Because targeted crack attacks on enterprises’ networks have been increasing in recent years, intrusion prevention is gaining greater importance for companies. Thus, companies are shifting from the time-consuming process of detecting intrusions and having security administrators react to them manually toward the automated mechanisms found in Intrusion Prevention Systems.
Research firm Gartner Inc. has defined three criteria that a useful network- and host-based intrusion-prevention application must meet: (1) It must not disrupt normal operations, meaning that when it is placed online, an intrusion-prevention system must not introduce unacceptable or unpredictable latency into a network. A host-based intrusion-prevention system should not consume more than 10% of a system’s resources, so that network traffic and processes on the servers can continue to run. Blocking actions must take place in real time or near-real time, with latencies measured in tens of milliseconds rather than in seconds. (2) It must block exploits using more than one algorithm, operating at the application level as well as at the firewall-processing level. (3) It must be able to distinguish “attack events” from “normal events.”
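The three criteria above can be read as a design contract for an inline decision path. The following added example (not from the cited report or from any product) models that contract with constructed policy values: a cheap firewall-level header rule and an application-level HTTP check are run in sequence (criterion 2), each decision is timed against a constructed 20 ms budget (criterion 1), and a suspected attack whose decision overran the budget is downgraded to an analyst alert rather than held in the data path, so the system separates attack events from normal events (criterion 3) without adding unacceptable latency.

```python
import re
import time
from dataclasses import dataclass

# Constructed from criterion (1): blocking decisions in tens of milliseconds.
LATENCY_BUDGET_MS = 20.0
# Constructed policy for criterion (2), firewall-processing level: no telnet.
BLOCKED_PORTS = {23}
# Constructed policy for criterion (2), application level: "..", as a path
# segment, in the request target of an HTTP request.
TRAVERSAL = re.compile(rb"(^|/)\.\.(/|$)")


@dataclass
class Event:
    src: str
    dst_port: int
    payload: bytes


def firewall_level_check(ev: Event) -> bool:
    """Header-only rule, cheap enough to run on every packet."""
    return ev.dst_port in BLOCKED_PORTS


def application_level_check(ev: Event) -> bool:
    """Parses the HTTP request line; only runs for web traffic."""
    if ev.dst_port != 80:
        return False
    request_line = ev.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return len(parts) >= 2 and TRAVERSAL.search(parts[1]) is not None


def classify(ev: Event, clock=time.perf_counter) -> tuple:
    """Return (verdict, within_budget); verdict is 'block', 'pass' or 'alert'.

    'alert' models fail-open behaviour: the event looked like an attack, but
    the decision overran the latency budget, so the traffic is forwarded and
    flagged for an analyst instead of being held in the data path.  The clock
    is injectable so the over-budget path can be exercised deterministically.
    """
    start = clock()
    is_attack = firewall_level_check(ev) or application_level_check(ev)
    elapsed_ms = (clock() - start) * 1000.0
    within_budget = elapsed_ms <= LATENCY_BUDGET_MS
    if not is_attack:
        return "pass", within_budget
    return ("block" if within_budget else "alert"), within_budget
```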
As intrusion-prevention systems continue to evolve, their capabilities will also improve. They will be better able to identify, and therefore block, significantly more crack attacks than today’s intrusion-prevention systems can. Because firewalls are not 100% effective, trained analysts will continue to have to flag and more thoroughly investigate suspicious traffic activity.
Pescatore, J. Enterprise Security Moves Toward Intrusion Prevention. [Online, September 25, 2003.] CXO Media, Inc. Website. http://www.csoonline.com/analyst/report1771.html.