Three years ago, Entercept (a company since acquired by
Network Associates) introduced to the world a unique host
security approach. It enveloped the operating system kernel
within a security layer that intercepted system calls and
evaluated them against a database of attack signatures and
behaviours. Depending on the nature of the call, the Entercept
security layer either permitted or terminated the request,
thereby preventing both known and unknown attacks such as
buffer overflows, privilege escalation and Blaster-like worm
attacks.
Thus was born 'intrusion prevention', which soon became the
buzz in security tools. Today, intrusion prevention systems do
not merely add another increment of security, as other tools do;
they take security to the next level!
An Intrusion Prevention System (IPS) can provide security at
the most fundamental levels: the operating system kernel and
the network data packet. It can also address the central
failure of traditional security tools, their inability to
proactively counter 'unknown' attacks.
As per a 2002 CII-PwC security survey of Indian companies,
unknown attacks that exploit newly discovered OS vulnerabilities
are the biggest cause of security breaches in organisations.
Countering such attacks requires continual patching, which is
difficult and cumbersome to say the least, unless organisations
deploy automated patch-management solutions such as PatchEasy,
UpdateExpert etc. Since an IPS protects against both known and
unknown attacks, an organisation's systems remain reasonably
sheltered while they await deployment of the patch that plugs a
just-announced vulnerability; the IPS buys time, it does not
remove the need to patch. Even so, the ability to prevent
unknown attacks is by itself more than adequate reason for
organisations to snap it up.
IPS made its entry, as if on cue, just as the murmur of growing
disenchantment with IDS was turning into a chorus. While an IDS
notifies administrators of attacks, it does nothing to thwart
them. That is simply not good enough for weary administrators
who want to say "don't tell me, just fix it!" An IPS does
exactly that.
This disillusionment with IDS is compounded by the inability of
firewalls to prevent application-layer intrusions and attacks
that originate inside the network. Again, IPS closes this gap
by providing application-layer inspection and monitoring of
internal network traffic.
Intrusion prevention systems fall into two categories:
host-based intrusion prevention (HIP) products such as
Entercept, and the newer network-based intrusion prevention
(NIP) products such as IntruShield.
A HIP product protects servers and hosts through software
agents that sit between applications and the OS kernel. The
agent intercepts system calls at the lowest level (disk
read/write requests, network connection requests, attempts to
change the registry or write to memory) and either allows or
denies the activity based on predetermined rules. For example,
unless explicitly permitted, an application cannot modify
certain files or change data in the system registry.
In addition to a database of known attack signatures, HIP
systems carry an inbuilt database of generic attack behaviours.
They can therefore block generically malicious activity such as
rewriting OS executables or establishing unauthorised network
connections even without a matching rule or signature. The end
result is that most exploits simply would not work as intended:
attackers might get past the network defences and reach a
server, but would be unable to do much once they got there. The
price is tuning, since a behaviour rule that is too broad also
blocks legitimate activity such as software updates.
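The allow/deny logic of the two paragraphs above, written out as an added example in Python. This is not Entercept's code: the event fields, the rule globs, the lists of sensitive paths and network-capable processes, and the sample events are all assumptions constructed for the example. Explicit rules are checked first, then the signature-free behaviour checks, then a default of allow, which is what lets a permitted updater write to System32 while an unknown process doing the same is stopped.

```python
"""Toy host-intrusion-prevention policy engine (added example, not Entercept's).

Models the decision a HIP agent makes for one intercepted system call:
explicit administrator rules first, then generic 'attack behaviour' checks
that need no signature, then a default of allow.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One intercepted call (field names are this example's own)."""
    process: str   # image name of the calling process
    op: str        # "read", "write", "connect", "registry_write", ...
    target: str    # file path, registry key, or host:port


@dataclass(frozen=True)
class Rule:
    process: str   # glob on process name
    op: str        # glob on operation
    target: str    # glob on target
    action: str    # "allow" or "deny"


# Explicit rules, first match wins (constructed for the example).
RULES = [
    Rule("winlogon.exe", "registry_write", r"HKLM\SYSTEM\*", "allow"),
    Rule("trusted_updater.exe", "write", r"C:\Windows\System32\*", "allow"),
    Rule("*", "registry_write",
         r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*", "deny"),
]

# Inputs to the generic behaviour checks (constructed for the example).
OS_EXECUTABLE_GLOBS = (r"C:\Windows\System32\*.exe", r"C:\Windows\System32\*.dll",
                       "/usr/bin/*", "/sbin/*")
NETWORK_CAPABLE = {"iexplore.exe", "svchost.exe", "sshd"}


def rule_matches(rule: Rule, event: Event) -> bool:
    return (fnmatchcase(event.process, rule.process)
            and fnmatchcase(event.op, rule.op)
            and fnmatchcase(event.target, rule.target))


def explicit_decision(event: Event) -> Optional[str]:
    """Action of the first explicit rule that matches, or None."""
    for rule in RULES:
        if rule_matches(rule, event):
            return rule.action
    return None


def generic_decision(event: Event) -> Optional[str]:
    """Signature-free behaviour checks: deny what attacks generically do."""
    # Behaviour 1: rewriting an OS executable or library.
    if event.op == "write" and any(fnmatchcase(event.target, g) for g in OS_EXECUTABLE_GLOBS):
        return "deny"
    # Behaviour 2: an outbound connection from a process not expected to use the network.
    if event.op == "connect" and event.process not in NETWORK_CAPABLE:
        return "deny"
    return None


def decide(event: Event) -> str:
    """Explicit rule beats behaviour check beats the default allow."""
    return explicit_decision(event) or generic_decision(event) or "allow"


def enforce(events: List[Event]) -> List[Tuple[Event, str]]:
    return [(e, decide(e)) for e in events]


# Constructed events, not a real trace.
SAMPLE_EVENTS = [
    Event("trusted_updater.exe", "write", r"C:\Windows\System32\kernel32.dll"),
    Event("evil.exe", "write", r"C:\Windows\System32\svchost.exe"),
    Event("evil.exe", "connect", "203.0.113.5:4444"),
    Event("iexplore.exe", "connect", "93.184.216.34:443"),
    Event("evil.exe", "registry_write",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("notepad.exe", "write", r"C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for event, action in enforce(SAMPLE_EVENTS):
        print(f"{action:5s} {event.process:20s} {event.op:15s} {event.target}")
```

Running it yields allow, deny, deny, allow, deny, allow for the six sample events. The order of the three stages is the design point: an explicit allow must be able to override a behaviour check, otherwise legitimate updaters are blocked, and an explicit deny on the Run key catches persistence attempts that no behaviour heuristic would flag.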
Network intrusion prevention products are typically situated
'in line', positioned to intercept network traffic, scan it for
suspicious activity through deep packet inspection, and then
either block it or let it through. Network IPS products use a
range of techniques, from IDS-like signature scanning (looking
for telltale intrusion patterns in strings of bytes) to protocol
anomaly detection (checking whether a packet does anything its
transmission protocol does not ordinarily permit). Because the
device sits in the traffic path, a false positive drops
legitimate traffic and a device failure can cut the link, so
in-line deployment needs careful tuning and a fail-open or
fail-closed decision.
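As an added example, and not IntruShield's or any product's code, here is a toy in-line inspector for HTTP requests that combines the two techniques just described: byte-pattern signatures and protocol anomaly checks. The signature regexes (modelled on the well-known IIS double-encoded traversal and on a NOP sled), the size limits and the sample requests are all constructed assumptions; the inspector returns "drop" or "forward" with the reasons.

```python
"""Toy in-line network IPS for HTTP (added example, not any product's code).

Each request is inspected as raw bytes: first against byte-pattern
signatures, then against what HTTP/1.x permits. Any hit drops the request.
"""
import re
from typing import List, Tuple

# Signatures: telltale byte patterns (constructed for the example).
SIGNATURES = {
    "iis-unicode-traversal": re.compile(rb"/\.\.(?:%(?:25)?5c|%c0%af)", re.IGNORECASE),
    "nop-sled": re.compile(rb"\x90{16,}"),
}

# Protocol expectations (limits are assumptions, not a standard).
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
MAX_REQUEST_LINE = 2048
MAX_HEADER_LINE = 1024
MAX_HEADERS = 64
REQUEST_LINE_RE = re.compile(rb"^([A-Z]+) (\S+) (HTTP/1\.[01])$")


def signature_hits(payload: bytes) -> List[str]:
    """Names of every signature found anywhere in the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def protocol_anomalies(payload: bytes) -> List[str]:
    """Things the bytes do that an HTTP/1.x request ordinarily may not."""
    anomalies = []
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > MAX_REQUEST_LINE:
        anomalies.append("oversized-request-line")
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        anomalies.append("malformed-request-line")
    elif m.group(1) not in HTTP_METHODS:
        anomalies.append("unknown-method")
    if len(headers) > MAX_HEADERS:
        anomalies.append("too-many-headers")
    for h in headers:
        if len(h) > MAX_HEADER_LINE:
            anomalies.append("oversized-header")
            break
        if b":" not in h:
            anomalies.append("malformed-header")
            break
        if any(c < 0x20 or c > 0x7E for c in h if c != 0x09):
            anomalies.append("non-printable-header")
            break
    return anomalies


def inspect(payload: bytes) -> Tuple[str, List[str]]:
    """In-line verdict: 'drop' with reasons, or 'forward' with none."""
    reasons = [f"sig:{s}" for s in signature_hits(payload)]
    reasons += [f"anomaly:{a}" for a in protocol_anomalies(payload)]
    return ("drop" if reasons else "forward", reasons)


# Constructed sample requests, not captured traffic.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = (b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
             b"Host: 192.0.2.10\r\n\r\n")
OVERSIZED = b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n"
NOP_SLED = b"\x90" * 32 + b"ABCD"          # NOP run followed by filler bytes
UNKNOWN_METHOD = b"HACK / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("traversal", TRAVERSAL),
                      ("oversized", OVERSIZED), ("nop-sled", NOP_SLED),
                      ("unknown-method", UNKNOWN_METHOD)]:
        verdict, reasons = inspect(pkt)
        print(f"{name:15s} {verdict:8s} {', '.join(reasons)}")
```

The oversized request line is the interesting case: no signature matches it, since the attacker's bytes are just filler, yet the anomaly check drops it because no legitimate HTTP/1.x client sends a 3 KB request line. That is the sense in which protocol anomaly detection reaches 'unknown' attacks that a signature database has never seen.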
Network-based systems block worm traffic that matches their
filters, containing Nimda-like outbreaks within the enterprise
network. Some even proactively 'go after' attackers by sending
'tagged' responses to network probes and permanently blocking
any source that later uses the tagged information to connect.
Clearly, in an unbounded world where network perimeters are
dissolving and the distinction between insiders and outsiders
is blurred, traditional security tools fall short. In this
world, IPS is the new crown jewel of enterprise security!