Beefing up Security with Intrusion Prevention Systems
What’s more, HIP systems truly are the last line of defense. "They only function when things have gotten seriously out of hand," says Martin Roesch, founder and CTO of security services provider SourceFire. "Every car should have airbags, but wouldn’t it be nicer to avoid the accident in the first place?" Still, for providing an additional layer of security on critical hosts, HIP is a compelling option.
Network-Based Protection
In general, network systems sit "in line," intercepting network traffic, scanning it for suspicious activity, and either blocking it or passing it along. Such systems use a range of techniques, from IDS-like signature scanning (looking for telltale strings of bytes) to protocol anomaly detection (figuring out when a packet of data is trying something not ordinarily permitted by its data transmission protocol).
Some network intrusion prevention systems take more devious approaches to network protection. ForeScout’s ActiveScout, for instance, responds to suspicious activity (such as port scanning) by sending a specially coded, "tagged" response. If the attacker then tries to act on the tagged information, ActiveScout immediately recognizes that an attempted attack is in progress and can shut off the connection before any damage occurs.
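To make the tagged-response idea concrete, here is a small Python model of an in-line responder, added as an illustration; it is not ForeScout's code, and the open ports, decoy banner format and addresses are constructed for the example.

```python
"""Constructed model of 'tagged response' intrusion prevention."""
import secrets

OPEN_PORTS = {80, 443}  # assumed real services on the protected host


class TaggedResponder:
    def __init__(self):
        self.tags = {}        # decoy token -> source it was handed to
        self.blocked = set()  # sources caught acting on a decoy

    def handle(self, src, dst_port, payload=b""):
        """Decide one inbound packet: returns (action, response_bytes_or_None)."""
        if src in self.blocked:
            return "drop", None  # already identified: discard silently
        # A payload carrying a token we issued is information only a
        # scanner could have learned, so the sender is acting on the probe.
        for tag in self.tags:
            if tag in payload:
                self.blocked.add(src)
                return "block", None
        if dst_port in OPEN_PORTS:
            return "pass", None  # legitimate service, forward unchanged
        # Probe of a closed port: answer with a decoy banner that carries
        # a per-probe marker instead of a plain RST.
        tag = secrets.token_hex(8).encode()
        self.tags[tag] = src
        return "decoy", b"220 fileshare-" + tag + b" ready"


def simulate():
    """Replay a constructed traffic sequence and return the actions taken."""
    ips = TaggedResponder()
    actions = []
    # 1. normal client reaches the web server
    actions.append(ips.handle("10.0.0.5", 80, b"GET / HTTP/1.0")[0])
    # 2. scanner probes a closed port and gets the tagged decoy banner
    action, banner = ips.handle("198.51.100.7", 2121)
    actions.append(action)
    # 3. scanner returns and tries to use the "service" named in the banner
    actions.append(ips.handle("198.51.100.7", 2121, b"USER " + banner.split()[1])[0])
    # 4. from now on everything from that source is dropped, even to real ports
    actions.append(ips.handle("198.51.100.7", 80, b"GET / HTTP/1.0")[0])
    # 5. the normal client is unaffected
    actions.append(ips.handle("10.0.0.5", 443)[0])
    return actions
```

Because the token is unique per probe, a legitimate client that never saw the decoy can never trip the block, which is what keeps this approach's false-positive rate low compared with plain signature matching.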
Network-based intrusion prevention can be useful in situations where host-based protection is impractical and firewalls aren’t effective—for instance, against attacks that originate within your own network. University of Dayton Associate Provost and CIO Thomas Danford, like many higher education IT executives, has to deal with students bringing worms and viruses onto the internal network regularly. "Before you know it, we’ve got worms slamming around all over the place," says Danford, who calculates that the university receives 3,200 attacks on an average day. The solution: TippingPoint’s UnityOne IPS, which Danford installed behind the firewall to shut down suspicious traffic. When the Slammer worm hit in January, says Danford, "we didn’t experience any problems at all."
Many IT managers, however, are reluctant to trust network-based intrusion prevention, in part because of the risk of service interruption. If your IDS misidentifies legitimate traffic, the false alarm is merely annoying; but an IPS that shuts down a customer connection by mistake could hurt your bottom line. "When people need to get to your system to trade, a couple of seconds of downtime could get you a seriously irate customer," says a chief security officer at a financial services company who declined to be named. "For automated blocking, we think [intrusion prevention] systems are not mature enough to rely on yet."