From Intrusion Prevention and Active Response: Deploying Network and Host IPS
Introduction
The best way to prevent intrusion is to never deploy vulnerable software. Unfortunately, this goal is not achievable because of the scores of new vulnerabilities being announced every day in all sorts of software.
Intrusion detection systems (IDS) are very useful as an indispensable part of a security administrator's toolset, but their comparatively more powerful counterparts in the world of intrusion prevention have not enjoyed nearly as widespread deployment.
If there is one constant in the world of intrusion detection and by extension intrusion prevention, it is the need for constant tuning, reviewing, and monitoring to ensure proper operation.
After a software vulnerability is announced, there may be significant lag time between the announcement and the availability of a patch to fix the problem. In the meantime, how can security be maintained? An IPS allows for granular decisions to be made about the types of interactions allowed to take place on a host or network, and in the case of vulnerable software that must remain accessible, may provide one of the only means to enhance security. For example, an application layer attack (such as a buffer overflow) against a Web server will be allowed through by a stateful firewall that does not process Application-layer data. A network IPS can block packets and/or sessions that contain such malicious Application-layer content.
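The distinction drawn above, a stateful firewall that decides on headers alone versus an inline IPS that also inspects the HTTP request, can be made concrete with a small added example. This is constructed illustration code, not code from the book; the 2048-byte URI limit, the sample requests and the `Packet` model are assumptions.

```python
# Added illustration (not from the book): header-only firewall decision vs.
# application-layer IPS decision over the same constructed HTTP request.
from dataclasses import dataclass

MAX_URI_LEN = 2048  # assumed limit for the protected Web server (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def firewall_allows(pkt: Packet, allowed_ports=(80, 443)) -> bool:
    """Stateful-firewall style decision: headers only, payload never examined."""
    return pkt.dport in allowed_ports


def ips_verdict(pkt: Packet) -> str:
    """Application-layer check: parse the HTTP request line and flag content
    that a header-only device cannot see (over-long or non-printable URI)."""
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0]
        method, uri, version = request_line.split(b" ")
    except ValueError:
        return "drop: malformed request line"
    if not version.startswith(b"HTTP/"):
        return "drop: malformed request line"
    if len(uri) > MAX_URI_LEN:
        return f"drop: URI length {len(uri)} exceeds {MAX_URI_LEN}"
    if any(b < 0x20 or b > 0x7E for b in uri):
        return "drop: non-printable bytes in URI"
    return "allow"


def inline_decision(pkt: Packet) -> str:
    """Order of evaluation an inline device would follow: L3/L4 first, then L7."""
    if not firewall_allows(pkt):
        return "firewall-blocked"
    verdict = ips_verdict(pkt)
    return "forwarded" if verdict == "allow" else "ips-" + verdict


# Constructed sample traffic: a normal request and an over-long request URI.
BENIGN = Packet("10.0.0.5", "10.0.0.80", 80,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
OVERLONG = Packet("10.0.0.5", "10.0.0.80", 80,
                  b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n")
```

Both packets pass the header-only check because they target port 80; only the application-layer check separates them.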
This chapter outlines the general capabilities of active response systems and...