In this lesson, I'll talk about Intrusion Prevention Systems. Intrusion Prevention Systems are almost like intrusion detection, except, well, they're preventing something from happening rather than just detecting it. So, by the end of the lesson, I want you to understand, and be able to tell me, what Intrusion Prevention Systems do, and to be able to categorize the systems based on what they do, such as network-based, host-based and physically-based systems.

So, what is intrusion prevention? It's just like intrusion detection, with a little tweak. The definition is: detecting actions and events that attempt to compromise the confidentiality, integrity and availability of assets and resources, and then taking action based on those signatures. This can be network-based, host-based or physically-based, just like Intrusion Detection Systems. In the previous lesson, I said they're always watching. Well, now they're always watching and protecting you as well.

So, Intrusion Prevention Systems are designed to monitor, alert and be the gatekeeper for systems. They are active. They understand what to look out for. They have signatures to look at everything that is passing through the system. They are typically signature-based, but they can also use heuristics to detect something that might be malicious. They must be real-time and inline, whereas before, with intrusion detection, they could be out-of-band. In order to prevent something from happening, they have to be in the way, just like somebody standing in your way. Can you go right through them? No. You have to go around them to bypass them. With an Intrusion Prevention System, there's no way around it: you have to go through it, because it's trying to prevent you from doing something. Now, this can be trickier, because we have the traffic flow going right through that Intrusion Prevention System. Now, if the system fails, the traffic stops flowing.

This is one of the downsides of Intrusion Prevention Systems. Now, while they may fail open, meaning that they'll allow anything through, a lot of Intrusion Prevention Systems actually stop the flow of traffic, because the traffic is meant to go right through that appliance or hardware.

Network-based Intrusion Prevention Systems can be hardware or software. However, in larger networks, we're going to see this more in hardware: they're dedicated appliances. They can be built into bastion hosts as application-level Intrusion Prevention Systems, or into multi-layer firewalls as well. Organizations that have intrusion prevention often have large networks, whereas our Intrusion Detection Systems may be just software, because we don't have the resources to manage a large dedicated device. Prevention must be inline to be the most effective. Now, there are other ways to do intrusion prevention, which Snort can actually do in an intrusion detection sense by sending TCP resets out-of-band. However, this is not done commonly, because of the passing of information between systems. Mostly, they are going to be performed by hardware Intrusion Prevention Systems. Now, we have our firewall and Intrusion Prevention System as one of the gatekeepers in our network. It is a border firewall, and it has 10 gig of traffic going through it. But it's pretty costly as well.

Now, Host-based Intrusion Prevention Systems, or HIPS, are designed to look at, again, the entirety of a system, just like Intrusion Detection Systems. They also monitor different aspects of a system, just like intrusion detection. It lives as an application, but the software can monitor every aspect of the system and stop activity if it realizes that it's under attack. It can look at the threats. Now, software can also be sandboxed, or virtualized, so as not to infect the host system.

We see this in quite a few browsers as of late. Google Chrome is a good example, where they sandbox the browser, and some of the other software applications out there sandbox the application and anything running through it, so it doesn't affect your main operating system.

Physically-based Intrusion Detection Systems, or rather Intrusion Prevention Systems, are really not like detection systems. They are anything that stops someone from doing harm. An electric fence is a good example of an Intrusion Prevention System. It's probably not practical for everybody to surround their entire data center with an electric fence, but there are other ways to do it as well. Doors, gates, anything that is not just raising an alarm but actually preventing somebody from breaking in and doing harm, is a Physically-based Intrusion Prevention System.
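The inline-versus-out-of-band distinction from the lesson, the fail-open versus fail-closed behavior of an inline appliance, and the Snort-style out-of-band TCP reset, modeled as a small simulation. This is an added example, not code from the lesson or from Snort; the packets, signature strings and rate threshold are constructed.

```python
# Toy model of inline IPS vs out-of-band IDS placement (constructed example, not Snort).
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # constructed source address
    payload: bytes  # constructed application data

# Constructed signatures: byte patterns a signature-based engine matches on.
SIGNATURES = {b"/etc/passwd": "path traversal", b"' OR 1=1": "sql injection"}
HEURISTIC_RATE_LIMIT = 3  # constructed: packets per source before a heuristic alert fires

class Engine:
    """Signature matching first, then a simple per-source rate heuristic."""
    def __init__(self):
        self.counts = {}

    def inspect(self, pkt):
        """Return an alert label if the packet looks malicious, else None."""
        for sig, name in SIGNATURES.items():
            if sig in pkt.payload:
                return f"signature:{name}"
        self.counts[pkt.src] = self.counts.get(pkt.src, 0) + 1
        if self.counts[pkt.src] > HEURISTIC_RATE_LIMIT:
            return "heuristic:rate"
        return None

def inline_ips(packets, engine, engine_up=True, fail_open=False):
    """Inline placement: every packet must pass the engine. Returns (delivered, alerts)."""
    if not engine_up:
        # Failure policy decides: fail-closed stops all traffic, fail-open passes it all.
        return (list(packets) if fail_open else []), ["engine down"]
    delivered, alerts = [], []
    for pkt in packets:
        verdict = engine.inspect(pkt)
        if verdict:
            alerts.append(verdict)  # dropped: the packet never reaches the host
        else:
            delivered.append(pkt)
    return delivered, alerts

def passive_ids(packets, engine, send_resets=False):
    """Out-of-band placement: engine sees a copy; the originals are always delivered."""
    alerts, resets = [], []
    for pkt in packets:
        verdict = engine.inspect(pkt)
        if verdict:
            alerts.append(verdict)
            if send_resets:
                resets.append(pkt.src)  # best-effort TCP RST sent after delivery
    return list(packets), alerts, resets
```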