Intrusion Prevention Systems (IPS) in firewalls follow amulti-step processto detect and mitigate threats. The steps occur in a logical sequence:
1️⃣Step 1: Identifies and Parses Application-Layer Protocols
The firewall firstidentifies the protocol being used(e.g., HTTP, FTP, DNS, SMTP).
Parsing the protocol helps the IPS engineunderstand how the data is structuredand what types of attacks might be embedded.
This step is crucial for detectingprotocol-based attackslike SQL injection or cross-site scripting (XSS).
2️⃣Step 2: Reassembles IP Fragments and TCP Flows
Attackers oftensplit malicious payloads across multiple packetsto evade detection.
The firewallreassembles fragmented packets and TCP flowsto reconstruct the full data stream.
This step is critical for detectingevasion techniques such as fragmented attacks or out-of-order packet attacks.
3️⃣Step 3: Performs Signature Matching
Once the full data stream is reassembled, the IPScompares it against known attack signatures.
Signature matching helps detect:
Malware patterns(e.g., botnets, Trojans).
Exploits targeting vulnerabilitiesin software and operating systems.
Firewalls usepredefined signature databasesthat are regularly updated.
4️⃣Step 4: Performs the Response Action Based on the IPS Profile
If an attack is detected, the firewall takes anaction based on the IPS policy:
Block the traffic(drop malicious packets).
Alert the administrator(generate logs and alerts).
Rate-limit traffic(slow down potential attack sources).
Theresponse mechanism is customizablebased on security requirements.
