The Next Step: Intrusion Prevention Systems

Intrusion prevention systems (IPS) were developed to alleviate this. IPS technology takes IDS one step further: it not only lets you know when there is an attack, but also attempts to redirect the attack away from vital network assets. Although firewalls, IDS, IPS and even anti-virus tools perform an important security function on the network, they require an incident to occur before they jump into action. Look at them as the firefighters of network security - when the fire starts, you'll definitely want to have them around.

However, by taking a reactive approach only, it is very easy to become overwhelmed. Take the Great Chicago Fire of 1871: most of the city burned down because firefighters simply could not handle the magnitude of the fire. In much the same way, if you use only reactive technologies, you run the risk of not being able to respond fast enough, or comprehensively enough, to all the threats to your network.

Prevention is the Key

With the evolution of network security, new approaches have emerged which focus on prevention. Much like the proven model of fire safety, being proactive is the key. Vulnerability management (VM) and vulnerability assessment (VA) are focused on providing organizations with the intelligence required to stop attacks before they even start. While VA technology identifies threats by scanning the network, VM takes this one step further by also managing the process of eliminating those threats. The approach used in VA and VM technology is particularly effective because the majority of attacks are preventable. In fact, the CERT® Coordination Center (CERT/CC) reports that 99 percent of attacks target vulnerabilities for which there are known countermeasures. VA and VM technologies automate the discovery and elimination of these vulnerabilities - effectively reducing the risk of a successful attack by 90 percent or more.

The primary benefit of these proactive technologies is that they enable your organization to mitigate risks to network security in a controlled and measured way. Much like fire inspections, where investments are made upfront to ensure buildings are up to code, proactive security technologies such as vulnerability management enable you to identify your risks and predictably eliminate them. There is a clear financial benefit from this approach - proactive security is predictable and easily budgeted for, whereas reactive approaches alone leave you open to major and unpleasant surprises.

One of the biggest challenges with VA and VM, as well as with the other security solutions discussed earlier, is that most products are standalone. This means that while you may have all the right technology, it can be difficult to fully understand the big picture. The good news is that the network security industry is moving towards making the concept of an integrated and intelligent security architecture a reality. Already, we are seeing VM systems being used to correlate data from other systems, extending the intelligence of IDS, IPS and firewall offerings.