Chapter 8. Intrusion Prevention
The world of intrusion detection is
starting to change. People are interested in not only detecting
attacks, but preventing them. This shift of focus has led to the
development of a new class of security tool, the Intrusion
Prevention System (IPS). While the term
IPS bears the strong odor of a marketing department, the concept is
attractive.
Some of the solutions on the market (advertised as IPS) are really
just network IDS installed locally on servers and workstations
throughout the enterprise, but some are truly designed to detect and
prevent intrusions. There are several intrusion prevention strategies
being developed and deployed, including host-based memory and process
protection mechanisms, session interception (sniping), and network
firewall/gateway solutions. The Honeynet Project has done some great
work with Snort Inline and similar technologies in its
second-generation honeypots. You can look at that work at http://project.honeynet.org.