Intrusion Prevention and Active Response: Deploying Network and Host IPS

Chapter 6: Protecting Your Host Through the Operating System

Introduction

So far, we have discussed intrusion prevention in the context of the network. You have seen how Intrusion Prevention Systems (IPSs) can be deployed to attempt to stop suspect network traffic from reaching its intended destination, but you also know that current IPS technology is far from perfect. Given the rate at which security problems are reported in server software such as Internet Information Server (IIS) and Apache, it would be foolish to believe that every last vulnerability has been extinguished, and that no more will appear. A network or application IPS can do a fine job of turning away connections that carry payloads known to be malicious, but what about the next zero-day attack? In January 2003, the Structured Query Language (SQL) Slammer worm was unleashed, targeting machines running Microsoft's SQL Server. It was so effective that it spread across the Internet in minutes, and according to one report (see http://whirlpool.net.au/article.cfm?id=_1064&show=replies), indirectly led to the disabling of 5 of the Internet's 13 root-level name servers. Intrusion Detection Systems (IDSs) were powerless. As a security professional, it makes sense not to put all of your eggs in one basket. Several competing and complementary technologies exist that can be deployed on host machines and that aim to provide a layer of protection against mischief and malice that may be your last line of defense. In this chapter, we look at these technologies. We show you how these technologies do their job, the kinds of attacks they can help to prevent, and...
