Introduction

The selling point of Intrusion Prevention Systems (IPS ) is that their technology thwarts attacks on networks by removing malicious packets before they inflict damage. As mentioned in Chapter 3, Intrusion Detection System (IDS) platforms are plagued by false positives and high alarm loads, which will make life difficult for those organizations looking to IPS for help. When an IPS is deployed, several prerequisites must be met:

• A Change of Paradigm Must Take Place. The security team is on call to assist the operations team in finding a solution to any problem.

• The Deployment Must be Adequately Planned. An inline device functions identically to a router, switch, or firewall in that the smallest misconfiguration or problem can take down an entire network. One simple rule that operations staffs learned long ago is: Proper Prior Planning Prevents Poor Performance

• Welcome to the Change Control Board. Most large organizations have a Change Control Board (CCB) that is responsible for signing off on network alterations from access control list (ACL) changes to entire infrastructure modifications. The management of inline devices requires that the security team communicate any changes that affect network access or performance. One solution could be a daily host/network block list, shared by operations and security, where more permanent changes are placed into a firewall or ACL, while daily changes are left in the IPS rules.

• How Does an IPS Fail Open or Closed? There are two types of failure mode: open and closed.