22.3. Network Intrusion Prevention Systems
Finding possible intrusions is helpful to a system administrator who wants to learn what the bad guys are up to and take action, manually, to improve the network's defenses. However, even the best administrator can't react instantly or be available to respond to new threats 24 hours a day. Moreover, by the time a NIDS has noticed a problem, some damage may already be done. As a result, there's an even more powerful tool, a network intrusion prevention system, or NIPS. A NIPS relies on the same infrastructure as a NIDS but adds a component: a hook that ties into a system that can cut off an attacker's access, such as a firewall or router. An administrator can typically configure a NIPS such that whenever malicious traffic matching a certain description or level of severity appears, a new firewall rule is added or other appropriate action is taken to protect the network automatically.
Unlike a NIDS, which can sniff network traffic from anywhere on the network, a NIPS — or at least the component that does the blocking of network traffic — must reside in a device that's logically between the outside world and the local network. So, for example, a Mac that uses software to act as a NIPS could be connected between the gateway or firewall and a router that mediates Internet access for the rest of the network, or it can be the same Mac that functions as a network firewall; but one way or another, the NIPS can't block network traffic unless the ...
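The "hook" described above is, at its core, a small piece of decision logic between the detector and the firewall: read alerts, keep those above a chosen severity, never block addresses that would cut off the network itself, and emit a firewall rule. The following script is an added illustration of that logic and is not code from Mac Security Bible or from any real NIPS product. The alert line format, the 1 to 5 severity scale, the default threshold, the sample addresses, and the pf-style rule text are all assumptions made for the example; it only prints the rules rather than loading them.

```python
"""Toy NIPS hook: turn NIDS alerts into firewall block rules.

Added example, not taken from Mac Security Bible. The alert format,
severity scale, threshold and the pf-style rule syntax are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample alerts in a made-up "timestamp|severity|src|dst|signature"
# line format (addresses are documentation ranges, not real hosts).
SAMPLE_ALERTS = """\
2024-01-01T10:00:00|3|203.0.113.7|192.0.2.10|SCAN TCP port sweep
2024-01-01T10:00:05|1|198.51.100.3|192.0.2.10|INFO DNS query to new domain
2024-01-01T10:00:09|4|203.0.113.7|192.0.2.11|EXPLOIT attempted buffer overflow
2024-01-01T10:01:00|5|192.0.2.1|192.0.2.10|POLICY suspicious traffic from gateway
2024-01-01T10:02:00|4|203.0.113.9|192.0.2.10|EXPLOIT SQL injection attempt
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    severity: int
    src: str
    dst: str
    signature: str


def parse_alerts(text):
    """Parse the constructed pipe-separated alert lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sev, src, dst, sig = line.split("|", 4)
        alerts.append(Alert(ts, int(sev), src, dst, sig))
    return alerts


def decide_blocks(alerts, threshold=4, never_block=()):
    """Return the sorted list of source addresses that should be blocked.

    threshold:   minimum severity (assumed 1-5 scale) that triggers a block.
    never_block: CIDR networks that must never be blocked (the gateway, the
                 management host, the local LAN), so an alert carrying a forged
                 or internal source address cannot lock the administrator out
                 or cut the network off from itself.
    """
    protected = [ipaddress.ip_network(n) for n in never_block]
    blocked = set()
    for a in alerts:
        if a.severity < threshold:
            continue
        addr = ipaddress.ip_address(a.src)
        if any(addr in net for net in protected):
            continue
        blocked.add(a.src)
    return sorted(blocked, key=ipaddress.ip_address)


def pf_rules(addresses, table="nips_block"):
    """Render pf-style rules: a persistent table plus one block rule.

    The rule text is constructed for illustration; the script prints it and
    never loads it into a live firewall.
    """
    lines = [f"table <{table}> persist {{ " + ", ".join(addresses) + " }"]
    lines.append(f"block in quick from <{table}> to any")
    return "\n".join(lines)


def alerts_to_rules(text, threshold=4, never_block=("192.0.2.0/24",)):
    """Full pipeline: alert text in, firewall rule text out."""
    return pf_rules(decide_blocks(parse_alerts(text), threshold, never_block))


if __name__ == "__main__":
    print(alerts_to_rules(SAMPLE_ALERTS))
```

Run as written, the script blocks 203.0.113.7 and 203.0.113.9 (each has at least one alert at or above severity 4) and leaves 192.0.2.1 alone even though its alert is the most severe, because it falls inside the protected local range. That allowlist is the part worth keeping in any real automation: an automatic blocker that can be fed a spoofed source address is otherwise a tool for an attacker to make the firewall do the damage for them.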