Network Intrusion Detection and Prevention?

c0dyd asks: "Lately, computer attacks have gained much popularity in the news; however, it is not often that we hear of new software, hardware or 'appliances' that combat malicious code attacks and data intrusions. Obviously, the need is present. I've searched thoroughly for network intrusion detection and prevention systems, but the choices and technologies seem somewhat limited or proprietary-- Snort appears an obvious open source solution for intrusion detection but many users many find it lacking in intrusion prevention capabilities. What do you, the experienced network admin, use for detecting intrusions on the network and how does your network react to those intrusions?"

intrusion prevention

[uqbar]

Real prevention is a double edged sword. To really prevent an attack, your device needs to sit in line - or it reacts too late. As such you introduce latency, and the more sophisticated you get, the more the time spent on analysis before the traffic is allowed through. NIDS and HIDS analyse after the fact, so they have the luxury of time since they aren't in line with your traffic. If you have good event correlation, you can raise alerts to appropriate support personnel. But all these don't directly prevent attacks - they just let you know to respond to an attack.

Companies like Tipping Point have devices that claim to do intrusion prevention with low latency - I'd test that claim before purchase, but the demo I saw seemed to indicate it was worth checking out.