Hello,
The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The intrusion prevention system is a network-based system. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.
For example, it can prevent clients from writing files to a USB flash drive. Intrusion prevention also works as an IDS. Policies are enforced by TruScan. The IPS functionality acts as a first line of defence against network-based attacks.
Intrusion Prevention System technology significantly increases the level of protection that Symantec Endpoint Security gives to your network. You should always have IPS enabled on your network.
Intrusion Prevention System technology is strong, effective technology that prevents malicious files from getting to your hard drive in the first place.
Unlike antivirus, which looks for known malicious files, IPS scans the network traffic stream in order to find threats using known exploits and attack vectors. IPS does not detect specific files, but rather specific methods that can be used to get malicious files onto your network. This allows IPS to protect against both known and unknown threats, even before antivirus signatures can be created for them.
In Symantec Endpoint Protection 12.1, the client firewall function is separate and does not need to be installed or enabled for IPS to function.
Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347
Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
http://www.symantec.com/docs/TECH104434
Hope that helps!!