Intrusion-prevention systems can reduce the urgency to patch. "Before, when a patch came out, we had to rush around and get all of these patches in place," UC Berkeley's Chamberlain says. "Now, I can read a Microsoft alert and nine times out of 10, Okena already is blocking it." The university will extend Okena's software to about 100 servers and 100 desktops this year.

Entercept's software has helped make patching more manageable for Bill Stevenson, New Century Mortgage Corp.'s information security officer. He installed Entercept 2.0 about a year ago. "If a new buffer overflow attack comes out, we know we're going to stop it even before we apply patches," Stevenson says.

Intrusion-prevention systems aren't perfected. Getting them to recognize proper and improper behavior can be difficult. Some security experts complain that the software goes into action during completely legitimate operations, such as when applications are changed on production servers, and that limits the software's use on networks. Chad Harrington, Entercept's security-products director, promises the tools will become simpler to manage over the next two years, and eventually "intrusion-prevention applications will require no user interaction."

If intrusion-prevention systems reach that level of sophistication, they'll put information-security pros more at ease when the next big worm attacks, like Stevenson was with Slammer. While many security managers worked around the clock to rid systems of Slammer, he spent the weekend at home with friends. Says Stevenson, "I didn't lose any sleep." -with Martin J. Garvey