6) Denial-of-service protection. Your IPS should provide protection against illegal input and traffic-flood DoS (denial-of-service) attacks without disturbing legitimate network traffic. Connection floods and Web service starvation attacks are typical examples of distributed DoS (DDoS) attacks. TCP SYN flood attacks are stopped by identifying the incoming connection attempts that come from spoofed source addresses during an attack and blocking them before they reach the target system. Your IPS must quickly identify the spoofed connection sources and block them while allowing valid user connections to pass through. UDP flood DoS attacks are controlled by rate limiting the incoming UDP datagrams destined for the protected Web service.
Once a botnet host has been identified, the IPS uses correlation techniques to detect suspicious behavioral patterns in that host's Web service communication and blocks the malicious host's traffic to the Web service.
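The two flood controls described above, per-source rate limiting of UDP datagrams and blocking of sources that accumulate half-open TCP connections, as an added illustration that is not code from the original article or from any IPS product. The `FloodPolicer` class, its thresholds, and the sample traffic (RFC 5737 documentation addresses) are all constructed for this example.

```python
from collections import defaultdict, deque
class FloodPolicer:
    def __init__(self, udp_rate=10.0, udp_burst=5, syn_limit=3, syn_window=1.0):
        self.udp_rate = udp_rate      # datagrams per second refilled, per source
        self.udp_burst = udp_burst    # bucket size: short burst tolerated
        self.syn_limit = syn_limit    # half-open connections tolerated per source
        self.syn_window = syn_window  # seconds a SYN stays half-open with no ACK
        self._bucket = {}                    # src -> (tokens, last_seen)
        self._halfopen = defaultdict(deque)  # src -> timestamps of unanswered SYNs
        self.blocked = set()
    def _udp_allowed(self, src, ts):
        # Token bucket per source: legitimate clients at modest rates never run dry.
        tokens, last = self._bucket.get(src, (self.udp_burst, ts))
        tokens = min(self.udp_burst, tokens + (ts - last) * self.udp_rate)
        ok = tokens >= 1
        self._bucket[src] = (tokens - 1 if ok else tokens, ts)
        return ok
    def _syn_allowed(self, src, ts, flags):
        q = self._halfopen[src]
        while q and ts - q[0] > self.syn_window:
            q.popleft()                      # expire stale half-open entries
        if flags == "ACK":                   # handshake completed: a real client
            if q: q.popleft()
            return True
        q.append(ts)
        if len(q) > self.syn_limit:          # spoofed sources never answer
            self.blocked.add(src)
            return False
        return True
    def inspect(self, pkt):
        """pkt = (timestamp, src_ip, proto, tcp_flags); returns 'pass' or 'drop'."""
        ts, src, proto, flags = pkt
        if src in self.blocked:
            return "drop"
        if proto == "udp":
            return "pass" if self._udp_allowed(src, ts) else "drop"
        if proto == "tcp" and flags in ("SYN", "ACK"):
            return "pass" if self._syn_allowed(src, ts, flags) else "drop"
        return "pass"

def run_demo():
    """Constructed traffic: legit client, SYN-only spoofed source, UDP burster."""
    policer = FloodPolicer()
    packets = [(0.0, "10.0.0.5", "tcp", "SYN"), (0.01, "10.0.0.5", "tcp", "ACK")]
    packets += [(0.1 + i * 0.01, "203.0.113.9", "tcp", "SYN") for i in range(6)]
    packets += [(0.2 + i * 0.005, "198.51.100.7", "udp", None) for i in range(20)]
    packets += [(0.5, "10.0.0.5", "udp", None)]
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for p in packets:                        # already in timestamp order
        counts[p[1]][policer.inspect(p)] += 1
    return {src: dict(v) for src, v in counts.items()}, sorted(policer.blocked)
```

The legitimate client keeps all of its packets, the SYN-only source is blocked after its fourth unanswered SYN, and the UDP burster gets only its 5-datagram burst through before being policed.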
7) Central management capabilities. Central management is essential for IPS security because it lets you change your system's configuration without having to manually touch every remote location. Central management typically lets you monitor and manage appliances and components, with options that may include alerts, security content updates, appliance updates, and firewall and intrusion prevention settings. As a result, less administrative time is devoted to network security, incident and log management operations, and integration with other security components to enforce immediate threat mitigation policies or software updates.
8) Performance. Your IPS could affect your network if it is not implemented properly or if the IPS product is poorly architected. Look for the ability to use clustering to share connection processing, which enhances performance and reduces downtime. How you deploy the components of your IPS can also minimize the risk of performance degradation: the IPS must capture and analyze traffic, so it is best to separate the analysis component onto a dedicated system. Ask your IPS vendor how best to deploy your IPS with the least impact on network performance, and ask how signatures and other context information are analyzed to see whether performance is an issue.