Opinion: Network Intrusion Prevention Isn't a This-Generation Technology
Modernizing Authentication — What It Takes to Transform Secure Access
You've got firewalls and VPN concentrators at the very outside. You've got intrusion detection and prevention, virus scanners, e-mail security devices, and boxes to do network access control and content filtering. Of course you might have outsourced some services, such as e-mail hygiene. But others really need to be done at your actual network perimeter.
And all these boxes run in-line, creating a tenuous physical architecture, potential points of failure and multiple potential performance bottlenecks, but, as Arlo Guthrie said, that's not what I came here to tell you about.
I came to talk about the toughest job in the whole perimeter: the intrusion prevention system, or IPS. It turns out that the IPS not only has the most difficult job performed at the network perimeter, it's not generally taken seriously.
The IPS at the network perimeter evolved out of the IDS (intrusion detection system), which scans network traffic looking for signs of attack and reports them. IDSes developed the reputation of bombarding administrators with reports, very few of which really needed to be dealt with.
IPSes, like IDSes, are driven by attack signatures for which they scan the traffic. An IPS goes a step further: It not only scans for attacks, but also attempts to block them. There's another type of IPSa host-based IPSwhich runs on a computer and attempts to block attacks aimed at that specific computer.
Unsurprisingly, network IPSes suffer from all the problems of network IDSes: Depending on how you tune them, they are prone to false positives and have the potential to slow all network traffic. Host-based IPSes have a significant advantage: Since they run on the computer they're protecting, they have the ability to monitor the state of that system and the context of the attack.