ISO/IEC 27039:2015 — Intrusion Prevention Systems (IPS): Selection, Deployment and Operations

Comprehensive guidelines for deploying and managing network-based and host-based intrusion prevention systems

ISO/IEC 27039:2015 provides essential guidelines for the selection, deployment, and operation of intrusion prevention systems (IPS) within organizational networks. As cyber threats grow increasingly sophisticated, a well-designed IPS has become a cornerstone of defense-in-depth security architecture. This standard offers a comprehensive framework that helps security professionals evaluate their network environments, select appropriate IPS technologies, and maintain effective threat detection and prevention capabilities over time.

This standard complements ISO/IEC 27001 and ISO/IEC 27002 by providing specific technical controls for intrusion detection and prevention. Organizations implementing an Information Security Management System (ISMS) should consider 27039 as a key implementation guideline for operational security monitoring.

IPS Architecture and Deployment Strategies

The standard defines two primary categories of intrusion prevention systems: Network-based IPS (NIPS) and Host-based IPS (HIPS). NIPS monitors network traffic in real time, analyzing packets as they traverse critical network segments, while HIPS operates on individual endpoints, monitoring system calls, file system access, and application behavior. The selection between these types depends on the organization’s threat model, network topology, and performance requirements.

ISO/IEC 27039 emphasizes a structured deployment methodology that begins with a thorough risk assessment and network architecture review. The standard recommends deploying IPS sensors at network perimeter boundaries, between security zones, and in front of critical server farms. For organizations with high-availability requirements, inline deployments with fail-open mechanisms ensure that IPS failures do not create network outages.

Deployment Mode | Advantages | Disadvantages | Recommended Use Case
Inline (active prevention) | Real-time blocking, true prevention capability | Potential latency, single point of failure | Perimeter defense, data center protection
Passive (monitoring only) | Zero network impact, easier deployment | No active blocking, alert-only response | Internal network monitoring, compliance auditing
Tap/SPAN (out-of-band) | Complete traffic visibility, no interference | Cannot block attacks inline, switch port dependency | Forensic analysis, traffic baselining
Hybrid (inline + monitoring) | Best of both modes, flexible response | Higher complexity, increased management overhead | Large enterprise with dedicated security teams

When deploying NIPS in inline mode, always configure a heartbeat monitoring mechanism and fail-open behavior. Fail-open keeps traffic flowing when the sensor fails, but that traffic passes uninspected, so the heartbeat alert is what tells the SOC that coverage has lapsed. An improperly configured inline IPS can become a network bottleneck or, worse, a denial-of-service vector if it crashes under load. Test fail-over scenarios regularly as part of your incident response drills.

Detection Methodologies and Response Mechanisms

The standard details three fundamental detection methodologies that modern IPS implementations should combine for maximum effectiveness. Signature-based detection compares network traffic against predefined patterns of known attacks, offering high accuracy for known threats with minimal false positives. Anomaly-based detection establishes a baseline of normal network behavior and flags deviations, making it effective against zero-day exploits and novel attack patterns. Stateful protocol analysis examines network protocol behavior against established RFC standards, detecting protocol-level violations and sophisticated application-layer attacks.

IPS response actions defined in ISO/IEC 27039 range from passive logging and alerting to active countermeasures including session termination, traffic throttling, address blacklisting, and dynamic firewall rule modification. The standard emphasizes that response automation must be carefully calibrated to avoid disrupting legitimate business operations, recommending a graduated response strategy where initial alerts are reviewed before enabling automated blocking.
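As an added illustration (not text or code from the standard), the toy engine below runs the three detection methodologies from the previous paragraph side by side over constructed HTTP flow records and applies the graduated response described here: every hit alerts, but a flow is blocked only in prevention mode and only when a rule an analyst has already reviewed and promoted fired. Rule ids, the anomaly baseline, the threshold factor and the sample flows are all constructed.

```python
import re
from statistics import mean, pstdev

# Signature-based detection: patterns of known attack traffic (constructed rules).
SIGNATURES = {
    "SIG-TRAVERSAL": re.compile(r"\.\./"),
    "SIG-SQLI": re.compile(r"union\s+select", re.IGNORECASE),
}
# Stateful protocol analysis (reduced to one check): request methods registered
# by the HTTP RFCs; anything else is treated as a protocol violation.
RFC_HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"}
# Anomaly-based detection: learned baseline of per-client requests per minute
# (constructed values standing in for a training window of normal traffic).
BASELINE_RPM = [10, 12, 9, 14, 11, 13, 10, 12]

def anomaly_threshold(baseline, k=3.0):
    """Rates more than k standard deviations above the learned mean are flagged."""
    return mean(baseline) + k * pstdev(baseline)

def detect(flow, baseline=BASELINE_RPM):
    """Run all three methodologies over one flow record; return the rule ids that fired."""
    hits = [rid for rid, pat in SIGNATURES.items() if pat.search(flow["payload"])]
    if flow["rpm"] > anomaly_threshold(baseline):
        hits.append("ANOM-RATE")
    if flow["method"] not in RFC_HTTP_METHODS:
        hits.append("PROTO-HTTP-METHOD")
    return hits

def respond(hits, mode, promoted):
    """Graduated response: in 'monitor' mode every hit only alerts; in 'prevent' mode a flow
    is blocked only if a rule an analyst has reviewed and promoted to blocking fired."""
    if not hits:
        return "allow"
    if mode == "prevent" and any(rid in promoted for rid in hits):
        return "block"
    return "alert"

if __name__ == "__main__":
    # Constructed sample flows: one clean, one known signature, one rate spike, one bad method.
    flows = [
        {"src": "10.0.0.5", "payload": "GET /index.html", "rpm": 12, "method": "GET"},
        {"src": "10.0.0.9", "payload": "GET /../../admin/config", "rpm": 15, "method": "GET"},
        {"src": "10.0.0.7", "payload": "GET /a", "rpm": 900, "method": "GET"},
        {"src": "10.0.0.8", "payload": "FOO / HTTP/1.1", "rpm": 10, "method": "FOO"},
    ]
    promoted = {"SIG-TRAVERSAL", "SIG-SQLI"}  # signatures reviewed during the monitoring phase
    for mode in ("monitor", "prevent"):
        for f in flows:
            hits = detect(f)
            print(f"{mode:8} {f['src']:10} {respond(hits, mode, promoted):6} {hits}")
```

Running it shows the same rate spike and bad method staying at "alert" in prevention mode because those rules have not yet been promoted, which is the staged rollout the standard asks for.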

Modern IPS platforms that combine signature-based and behavioral detection achieve detection rates exceeding 99% while maintaining false positive rates below 1%. This layered approach is particularly effective against advanced persistent threats (APTs) that rely on legitimate credentials and encrypted channels to evade traditional signature-only detection.

Performance Tuning and Operational Considerations

ISO/IEC 27039 dedicates significant attention to the operational aspects of maintaining an effective IPS deployment. Performance tuning is critical: an IPS that cannot keep pace with network throughput will drop packets, creating security blind spots. The standard recommends sizing IPS appliances to handle at least 120% of peak throughput, accounting for the processing overhead of full packet inspection, protocol decoding, and signature matching.

Regular signature updates, rule set optimization, and false positive reduction are essential maintenance activities. The standard advises establishing a formal change management process for IPS rule modifications, including staged rollouts, impact assessment, and rollback procedures. Additionally, regular testing through penetration testing and red team exercises helps validate IPS effectiveness and identify configuration gaps.

Maintenance Activity | Frequency | Impact on Security Posture
Signature database update | Daily (or on-demand for critical CVEs) | Protection against newest threats
False positive review and tuning | Weekly | Reduces alert fatigue, improves SOC efficiency
Rule set optimization | Monthly | Removes obsolete rules, improves performance
Full rule audit and cleanup | Quarterly | Aligns protection with current threat landscape
Penetration testing validation | Semi-annually | Validates detection coverage and response accuracy

Never deploy an IPS with default rule sets in a production environment without thorough testing. Default configurations frequently generate excessive false positives that desensitize security teams, and may block legitimate traffic. Always conduct a phased rollout — start in monitoring mode, analyze alerts, tune rules, and only then enable active prevention on critical assets.

Consider implementing a Security Information and Event Management (SIEM) system alongside your IPS deployment. Correlation of IPS alerts with firewall logs, authentication records, and endpoint detection data significantly improves threat detection accuracy and enables faster incident response through centralized visibility.

Frequently Asked Questions

Q: What is the difference between IDS and IPS as defined by ISO/IEC 27039?

A: An Intrusion Detection System (IDS) monitors and alerts on suspicious activity but does not take active action to block threats. An Intrusion Prevention System (IPS) builds on IDS capabilities by actively blocking or preventing detected threats in real time. ISO/IEC 27039 covers both IDS and IPS (collectively IDPS) but places special emphasis on the additional operational considerations required for inline prevention.

Q: Can IPS effectively detect threats in encrypted traffic?

A: ISO/IEC 27039 acknowledges this as a significant challenge. Modern IPS platforms support SSL/TLS decryption inspection, but this introduces privacy concerns, certificate management overhead, and performance impacts. The standard recommends selective decryption based on traffic classification, risk assessment, and compliance requirements rather than blanket decryption of all traffic.

Q: How does ISO/IEC 27039 relate to other information security standards?

A: ISO/IEC 27039 is a guideline standard within the ISO/IEC 27000 family. It provides specific implementation guidance for the intrusion detection and prevention controls referenced in ISO/IEC 27002 (controls 12.6.1 and 12.7.1). Organizations certified to ISO/IEC 27001 will find 27039 essential for designing and operating their security monitoring and incident detection capabilities.

Q: What are the recommended sizing considerations for an enterprise IPS deployment?

A: The standard recommends sizing for at least 120% of peak throughput with headroom for signature complexity increases over time. Key factors include: total bandwidth requirements, number of concurrent sessions, protocol complexity (HTTP/HTTPS, SMTP, DNS inspection depth), and whether SSL decryption is required. For data center deployments, consider appliances rated for 10Gbps or higher with dedicated processing ASICs.
