Intrusion Prevention and Active Response

Intrusion Prevention and Active Response by Rash; Orebaugh; Clark, 9781932266474
  • ISBN: 9781932266474 | 193226647X
  • Cover: Paperback
  • Copyright: 4/12/2005

From the Foreword by Stephen Northcutt, Director of Training and Certification, The SANS Institute:

Within a year of the infamous "Intrusion Detection is Dead" report by Gartner, we started seeing Intrusion Prevention System (IPS) products that actually worked in the real world. Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially Intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone or CrossTec. Both managers and security technologists face a pressing need to get up to speed, and fast, on the commercial and open source intrusion prevention solutions.

This is the first book-length work that specifically concentrates on the concept, implementation, and implications of intrusion prevention and active response. The term IPS has been thrown around with reckless abandon by the security community. Here, the author team works to establish a common understanding and terminology, as well as compare the approaches to intrusion prevention.

  • Transition from Intrusion Detection to Intrusion Prevention: Unlike IDS, IPS can modify application-layer data or perform system call interception.
  • Develop an Effective Packet Inspection Toolbox: Use products such as the Metasploit Framework as a source of test attacks.
  • Travel Inside the SANS Internet Storm Center: Review packet captures of actual attacks, like the "Witty" worm, directly from the handler's diary.
  • Protect Against False Positives: Remember that, unlike an IDS, an IPS will REACT to an intrusion.
  • Integrate Multiple Layers of IPS: Create a multivendor defense at the DataLink, Network, Transport, and Application layers.
  • Deploy Host Attack Prevention Mechanisms: Includes stack hardening, system call interception, and application shimming.
  • Implement Inline Packet Payload Alteration: Use Snort Inline