Get Your Shields Up!

As viruses, worms, and hackers continue to plague business-technology systems, companies are turning to new technologies to avert attacks.

George V. Hulme, Contributor

October 8, 2004


The company still uses its antivirus software to block bugs already discovered. But the Cisco Security Agent is "an added layer of defense for us," Swanson says.

Intrusion-prevention systems are not entirely new. About five years ago, startups such as Entercept, Intruvert, Okena, and OneSecure all launched first-generation systems, and larger security vendors quickly acquired these companies.

Now the market is crowded with vendors, such as Check Point Software Technologies, Cisco, Internet Security Systems, Juniper, McAfee, and Symantec, that have already incorporated intrusion-prevention capabilities into their firewalls, antivirus apps, and intrusion-detection systems, or are beginning to do so. There are also a number of smaller startups, including Determina, Platform Logic, Sana Security, and TippingPoint, that provide gear with various types of intrusion-prevention capabilities for PCs and network traffic.

Typically, intrusion-prevention systems can be thought of as running in two modes. In passive mode, they act like conventional intrusion-detection systems and set off alarms when attacks are under way. In prevention mode, however, they can be set to decide which types of traffic and attacks to block. But prevention mode has some security professionals wary because it can create false positives that alert administrators to attacks that aren't really attacks and then automatically block the allegedly bad traffic. That means legitimate traffic could be blocked.

"I've had customers tell me that if 1% of legitimate traffic is blocked that we could come back and pick up our box," says Parveen Jain, executive VP of marketing and strategy at McAfee.

The U.S. Army Reserve Command has McAfee's intrusion-prevention systems installed at key locations, including data centers, Chris Schuler, director of the security operations center, says. Photo by Tova Baruch

The fact that intrusion-prevention systems might block legitimate traffic doesn't faze Chris Schuler, director of the security operations center with the U.S. Army Reserve Command. The command uses intrusion-prevention systems from McAfee to protect its critical networks and servers.

It took about three months for McAfee's Intruvert network intrusion-prevention system to learn the normal behavior of the command's network and more actively block attacks. "When security alerts [are sent out], we know what anomalies they're referring to and we can make better decisions," Schuler says. The U.S. Army Reserve Command has McAfee's intrusion-prevention systems deployed at key locations, including its data centers, he adds.

The Philadelphia Stock Exchange Inc. is using intrusion-prevention software from V-Secure Technologies Inc. as an electronic watchdog to keep its growing number of Web applications safe. "It's the first thing Web-site visitors encounter," says Bill Morgan, CIO at the stock exchange. "It helps to make sure there are no unauthorized accesses, that nothing out of line gets through." The V-100 protects the stock exchange's systems from denial-of-service attacks and IP-spoofing attacks. It also can block attacking Internet addresses and enforce rules that determine which users can access which applications.

For many, intrusion-prevention systems are a necessary tool in the fight against growing threats and attacks, and the technology has proven its mettle. "We've only had one machine get hit since we've bought this," says Daniels Trading's Swanson. "That's because we didn't install it on that system."


About the Author(s)

George V. Hulme

Contributor

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.
