behavior. NBA solutions can detect both known
and unknown threats by analyzing patterns and anomalies in network traffic. FortiSIEM and FortiXDR bring
together visibility, correlation, automated response, and remediation in a single scalable solution.
IPS use cases
You must implement the intrusion prevention system (IPS) in the traffic flow so that it can prevent
suspicious packets from reaching their destination. If you are using an intrusion detection system, there is
more flexibility in the location, since the IPS can receive a copy of the traffic for the primary purpose of
analysis and reporting.
When implementing IPS profiles, Fortinet recommends tuning the sensor to reflect the environment it
protects. This involves selecting only signatures which match the services and devices it is meant to
protect, and adjusting thresholds for selected anomalies to suit your environment.
IPS use case                  Deploy IPS...
Perimeter protection          At the network edge to provide protection against external attacks.
Datacenter protection         Within a datacenter to protect critical servers and applications against
                              internal and external attacks.
Internal network protection   Within an internal network to provide protection against lateral movement
                              by attackers, to prevent the spread of malicious activity.
Cloud protection              Within cloud environments, such as public or private cloud environments, to
                              provide protection against cloud-based threats, including account takeover
                              and data breaches.
For a deeper understanding of IPS use cases, see the IPS Architecture Guide.
Conclusion
This document examines different intrusion prevention system (IPS) methodologies and types and
introduces at a high level how Fortinet products implement IPS to protect against malicious threats.
The FortiGate IPS engine is a highly effective intrusion detection and prevention solution. It is designed to
secure a user’s system from end to end and ensure that users are equipped to handle even the most
sophisticated threats. Organizations across a wide variety of industries trust Fortinet IPS to help them
prevent unwanted intrusions from harming their networks.
Some ways that organizations can benefit by choosing to deploy Fortinet FortiGate IPS include:
Benefit                    Details
Flexibility                IPS is highly flexible in that it is truly agnostic. It is capable of operating
                           across a wide variety of devices and environments. Any network, cloud, or
                           device type that an organization wants to protect can run IPS. Users do not
                           need to buy any other solution to enable this to operate in the way that they
                           need.
Reliability                IPS provides a complete protective package without requiring users to
                           sacrifice speed. It allows for quick threat identification and remediation.
Vulnerability scanning     IPS scans for threats on a deeper level than more traditional software might.
and patching               It penetrates the uppermost layer of a network and identifies vulnerabilities
                           that might not be easily spotted. It scans the entire network to give
                           administrators a full understanding of the potential threats that they might
                           have to address. IPS can immediately prevent the points of vulnerability
                           from being exploited, known as virtual patching, giving administrators the
                           time and opportunity to update the vulnerable systems. In addition to
                           protecting other devices on the network, virtual patching can also be
                           applied to FortiGates directly to protect management access to the
                           FortiGate from being exploited.
Protocol enforcement       Using the IPS engine, you can ensure that only a specific protocol is allowed
                           on a specified port. For example, HTTPS on port 443.
Compliance requirements    IPS can help to meet many of the compliance requirements specified by PCI,
                           HIPAA, and others.
ASIC performance           Purpose-built ASIC designs like CP9/CP10 offload complex regex matching and
                           signature pre-match capabilities to increase performance.
Kill chain                 FortiGate IPS serves as one component of the Fortinet kill chain.
                           - Protect: by keeping up to date with FortiGuard IPS signatures, the
                             FortiGate can protect your network and systems from exploitation from
                             the latest malware and vulnerabilities.
                           - Detect: to further understand and analyze the effects of an exploit,
                             vulnerability or outbreak, systems such as FortiAnalyzer can be used to
                             perform Threat Hunting and Outbreak Detection.
                           - Respond: different methods such as using automated playbooks can
                             automate the incident response. Subscribing to SOC services can also
                             help alleviate the investment needed to build a response system.
                           - Recover: to prevent future occurrences, implement security awareness
                             and training and additional security hardening.
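The protocol enforcement benefit in the table above (allow only HTTPS on port 443) comes down to checking that the first bytes of a flow look like the protocol the port is reserved for. The following is an added example written for this guide, not FortiOS code or its protocol decoders: it classifies a flow from its first bytes (a TLS handshake record starting a ClientHello, an HTTP request line, or an SSH banner) and blocks a flow whose destination port is mapped to a different protocol. The port-to-protocol policy and the sample byte strings are constructed for the example.

```python
# Assumed enforcement policy: destination port -> the only protocol allowed on it.
# Ports not listed are not enforced.
EXPECTED = {443: "TLS", 80: "HTTP"}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def classify(first_bytes: bytes) -> str:
    """Identify the application protocol from the first bytes a client sends."""
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "TLS"
    if first_bytes.startswith(b"SSH-"):
        return "SSH"
    method = first_bytes.split(b" ", 1)[0]
    if method in HTTP_METHODS and b" HTTP/" in first_bytes:
        return "HTTP"
    return "UNKNOWN"


def enforce(dst_port: int, first_bytes: bytes) -> str:
    """Return 'pass' or 'block' for a flow, based on the port's expected protocol."""
    expected = EXPECTED.get(dst_port)
    if expected is None:
        return "pass"          # port not covered by the enforcement policy
    return "pass" if classify(first_bytes) == expected else "block"


# Constructed sample flows (not captured traffic): a minimal TLS 1.2 ClientHello
# record prefix, a plaintext HTTP request, and an SSH version banner.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"


def run_sample():
    """Evaluate each constructed flow against the policy."""
    flows = [(443, TLS_CLIENT_HELLO), (443, HTTP_REQUEST), (443, SSH_BANNER),
             (80, HTTP_REQUEST), (8080, SSH_BANNER)]
    return [(port, classify(data), enforce(port, data)) for port, data in flows]


if __name__ == "__main__":
    for port, proto, action in run_sample():
        print(f"port {port:5d}  {proto:8s} -> {action}")
```

Only the TLS handshake is allowed through on 443; plaintext HTTP and an SSH session tunnelled over 443 are blocked, while the same SSH banner on an unlisted port is passed because the policy says nothing about that port. The check is deliberately based on protocol structure rather than on the port number alone, which is the whole point of enforcement: the port tells you what should be there, the bytes tell you what actually is.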
More information
Appendix A: Documentation references
Feature documentation
- FortiOS Administration Guide:
  - Protocol enforcement
  - Intrusion prevention
  - Virtual patching on the local-in management interface
  - Virtual patching
- IPS solution brief
- Wireless Intrusion Detection System
- FortiInsight Cloud Administration Guide
- Fortinet kill chain
Solution hub
- NGFW 4-D Resources
www.fortinet.com
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common
law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance
and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether
express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-
identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in
the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or
otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
01-74-908315-20240313