A major component of Host IPS is the host firewall. Like all modern host-based firewalls, Host IPS uses an NDIS intermediate driver to perform network filtering operations at packet level.

When Host IPS is installed, the insertion of the firewall’s NDIS driver causes Microsoft Windows to tear down and rebuild the IP stacks on connected interfaces. This behavior causes some applications to generate error messages or lose connection during the temporary loss of connectivity.

Previous versions of Host IPS used firewall-hook drivers, which didn't cause this temporary disruption. But, Microsoft actively discourages use of the older technique in its developer guidance.