Best practices regarding Intrusion Prevention System technology

Article ID: 177797

Products

Endpoint Protection

Issue/Introduction

You have Symantec Endpoint Protection. You need to know whether you should enable Intrusion Prevention System (IPS).

Resolution

Note: To quickly check if the system in question is configured according to this best practice, download and run SymDiag.

Intrusion Prevention System technology significantly increases the level of protection that Symantec Endpoint Protection gives to your network. You should always have IPS enabled on the clients on your network.

What does Intrusion Prevention do that Antivirus protection does not?

Antivirus technology is strong, effective technology that protects your computer from malicious files once they are on the hard drive. Intrusion Prevention System technology is strong, effective technology that stops the malicious file from reaching the hard drive in the first place.

Unlike antivirus, which looks for known malicious files, IPS inspects the network traffic stream for the patterns of known exploits and attack vectors. IPS does not detect a specific file; it detects the specific method being used to deliver a malicious file onto your network. Because one exploit can deliver any number of payloads, this allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.

For example, the Downadup/Conficker worm uses a known vulnerability, the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067), to spread to unpatched computers. When the worm was released, antivirus technology could not stop the infection until virus definitions were written for the worm's file. Because IPS already had a signature for the RPC Handling vulnerability, however, computers running IPS were protected from the worm before it was ever released.
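The difference described in the two paragraphs above (a file-hash antivirus definition versus a traffic-level IPS signature for the exploit method) can be shown in a few lines of Python. This is an added illustration, not Symantec code and not how the SEP engine is implemented: the "protocol", the 256-byte buffer limit, the rule name and the three sample requests are all constructed for the example. The point it makes is that a repacked copy of the same worm defeats the hash-based check but not the rule that keys on the overlong field the exploit needs.

```python
"""Added example (not Symantec code): file-hash AV versus traffic-pattern IPS.

Hypothetical protocol: a request is `PUT <path>\n<body>`. Assume the target
server copies <path> into a 256-byte buffer, so any path longer than that is
an exploit attempt no matter what <body> (the dropped file) contains.
"""
import hashlib
import re
from typing import Dict, Optional, Set

PATH_LIMIT = 256  # assumed buffer size in the hypothetical vulnerable server


def av_scan(payload: bytes, known_bad_hashes: Set[str]) -> bool:
    """File-based AV check: detects only files whose exact hash is already known."""
    return hashlib.sha256(payload).hexdigest() in known_bad_hashes


# Hypothetical IPS rule: fire on the exploit METHOD (an overlong path), not on the payload.
IPS_RULES = [
    (
        "HYPOTHETICAL: overlong PUT path (buffer overflow attempt)",
        re.compile(rb"^PUT (\S{%d,})\n" % (PATH_LIMIT + 1)),
    ),
]


def ips_scan(request: bytes) -> Optional[str]:
    """Traffic-based IPS check: returns the name of the first matching rule, else None."""
    for name, pattern in IPS_RULES:
        if pattern.match(request):
            return name
    return None


def build_request(path: bytes, body: bytes) -> bytes:
    return b"PUT " + path + b"\n" + body


# Constructed samples. v1 and v2 are "the same worm", repacked so their hashes differ.
WORM_V1_PAYLOAD = b"MZ...constructed worm binary, variant 1..."
WORM_V2_PAYLOAD = b"MZ...constructed worm binary, repacked variant 2..."
BENIGN_PAYLOAD = b"hello world"

EXPLOIT_PATH = b"A" * 300  # overflows the assumed 256-byte buffer
REQUESTS: Dict[str, bytes] = {
    "worm_v1": build_request(EXPLOIT_PATH, WORM_V1_PAYLOAD),
    "worm_v2": build_request(EXPLOIT_PATH, WORM_V2_PAYLOAD),
    "benign": build_request(b"/docs/readme.txt", BENIGN_PAYLOAD),
}

# The AV definition exists for variant 1 only, as it would the day a worm appears.
KNOWN_BAD_HASHES = {hashlib.sha256(WORM_V1_PAYLOAD).hexdigest()}


def compare(requests: Dict[str, bytes], known_bad: Set[str]) -> Dict[str, Dict[str, bool]]:
    """Run both checks over each request: AV on the body, IPS on the whole stream."""
    results = {}
    for name, req in requests.items():
        _path, _sep, body = req.partition(b"\n")
        results[name] = {
            "av": av_scan(body, known_bad),
            "ips": ips_scan(req) is not None,
        }
    return results


if __name__ == "__main__":
    for name, verdict in compare(REQUESTS, KNOWN_BAD_HASHES).items():
        print(f"{name:8s} av={verdict['av']!s:5s} ips={verdict['ips']}")
```

Running it shows worm_v1 caught by both checks, worm_v2 caught only by IPS, and the benign request caught by neither: the IPS rule never looked at the payload, so changing the payload does not evade it.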

IPS is very good at detecting "drive-by" downloads of malware and fake antivirus scanner web pages, which Auto-Protect cannot prevent. In today's complex threat environment, this technology is an effective complement to antivirus technology, and its usage should be considered a necessity on any network that is connected to the Internet.

IPS and servers

IPS is fully compatible with Windows server operating systems. For more information on the limitations of IPS on high availability/high bandwidth SEPMs, see Best practices for Endpoint Protection on Windows servers.

Installing IPS on your network

If you do not have IPS installed on the clients on your network, you can use Symantec Endpoint Protection Manager to add the feature to managed clients, or use Add or Remove Programs to add IPS to unmanaged clients. For instructions, read the document How to add or remove features to existing Symantec Endpoint Protection client installations.