In the earlier section, we spent considerable time understanding NIDS. This has built a solid foundation, which we will find useful when moving on toward understanding NIPS.

Unlike a NIDS, which is a passive system, a NIPS is an active system that monitors network traffic and takes immediate preemptive action when a threat is detected. Intrusions are normally followed very quickly by vulnerability exploits. These are usually in the form of a malicious injection of data into an application or service with the objective of interrupting and gaining control of a machine or application. This could result in a denial of service (disabling applications or services), misusing existing privileges (rights and permissions) or escalating them for misuse, and gaining control of systems or resources.

In the information security world, most exploits come with an expiration date. This is because the moment an exploit has been identified, software vendors rush to patch it, signature-based IDS / IPS / security product vendors race to identify and remediate it, and every network administrator worth his salt moves to protect his/her network against it.

Hence, we see that unless a specific vulnerability is rapidly exploited, it will become inaccessible as an attack vector. Thus, in the world of digital intruders, time is of the essence. In such a situation, the NIPS plays a critical role in a network's defense line-up.

Usually, the NIPS is positioned directly behind the Internet-facing firewall. As this is inline, it actively analyzes all network traffic and takes automated action on traffic entering the network by dropping packets with malicious content.

Some of the actions that a NIPS takes are as follows:

Some of the key areas that a NIPS has to address are as follows: