Intrusion Prevention and Active Response: Deploying Network and Host IPS

Chapter 8: Deploying Open Source IPS Solutions

Introduction

Intrusion prevention systems (IPS) combine the best features of a firewall and an intrusion detection system (IDS), not only to detect attacks but also to prevent them. One important distinction to make is the difference between intrusion prevention and active response. An active response device dynamically reconfigures or alters network or system access controls, session streams, or individual packets based on triggers from packet inspection and other detection devices. Active response happens after the event has occurred; thus a single-packet attack will be successful on the first attempt and blocked in future attempts. While active response devices are beneficial, this one aspect makes them unsuitable for an overall solution.

Network intrusion prevention devices are typically inline devices on the network that inspect packets and make decisions before forwarding them on to their destination. This type of device has the ability to defend against single-packet attacks on the first attempt by blocking or modifying the attack inline. System or host intrusion prevention devices are also inline at the operating system (OS) level. They have the ability to intercept system calls, file access, memory access, processes, and other system functions to prevent attacks.

There are several methods of intrusion prevention and active response technologies, including the following:

  • Application Shims: This type of intrusion prevention strategy provides data input validation and memory protection at the application level. Memory protection consists of a mechanism to prevent a process from corrupting the memory of another process running on the same...
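The first-packet difference between active response and inline prevention described in the introduction, as an added example that is not from the book: a toy Python model that runs the same packet stream through both kinds of device. The signature string, addresses, class names and the source-address block list are assumptions constructed for illustration.

```python
"""Toy model of active response vs. inline prevention (constructed example)."""
from dataclasses import dataclass, field

# Constructed stand-in for a detection signature; not a real rule.
SIGNATURE = b"EVIL-PAYLOAD"


@dataclass(frozen=True)
class Packet:
    src: str
    payload: bytes


def matches(pkt: Packet) -> bool:
    return SIGNATURE in pkt.payload


@dataclass
class ActiveResponse:
    """Sensor beside the traffic path: the packet is forwarded first, then
    the device reacts by adding the source to a block list (assumed ACL)."""
    blocked: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> bool:
        if pkt.src in self.blocked:
            return False              # dropped by the reconfigured ACL
        if matches(pkt):
            self.blocked.add(pkt.src)  # response happens after the event
        return True                   # packet already reached the target


class InlineIPS:
    """Inline device: inspects every packet before deciding to forward it."""

    def handle(self, pkt: Packet) -> bool:
        return not matches(pkt)


def run(device, stream):
    """Return one delivered/dropped flag per packet, in order."""
    return [device.handle(p) for p in stream]


# Constructed sample traffic: benign, attack, repeat attack, benign.
STREAM = [
    Packet("10.0.0.5", b"GET /index.html"),
    Packet("198.51.100.7", b"xx" + SIGNATURE + b"xx"),
    Packet("198.51.100.7", SIGNATURE + b" again"),
    Packet("10.0.0.5", b"GET /about.html"),
]

if __name__ == "__main__":
    print("active response:", run(ActiveResponse(), STREAM))
    print("inline IPS:     ", run(InlineIPS(), STREAM))
```

The second flag in each result is the single-packet attack: the active response model delivers it and only blocks the repeat, while the inline model drops it on the first attempt.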
