Intrusion Prevention and Active Response: Deploying Network and Host IPS

Chapter 1: Intrusion Prevention and Active Response

Introduction

The best way to prevent intrusion is to never deploy vulnerable software. Unfortunately, this goal is not achievable because of the scores of new vulnerabilities being announced every day in all sorts of software.

Intrusion detection systems (IDS) are an indispensable part of a security administrator's toolset, but their comparatively more powerful counterparts in the world of intrusion prevention have not enjoyed nearly as widespread deployment.

If there is one constant in the world of intrusion detection and, by extension, intrusion prevention, it is the need for constant tuning, reviewing, and monitoring to ensure proper operation.

After a software vulnerability is announced, there may be significant lag time between the announcement and the availability of a patch to fix the problem. In the meantime, how can security be maintained? An IPS allows for granular decisions to be made about the types of interactions allowed to take place on a host or network, and in the case of vulnerable software that must remain accessible, may provide one of the only means to enhance security. For example, an Application-layer attack (such as a buffer overflow) against a Web server will be allowed through by a stateful firewall that does not process Application-layer data. A network IPS can block packets and/or sessions that contain such malicious Application-layer content.
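The contrast in the paragraph above, as an added example that is not taken from the book: a stateful firewall decision based only on addresses, ports and connection state, next to an IPS-style check that also parses the HTTP request in the payload. The server address, the length limits and all function names are assumptions, and both packets are constructed samples.

```python
# Added illustration: constructed packets, hypothetical names and limits.
from dataclasses import dataclass

MAX_URI_LEN = 2048      # assumed policy limit, not from the chapter
MAX_HEADER_LEN = 8192   # assumed policy limit, not from the chapter

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    established: bool   # connection-tracking state
    payload: bytes

def stateful_firewall(pkt: Packet) -> str:
    """Decide on address, port and connection state only; the payload is never read."""
    if pkt.dst == "10.0.0.80" and pkt.dport == 80 and pkt.established:
        return "allow"
    return "drop"

def network_ips(pkt: Packet) -> str:
    """Apply the firewall policy, then inspect the HTTP request carried in the payload."""
    if stateful_firewall(pkt) == "drop":
        return "drop"
    head = pkt.payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "drop"                      # malformed request line
    if len(parts[1]) > MAX_URI_LEN:
        return "drop"                      # oversized URI, typical of overflow attempts
    if any(len(h) > MAX_HEADER_LEN for h in lines[1:]):
        return "drop"                      # oversized header field
    return "allow"

# Constructed sample traffic to the same Web server on TCP/80.
NORMAL = Packet("198.51.100.7", "10.0.0.80", 80, True,
                b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
OVERSIZED = Packet("198.51.100.7", "10.0.0.80", 80, True,
                   b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

def verdicts(pkt: Packet) -> tuple:
    """Return (firewall verdict, IPS verdict) for one packet."""
    return stateful_firewall(pkt), network_ips(pkt)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, verdicts(pkt))
```

Both packets match the same firewall rule, so only the payload inspection distinguishes them.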

This chapter outlines the general capabilities of active response systems and...
