Until 2004, intrusion prevention was primarily hype. As recently as June 11, 2003, when the famous Gartner "IDS Is Dead" report was released, following its advice (give up on your IDS and trust in the latest generation of "intrusion prevention" firewalls) was almost impossible: the IPS products were still too immature, and firewalls were not yet advanced enough to run inside internal networks in a blind, unprotected manner. The criticisms of IDS were certainly true (IDS has a high false-positive rate and can be bandwidth challenged), but they did not support the conclusion that the money was better spent on a better firewall.
However, no one can deny that this paper was the nexus of a lot of change, especially in the IDS industry. The most positive effect was a significant improvement in false-positive handling. NFR started working on a network intrusion prevention system (NIPS); Sourcefire ditched Snorty the pig and, in terms of its primary internal focus, became a Realtime Network Awareness (RNA) company, selling a passive sensor and visualization tool. Symantec and Enterasys were quick to point out that the Gartner report was simplistic: you really should buy both an IDS and an IPS, and you should buy both from them. And, of course, every firewall vendor, no matter how lame, immediately found a way to get intrusion prevention onto its home page somehow. The entire industry reformed itself in a year's time, but not always for the better.
Today, we have an industry where everyone has a product labeled "intrusion prevention." However, there is no agreed definition of what intrusion prevention is. It is no longer just hype; there are some powerful trends afoot, even though the functionality provided by industry products varies significantly. Therefore, as we work our way through the chapter, we will classify the products into two major groups: