IPSs provide a proactive component that integrates very effectively into your overall network security framework. Combining Intrusion Prevention with other security components, such as an IDS and perimeter firewalls, provides a robust defense-in-depth network security solution. Intrusion Prevention technology enables you to stop intrusion traffic before it enters your network by placing the sensor as a Layer 2 (Ethernet layer) forwarding device in the network. Some of the common dropping actions that IPS provides include the following:
One of the main benefits of Network Intrusion Prevention is the ability to stop intrusive traffic from reaching the target system. Other key benefits include the following:
Network Intrusion Prevention is not without its limitations; for example, an inline sensor cannot see traffic exchanged between hosts on the same subnet. These limitations usually can be mitigated by incorporating Intrusion Detection and host-based analysis in addition to Network Intrusion Prevention. A hybrid IPS enables you to perform both IPS and IDS functionality on the same sensor. Some of the capabilities shared by IPS and IDS systems include the following:
Alerts indicate that events are occurring on your network. IP logging enables you to record the intrusive activity that is occurring on your network. Most intrusion systems provide IP logging functionality that falls into several categories, such as the following:
Resetting TCP connections enables your intrusion system to forcibly terminate TCP connections when intrusive activity is detected. This functionality has limited effectiveness because the attack might already have succeeded in compromising the target system before the connection is reset. IP blocking is a reactive response that prevents traffic from an attacking system for a configured period of time. An intrusion system usually provides the following IP blocking options:
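The response actions described above (inline drop, alerts, IP logging, TCP reset, and time-limited IP blocking) can be seen together in a small model of an inline sensor's decision logic. This is an added example, not code from the original text or from any vendor's product; the signature names, byte patterns, IP addresses, timers, and the `Packet`/`Signature` types are all constructed for illustration. It shows why the text calls IP blocking reactive (the triggering packet is already past the sensor) and why a TCP reset is only attempted for TCP traffic.

```python
"""Model of an inline (Layer 2 style) sensor applying IPS/IDS response actions.

Constructed example: signatures, addresses and timers are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp" (simplified for the example)
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: bytes              # byte string looked for in the payload
    actions: Tuple[str, ...]    # any of: alert, log, reset, block, drop


# Constructed signature table for the example (not from any product).
SIGNATURES = [
    Signature("example-path-traversal", b"../../", ("alert", "log", "drop")),
    Signature("example-exploit-probe", b"EXAMPLE-EXPLOIT",
              ("alert", "log", "reset", "block", "drop")),
]


class InlineSensor:
    """Applies the configured response actions to each packet it forwards."""

    def __init__(self, signatures, block_seconds=300.0, log_seconds=60.0):
        self.signatures = signatures
        self.block_seconds = block_seconds      # configured IP blocking period
        self.log_seconds = log_seconds          # assumed: keep logging a source this long after a hit
        self.block_until: Dict[str, float] = {}  # src IP -> block expiry time
        self.log_until: Dict[str, float] = {}    # src IP -> logging expiry time
        self.alerts: List[str] = []
        self.ip_log: List[Packet] = []
        self.resets: List[Tuple[str, str]] = []  # (src, dst) pairs sent a TCP reset

    @staticmethod
    def _expire(table: Dict[str, float], now: float) -> None:
        for ip in [ip for ip, until in table.items() if until <= now]:
            del table[ip]

    def process(self, pkt: Packet, now: float) -> str:
        """Return "drop" or "forward" for pkt and record the side effects."""
        self._expire(self.block_until, now)
        self._expire(self.log_until, now)

        # IP blocking: a blocked source is dropped, unlogged, until the block expires.
        if pkt.src in self.block_until:
            return "drop"

        # IP logging continues for the configured window after the triggering event.
        if pkt.src in self.log_until:
            self.ip_log.append(pkt)

        verdict = "forward"
        for sig in self.signatures:
            if sig.pattern not in pkt.payload:
                continue
            if "alert" in sig.actions:
                self.alerts.append(f"{sig.name} {pkt.src}->{pkt.dst}")
            if "log" in sig.actions and pkt.src not in self.log_until:
                self.ip_log.append(pkt)
                self.log_until[pkt.src] = now + self.log_seconds
            # A reset only applies to TCP, and the attack may already have succeeded.
            if "reset" in sig.actions and pkt.proto == "tcp":
                self.resets.append((pkt.src, pkt.dst))
            if "block" in sig.actions:
                self.block_until[pkt.src] = now + self.block_seconds
            if "drop" in sig.actions:
                verdict = "drop"    # inline: this packet never reaches the target
        return verdict


def demo():
    """Run constructed traffic through the sensor; return (verdicts, sensor)."""
    sensor = InlineSensor(SIGNATURES, block_seconds=300.0, log_seconds=60.0)
    traffic = [  # (time in seconds, packet); addresses are documentation ranges
        (0.0, Packet("198.51.100.7", "192.0.2.10", "tcp", b"GET /index.html")),
        (1.0, Packet("198.51.100.7", "192.0.2.10", "tcp", b"GET /cgi/EXAMPLE-EXPLOIT")),
        (2.0, Packet("198.51.100.7", "192.0.2.10", "tcp", b"GET /index.html")),    # blocked
        (302.0, Packet("198.51.100.7", "192.0.2.10", "tcp", b"GET /index.html")),  # block expired
        (303.0, Packet("203.0.113.5", "192.0.2.10", "udp", b"EXAMPLE-EXPLOIT")),   # no TCP reset
    ]
    verdicts = [sensor.process(pkt, t) for t, pkt in traffic]
    return verdicts, sensor


if __name__ == "__main__":
    verdicts, sensor = demo()
    print("verdicts:", verdicts)
    print("alerts:", sensor.alerts)
    print("resets:", sensor.resets, "active blocks:", sensor.block_until)
```

In the constructed traffic, the packet carrying the matched pattern is dropped inline, but the block it triggers only affects the source's later packets, and it lapses once the configured period passes. The UDP hit raises an alert, is logged and blocked, but sends no reset, matching the text's point that resets are a TCP-only response.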