Chapter 8. Intrusion Prevention
The world of intrusion detection is starting to change. People are interested in not only detecting attacks, but preventing them. This shift of focus has led to the development of a new class of security tool, the Intrusion Prevention System (IPS). While the term IPS bears the strong odor of a marketing department, the concept is attractive.
Some of the solutions on the market (advertised as IPS) are really just network IDS installed locally on servers and workstations throughout the enterprise, but some are truly designed to detect and prevent intrusions. There are several intrusion prevention strategies being developed and deployed, including host-based memory and process protection mechanisms, session interception (sniping), and network firewall/gateway solutions. The Honeynet project has done some great work with Snort Inline and similar technologies in their second generation Honeypots. You can look at their work at http://project.honeynet.org.
Intrusion Prevention Strategies
Several intrusion detection strategies have been developed, including:
- Host-based memory and process protection
Systems for monitoring process execution and killing processes that appear malicious; for example, processes that are trying to execute a buffer overflow. These tools are interesting, but not particularly related to Snort.
- Session interception
Terminates a TCP session by sending an RST (reset) packet. When the flexible response plug-in is enabled, Snort can automatically ...
Get Managing Security with Snort & IDS Tools now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.