November 26, 2012, 2:41 PM — This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
An intrusion prevention system (IPS) includes all the features of an intrusion detection system but also has the ability to act upon malicious traffic. Since the IPS usually sits in line with network traffic, it can shut down attacks, typically by blocking access from the attacker or blocking access to the target. In some cases, the IPS can talk to the firewall to block an attack.
Here are 10 issues that every IPS should address in order to ensure your network is as safe as it can be:
1) IDS, IPS and hybrid modes. Your IPS should be multifunctional so you can deploy it depending on your exact need. In the IDS mode, the device passively monitors network traffic. In the IPS mode, the device is configured in the traffic path. In either mode the device should be able to restrict traffic, whether by sending resets or by requesting that a firewall or inline IPS isolate the segment from other networks using blacklisting. The IPS mode is also effective in blocking attacks if you can identify a clear threat path -- for example, traffic from the Internet to a DMZ segment. In the hybrid mode, the same device is configured to function in both modes, which is an efficient and cost-effective solution for smaller implementations.
2) AET protection. Advanced evasion techniques (AETs) are real and are currently used by NSS Labs and other organizations to test security vendor products. In its latest report, Verizon said that in 31% of attacks against large organizations, an attack vector remained unknown. Analyzing AETs requires inspecting and normalizing all data streams, but 95% of organizations are not doing that. Most current security devices cannot flag or log AETs separately. At best, they may report anomalies or suspicious traffic.
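As an added example that is not part of the original primer, the following Python shows why the normalization requirement in item 2 matters for detection: the same signature is checked once per segment and once after TCP stream reassembly and percent-decoding. The `Segment` class, the `EVIL-SIG` pattern and the sample segments are constructed placeholders, not a real signature or captured traffic.

```python
# Added example (not from the Network World primer): one constructed signature
# checked per-segment and again after stream reassembly plus percent-decoding.
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

SIGNATURE = b"EVIL-SIG"  # constructed placeholder for a detection pattern

@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes

def naive_match(segments, signature=SIGNATURE):
    """Inspect each segment as it arrives, with no reassembly or decoding."""
    return any(signature in s.payload for s in segments)

def reassemble(segments):
    """Order segments by sequence number and join contiguous payloads.
    Overlaps keep the first-seen bytes; a gap stops reassembly (an inline
    IPS would hold the stream until the missing bytes arrive)."""
    stream, expected = bytearray(), 0
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break  # gap: bytes past it cannot be interpreted yet
        stream += seg.payload[expected - seg.seq:]
        expected = max(expected, seg.seq + len(seg.payload))
    return bytes(stream)

def normalize(stream):
    """Percent-decode until stable so double-encoded bytes are resolved too."""
    prev = None
    while prev != stream:
        prev, stream = stream, unquote_to_bytes(stream)
    return stream

def normalized_match(segments, signature=SIGNATURE):
    """Match against the reassembled, normalized stream, not raw segments."""
    return signature in normalize(reassemble(segments))

# Constructed sample: the signature is split across three segments that
# arrive out of order, with two of its letters percent-encoded.
SAMPLE = [
    Segment(18, b"9G HTTP/1.0\r\n"),
    Segment(0, b"GET /?q=%45V"),
    Segment(12, b"IL-S%4"),
]
BENIGN = [Segment(0, b"GET /index.html HTTP/1.0\r\n")]
```

On `SAMPLE`, `naive_match` returns False while `normalized_match` returns True; the per-segment view never sees the pattern that the normalized stream plainly contains.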