Network and System Security: Chapter 2. Preventing System Intrusions

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion prevention systems (IPSs) focus primarily on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IPSs have become a necessary addition to the security infrastructure of nearly every organization. IPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IPS stopping the attack itself, changing the security environment (reconfiguring a firewall), or changing the attack’s content. This chapter describes the characteristics of IPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed.