An Intrusion Prevention System (IPS) is a security control designed to both detect and actively prevent malicious network activity. Unlike an Intrusion Detection System (IDS), which only monitors and alerts, an IPS must be able to block or drop traffic immediately when a threat is identified. This functional requirement directly determines the appropriate traffic integration method.
Inline deployment places the IPS directly in the path of network traffic, meaning all packets must pass through the device before reaching their destination. This positioning allows the IPS to inspect packets in real time, compare them against known attack signatures, and take immediate action such as dropping packets, resetting connections, or blocking traffic altogether. Because the requirement explicitly states that suspicious traffic must be blocked in real time, inline integration is mandatory.
The other options do not meet the operational requirements of an IPS. Traffic mirroring (SPAN) sends a copy of traffic to a monitoring device but does not allow the IPS to influence or stop traffic flow. Network TAPs also duplicate traffic for analysis but are passive by design and incapable of enforcing security decisions. Passive deployments, by definition, only observe traffic and generate alerts without prevention capabilities.
Placing the IPS inline behind the DMZ firewall and before the core switches ensures that malicious traffic can be stopped before it reaches internal network resources. This approach aligns with cybersecurity operations best practices for protecting sensitive network segments such as the DMZ.
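As an added illustration of the inline-versus-passive distinction (not part of the original explanation), the following Suricata configuration fragment assumes a Linux sensor with interfaces eth0 and eth1 bridged by Suricata and shows why only the inline integration can act on a `drop` verdict. The interface names and the sample rule are assumptions made for this example.

```yaml
# Inline (IPS) integration: Suricata sits between eth0 and eth1 and forwards
# every packet itself, so a "drop" verdict actually stops the packet.
af-packet:
  - interface: eth0
    copy-mode: ips        # forward packets to the peer interface (inline)
    copy-iface: eth1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
  - interface: eth1
    copy-mode: ips
    copy-iface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes

# Alternative inline integration on a routing host: the kernel hands packets to
# Suricata through NFQUEUE (iptables -I FORWARD -j NFQUEUE --queue-num 0) and
# waits for its verdict before delivering them.
nfq:
  mode: accept            # accept the packet once inspected (drop on match)
  fail-open: no           # on engine failure, keep blocking rather than bypass

# Passive (SPAN/TAP) integration, for comparison: Suricata reads a copy of the
# traffic on a monitor port. No copy-mode is set, nothing is forwarded, and a
# "drop" rule can only raise an alert because the original packet has already
# left for its destination.
#
# af-packet:
#   - interface: eth2     # connected to the switch SPAN port or TAP output
#     cluster-id: 97
#     cluster-type: cluster_flow

# Sample rule (constructed for this example) placed in a rules file:
#   drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE block SMB from outside"; sid:1000001; rev:1;)
# Run inline with:   suricata -c /etc/suricata/suricata.yaml --af-packet
#                 or suricata -c /etc/suricata/suricata.yaml -q 0
# Run passive with:  suricata -c /etc/suricata/suricata.yaml -i eth2
```

In the passive run the same rule still fires, but the event is logged as an alert rather than enforced, which is exactly the gap between IDS-style monitoring and real-time prevention described above.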
Therefore, inline traffic integration is the correct and verified solution.