www.SecureSynergy.com SecureSynergy - The Information Assurance company. SecureSynergy is a technology consulting company in the secure infrastructure space.
   Wednesday, 8 October 2008
              
How to Select Best-of-Breed Intrusion Prevention System
 

System protection and network protection solutions are an important piece of a comprehensive security solution. Attackers are inventive and have produced hundreds of attacks that exploit known vulnerabilities in machines and applications; many of these exploits are so common that they are referred to as well-known attacks. Network perimeters are becoming increasingly porous, so interaction between internal and external systems takes place over multiple communications paths, many of which bypass the classic firewall route. With the proliferation of sophisticated attacks and the steady discovery of new vulnerabilities, new methods are needed to protect data and network resources, with enhanced security at multiple levels and at multiple points of corporate systems.

Traditionally, firewalls and anti-virus programs are used to block attacks, and intrusion detection systems (IDSs) identify attacks as they occur. These techniques are crucial to network security, but each has limitations. An IDS relies on a database of signatures that are matched against well-known attacks; a capable attacker knows this and evades the IDS by crafting variants that no longer match the signature strings (re-encoding a payload, fragmenting it, or changing its case), or by exploiting new vulnerabilities for which no signature exists. A firewall can stop attacks by blocking certain port numbers, but it does little to analyze the traffic on ports it allows. An IDS can monitor and analyze the traffic that passes through open ports, but it does not prevent attacks.

No security solution is complete unless it can actually stop attacks, and accurate detection is the foundation on which real-time intrusion prevention is built. Selecting a best-of-breed intrusion prevention system is a critical security decision; the attributes below are the ones essential for ensuring that your security delivers peace of mind.

 

Accuracy, accuracy and more accuracy
Accuracy is at the heart of an IPS solution because it reduces both false alarms and the chance of missing real attacks. For an in-line sensor the cost of a false positive is higher than for an IDS: a misfired signature does not merely raise a spurious alert, it drops legitimate traffic. Poor accuracy will quickly corrode network security and the operators' trust in the system.

 

Prevention, not just detection
Prevention is accomplished through the combination of the following IPS requirements:

:: Operate in-line. To detect and block attacks in real time, an in-line IPS places the sensor in the path of the traffic so that it processes every packet. A passive-monitoring IDS can attempt to block only TCP-based attacks, by forging TCP resets after the offending packets have already been delivered; only an in-line IPS can block IP-, ICMP-, TCP-, and UDP-based malicious traffic. To operate in-line, the IPS must support the appropriate type and number of interfaces and must be compatible with the Layer 1-4 devices around it, such as repeaters, switches, routers, load balancers, and firewalls.

:: Maintain reliability and availability. Uptime is essential for an in-line IPS, because a failed sensor either takes the link down with it or, if it fails open, silently stops blocking. Reliable sensors require a purpose-built appliance platform so that the IPS can be trusted to block malicious traffic.

:: Deliver high performance. An IPS must have the processing power to handle the demands of in-line detection and prevention, and must keep the packet-processing latency it adds under a millisecond.

:: Enable policy granularity. An IPS must allow policy granularity in deciding which malicious traffic gets blocked. The user must be able to configure blocking by attack and by policy, because an in-line block applied to a false positive is a self-inflicted denial of service.

 

Broad attack coverage
No single technique or technology is the magic bullet that guarantees protection against current or future attacks. An IPS must provide broad coverage against known, unknown (first-strike), and DoS attacks using signature detection, anomaly detection, and DoS detection. Uniting the three methods in one IPS sensor allows attack detection to be correlated across the methods and increases accuracy: a variant that slips past a signature may still trip an anomaly check, and a traffic-rate anomaly on its own may be a DoS attack.

IPS should also include detection and prevention of the following threats:

 
:: Reconnaissance (Layers 3-7)
:: Exploits
:: Unknown exploits
:: DoS attacks
:: Policy violations
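The three detection methods and their correlation, as an added Python example that is not part of the original page or of any vendor product. The signatures, the host port baseline, the rate threshold and the packet stream are all constructed for illustration; the percent-decoding step stands in for the protocol normalization a real sensor performs before signature matching, and the anomaly detector is the simplest possible profile (expected service ports per host) rather than a statistical model:

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    payload: bytes


# Signature detection: byte patterns for well-known attacks (constructed, illustrative).
SIGNATURES = {
    "HTTP directory traversal": re.compile(rb"\.\./\.\./"),
    "shell interpreter in URI": re.compile(rb"/bin/sh"),
}

# Anomaly detection: constructed baseline of the ports each protected host serves.
BASELINE_PORTS = {"192.168.1.10": {80, 443}}

# DoS detection: constructed threshold, packets from one source per one-second bucket.
DOS_THRESHOLD = 50


def normalize(payload: bytes) -> bytes:
    """Decode %XX escapes so an encoded variant of a known attack still matches."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), payload)


def signature_hits(pkt: Packet) -> list:
    data = normalize(pkt.payload)
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def anomaly_hits(pkt: Packet) -> list:
    allowed = BASELINE_PORTS.get(pkt.dst)
    if allowed is not None and pkt.dport not in allowed:
        return ["unexpected service port %d on %s" % (pkt.dport, pkt.dst)]
    return []


def dos_sources(pkts) -> set:
    """Sources that exceed DOS_THRESHOLD packets in any one-second bucket."""
    buckets = defaultdict(int)
    for p in pkts:
        buckets[(p.src, int(p.ts))] += 1
    return {src for (src, _), n in buckets.items() if n > DOS_THRESHOLD}


def analyze(pkts) -> dict:
    """Run all three detectors and correlate the findings per source address."""
    findings = defaultdict(set)
    for p in pkts:
        for s in signature_hits(p):
            findings[p.src].add(("signature", s))
        for a in anomaly_hits(p):
            findings[p.src].add(("anomaly", a))
    for src in dos_sources(pkts):
        findings[src].add(("dos", "packet rate above threshold"))
    return {src: sorted(f) for src, f in findings.items()}


def sample_stream() -> list:
    """Constructed traffic: a normal request, a known attack, its encoded variant,
    an unknown probe on an unserved port, and a UDP flood."""
    pkts = [
        Packet(0.1, "10.0.0.5", "192.168.1.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet(0.2, "10.0.0.7", "192.168.1.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet(0.3, "10.0.0.8", "192.168.1.10", "tcp", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"),
        Packet(0.4, "10.0.0.9", "192.168.1.10", "tcp", 23, b"\x90" * 64),
    ]
    pkts += [Packet(1.0 + i / 200, "10.0.0.66", "192.168.1.10", "udp", 53, b"\x00" * 32)
             for i in range(200)]
    return pkts


if __name__ == "__main__":
    for src, found in analyze(sample_stream()).items():
        print(src, found)
```

Without the normalization step the percent-encoded request from 10.0.0.8 would produce no signature hit at all, which is exactly the evasion the text warns about; the probe from 10.0.0.9 matches no signature and is caught only by the port baseline, and the flood source shows up under both the rate and the anomaly detectors, which is the cross-method correlation the paragraph asks for.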
 

Analyze all relevant traffic
IPS must have the capability to use a broad range of data capture modes to ensure that all relevant traffic is accessible for detection and prevention. To this end, IPS must support a wide variety of deployments, work within different topologies, and deal with switched and encrypted traffic. It must monitor hubs or mirror (SPAN) ports of switches, passively tap into full-duplex Ethernet links, intercept and examine traffic in-line, and work with 802.1Q VLAN Ethernet networks.
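What "work with 802.1Q VLAN Ethernet networks" means at the packet-parsing level, as an added Python example that is not SecureSynergy's code: a frame parser that walks the VLAN tag stack (single 0x8100 tags and 0x88A8/0x8100 stacked tags) before locating the IP header, beside a naive parser that assumes the IP header always starts at byte 14. The frames are constructed inline; IP and TCP checksums are left as zero because the example does not validate them:

```python
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag
ETH_P_8021AD = 0x88A8  # service-provider (QinQ) outer tag
ETH_P_IP = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return VLAN IDs (outer to inner), the inner EtherType and, for IPv4, the
    addresses, protocol and the offset of the Layer 4 header."""
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlans = 14, []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        off += 4
    info = {"vlans": vlans, "ethertype": ethertype, "ip": None, "payload_off": off}
    if ethertype == ETH_P_IP:
        if len(frame) < off + 20:
            raise ValueError("truncated IPv4 header")
        ihl = (frame[off] & 0x0F) * 4
        info["ip"] = {
            "src": ".".join(str(b) for b in frame[off + 12:off + 16]),
            "dst": ".".join(str(b) for b in frame[off + 16:off + 20]),
            "proto": frame[off + 9],
            "l4_off": off + ihl,
        }
    return info


def naive_src(frame: bytes) -> str:
    """A parser that assumes the IP header starts at byte 14 (wrong on tagged frames)."""
    return ".".join(str(b) for b in frame[26:30])


# Constructed test frames: 10.0.0.5 -> 192.168.1.10, TCP SYN to port 80.
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")


def ipv4_tcp_payload() -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


def untagged_frame() -> bytes:
    return ETH_HDR + struct.pack("!H", ETH_P_IP) + ipv4_tcp_payload()


def tagged_frame(vid: int, pcp: int = 0) -> bytes:
    tci = (pcp << 13) | vid
    return ETH_HDR + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + ipv4_tcp_payload()


def stacked_frame(outer_vid: int, inner_vid: int) -> bytes:
    return (ETH_HDR + struct.pack("!HH", ETH_P_8021AD, outer_vid)
            + struct.pack("!HH", ETH_P_8021Q, inner_vid)
            + struct.pack("!H", ETH_P_IP) + ipv4_tcp_payload())


if __name__ == "__main__":
    for name, f in (("untagged", untagged_frame()), ("vlan 100", tagged_frame(100)),
                    ("qinq 200/100", stacked_frame(200, 100))):
        print(name, parse_frame(f), "naive src:", naive_src(f))
```

On the tagged frame the naive parser reports the source address as 64.6.0.0, because bytes 26-29 are now the TTL, protocol and checksum fields of the shifted IP header; a sensor that makes that mistake on a trunk port will match signatures against the wrong offsets for every tagged frame.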

 

Highly granular detection and response
IPS must support highly granular detection and response capabilities, whereby specific attacks on a specific host can be detected and a specific response can be enacted. The granularity is a prerequisite to security policy enforcement and control. The lack of such granularity has led some enterprises to erroneously make automated policy enforcement decisions that resulted in disastrous DoS conditions for their partners and employees. Highly granular detection and response includes the capability to apply a unique detection and response policy to a single host, subnet, functional unit, or geographical unit.

 

Flexible policy management
IPS must allow for maximum policy flexibility and granularity to ensure complete and accurate detection and prevention. A single policy does not work and scale for today's enterprise networks. Granular policy management allows you to segment your traffic into logical groupings and then detect specific attacks and spell out specific responses for these logical groups.

A policy must be customizable to each network and should not rely on only a single policy per sensor. Finally, the policy must have rich attributes that the user should be able to configure and must be based on intuitive rules.
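The in-line versus passive distinction from the prevention requirements above, together with the per-host and per-subnet policy granularity just described, as one added Python example that is not SecureSynergy's or any vendor's code. The subnet policy, the attack classes and the alerts are constructed for illustration; the only assumption about the sensor is the one the text states, that a passive sensor can answer only with a TCP reset:

```python
import ipaddress

# Constructed response policy: the most specific matching subnet wins; "*" is the
# default action for attack classes an entry does not list. An entry without "*"
# falls through to the next less specific subnet for classes it does not mention.
POLICY = {
    "0.0.0.0/0":       {"*": "alert"},                                   # enterprise default
    "192.168.1.0/24":  {"*": "alert", "Exploit": "block"},               # DMZ: block exploits only
    "192.168.1.10/32": {"*": "block"},                                   # crown-jewel host
    "10.20.0.0/16":    {"Reconnaissance": "alert", "Exploit": "alert"},  # partner link: never auto-block
}

_NETS = sorted(((ipaddress.ip_network(n), rules) for n, rules in POLICY.items()),
               key=lambda t: t[0].prefixlen, reverse=True)


def policy_action(dst: str, attack_class: str) -> str:
    """Look up the configured action ('block' or 'alert') for an attack class against dst."""
    addr = ipaddress.ip_address(dst)
    for net, rules in _NETS:
        if addr in net:
            if attack_class in rules:
                return rules[attack_class]
            if "*" in rules:
                return rules["*"]
    return "alert"


def respond(alert: dict, mode: str) -> str:
    """alert has src, dst, proto and attack_class; mode is 'inline' or 'passive'."""
    if policy_action(alert["dst"], alert["attack_class"]) != "block":
        return "alert"
    if mode == "inline":
        return "drop"   # sensor is in the path: the packet never reaches the target
    # Passive sensor on a SPAN port or tap: the packet has already been delivered.
    # All it can do is forge a TCP RST to both ends; UDP, ICMP and raw IP have no reset.
    if alert["proto"] == "tcp":
        return "tcp-reset"
    return "alert (cannot block %s passively)" % alert["proto"]


def sample_alerts() -> list:
    """Constructed detections as they would arrive from the detection engine."""
    return [
        {"src": "1.2.3.4", "dst": "192.168.1.20", "proto": "tcp", "attack_class": "Exploit"},
        {"src": "1.2.3.4", "dst": "192.168.1.20", "proto": "udp", "attack_class": "Exploit"},
        {"src": "1.2.3.4", "dst": "192.168.1.20", "proto": "tcp", "attack_class": "Reconnaissance"},
        {"src": "1.2.3.4", "dst": "192.168.1.10", "proto": "icmp", "attack_class": "Reconnaissance"},
        {"src": "1.2.3.4", "dst": "10.20.5.5", "proto": "tcp", "attack_class": "Exploit"},
        {"src": "1.2.3.4", "dst": "10.20.5.5", "proto": "udp", "attack_class": "DoS"},
    ]


def decide_all(mode: str) -> list:
    return [(a["dst"], a["attack_class"], a["proto"], respond(a, mode)) for a in sample_alerts()]


if __name__ == "__main__":
    for mode in ("inline", "passive"):
        print(mode)
        for row in decide_all(mode):
            print("  ", row)
```

The partner subnet entry is the point the text makes about disastrous automated enforcement: an exploit aimed across the partner link is reported rather than blocked, so a false positive there cannot cut off the partner, while the same signature against the DMZ host is dropped in-line. Running the same alerts in passive mode shows the limitation from the in-line requirement: the UDP and ICMP cases can only be alerted on.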

 

Scalable threat management
IPS must scale and be responsive under heavy loads to support an increasing number of sensors, monitored traffic, and alert processing rates. A scalable management system reduces the burden of managing a large number of sensors by using automated, user-policy-driven signature updates and delegating management resources to appropriate users using role-based access control.

IPS management should allow secure Web-based management of an IPS system deployed throughout the enterprise network. The management system must provide a comprehensive platform for IPS configuration, policy management, and threat and response management functions. Security professionals should be able to perform these tasks remotely to eliminate the need for physical access to the management system or sensors.

 

Sophisticated forensics and reporting
Powerful forensic management based on data fusion provides the infrastructure needed to support incident analysis and management, and must be an essential element of any IPS. Forensic management provides the intelligence to inspect incidents and to distil them into summary alerts for effective follow-up, whether that is system hardening or criminal prosecution. To collect complete forensic information surrounding a security event, a next-generation IPS should capture and log packets before, during, and after an attack. It must be able to roll all related alerts into one larger, meaningful incident (alert aggregation) and to link alerts and events over time (alert correlation). An IPS must also support extensive, user-customizable reporting.
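Alert aggregation and alert correlation as named above, as an added Python example that is not SecureSynergy's code: identical alerts arriving within an aggregation window collapse into one record with a count, and a source's records are then linked across attack stages (reconnaissance followed by an exploit) into one incident. The raw alerts, the stage order and both windows are constructed for illustration:

```python
from collections import defaultdict

AGG_WINDOW = 60.0     # seconds: repeats of the same alert this close together are one record
STAGES = ["Reconnaissance", "Exploit", "Policy violation"]   # expected attack progression
CHAIN_WINDOW = 600.0  # seconds: how long a source's stages may be spread across


def aggregate(alerts: list) -> list:
    """Collapse repeats of (src, dst, sig) within AGG_WINDOW into one record with a count."""
    out, last = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["src"], a["dst"], a["sig"])
        rec = last.get(key)
        if rec is not None and a["ts"] - rec["last"] <= AGG_WINDOW:
            rec["count"] += 1
            rec["last"] = a["ts"]
        else:
            rec = {"src": a["src"], "dst": a["dst"], "sig": a["sig"], "cls": a["cls"],
                   "first": a["ts"], "last": a["ts"], "count": 1}
            out.append(rec)
            last[key] = rec
    return out


def _incident(src: str, chain: list) -> dict:
    return {"src": src,
            "stages": list(dict.fromkeys(r["cls"] for r in chain)),
            "alerts": chain,
            "count": sum(r["count"] for r in chain),
            "first": chain[0]["first"], "last": chain[-1]["last"]}


def correlate(aggregated: list) -> list:
    """Link each source's records into incidents: consecutive records whose stage does
    not go backwards and that start within CHAIN_WINDOW of the first form one incident."""
    by_src = defaultdict(list)
    for r in aggregated:
        by_src[r["src"]].append(r)
    incidents = []
    for src, recs in by_src.items():
        chain = []
        for r in sorted(recs, key=lambda r: r["first"]):
            if r["cls"] not in STAGES:          # unstaged class: stands on its own
                incidents.append(_incident(src, [r]))
                continue
            if chain and STAGES.index(r["cls"]) >= STAGES.index(chain[-1]["cls"]) \
                    and r["first"] - chain[0]["first"] <= CHAIN_WINDOW:
                chain.append(r)
            else:
                if chain:
                    incidents.append(_incident(src, chain))
                chain = [r]
        if chain:
            incidents.append(_incident(src, chain))
    return incidents


def sample_alerts() -> list:
    """Constructed raw alerts: ts in seconds, src, dst, signature name, attack class."""
    def mk(ts, src, dst, sig, cls):
        return {"ts": ts, "src": src, "dst": dst, "sig": sig, "cls": cls}
    alerts = [mk(t, "10.0.0.7", "192.168.1.10", "TCP SYN scan", "Reconnaissance")
              for t in (0, 5, 10, 15, 20)]
    alerts.append(mk(120, "10.0.0.7", "192.168.1.10", "HTTP directory traversal", "Exploit"))
    alerts += [mk(t, "10.0.0.5", "192.168.1.10", "unexpected service port", "Anomaly")
               for t in (0, 10, 20)]
    alerts.append(mk(1000, "10.0.0.9", "192.168.1.20", "HTTP directory traversal", "Exploit"))
    alerts.append(mk(5000, "10.0.0.9", "192.168.1.20", "HTTP directory traversal", "Exploit"))
    return alerts


if __name__ == "__main__":
    for inc in correlate(aggregate(sample_alerts())):
        print(inc["src"], inc["stages"], "alerts:", inc["count"])
```

Eleven raw alerts become five aggregated records and four incidents; the one worth an analyst's attention, the scan from 10.0.0.7 followed two minutes later by an exploit against the same host, is reported once with both stages attached rather than as six separate lines in a console.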

 

Maximum sensor uptime
Reliable sensors are necessary to ensure real-time detection and prevention. Uptime should match that of other security and networking devices, such as firewalls, switches, and routers. Software sensors running on general-purpose computers, however, lack the reliability of a purpose-built appliance, and a computer-based IPS carries the added burden of hardening the operating system and keeping it patched against newly discovered security flaws. An IPS should be built on a reliable, hardened, appliance-based sensor architecture managed by a centralized management system.

 

Wire-speed performance
To meet the computational demands of multi-gigabit in-line intrusion prevention, sensors must rely on high-performance processors to meet packet-processing rates and per-packet latency requirements. As a necessary condition for complete detection coverage, the sensor must be able to see all of the traffic on its monitoring ports under the most stringent bursty conditions; a sensor that drops packets under load has, for those packets, no coverage at all.

 
 
 
 
 
 
        © Copyright 2002-2008 SecureSynergy Private Limited   Copyright | Disclaimer | Privacy