>Firewalls have traditionally been used to “wall off” the enterprise from computer attack, but now intrusion-prevention systems are augmenting the organization’s defenses.
The Wall Street Journal, 28 January 2008 reports that “intrusion prevention systems promise an even smarter defense” than firewalls.
Firewalls are intended to keep intruders out. However, because certain traffic, such as email, needs to get through, holes or open ports allow in traffic that can carry viruses or malware into the network.
Intrusion-prevention systems work differently—they don’t wall off the enterprise networks like firewalls, but rather like a metal detector, they filter or scan every piece of traffic entering the organization for suspicious activity, and reject any item that is identified as a threat.
According to Wikipedia, Intrusion prevention systems (IPS)… [are] a considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done.
Intrusion-prevention systems can be hardware that is physically attached to the network or software that is loaded onto individual computers.
Are intrusion-prevention systems really necessary?
Yes. “According to the Computer Security Institute 2007 Computer Crime and Security Survey, the average annual loss suffered by U.S. companies from computer crime more than doubled last year to $350,424 from $168,000 in 2006. And these reported losses tend to underestimate the number of attacks.”
Gartner analyst recommends antivirus on PCs and an intrusion –prevention system on the network.
Are there any problems with intrusion-prevention systems?
One of the biggest issues is false positives, which if not adjusted for will block desired incoming traffic. One way to handle this is to use the intrusion-prevention system to “detect threats and flag them,” rather than simply block them altogether. Additionally, the organization can adjust the filters that they may not need. This is the tuning required to ensure performance in terms of network speed and an appropriate level of filtering.
If your organization is not using an intrusion-prevention system, this is something your enterprise architecture needs to plan for and implement ASAP.