Amazon.com just posted my four-star review of Intrusion Prevention and Active Response. From the review:
"Intrusion Prevention and Active Response (IPAAR) is a good book, as long as you confine your expectations to open source solutions. The foreword says 'Security professionals are going to be approaching management for funding in the next year or two to procure intrusion prevention devices, especially intelligent switches from 3Com (TippingPoint), as well as host-based intrusion prevention solutions like Cisco Security Agent, Platform Logic, Ozone, or CrossTec.' This foreword was the first time I had heard of several of these products, but unfortunately none of them receive any coverage at all in IPAAR. Aside from a short discussion of the Enterasys Web IPS, eEye's SecureIIS, and improvements in Microsoft IIS 6.0, IPAAR squarely concentrates on open source products. Nevertheless, the book does a better job covering so-called prevention solutions than the previous book with 'prevention' in the title, e.g., Osborne's Intrusion Detection and Prevention."
Regular blog readers know I consider network-based "intrusion prevention systems" to be layer 7 firewalls. If a network-based device is making an access control decision, it is a firewall. Generically speaking, any device which makes access control decisions is a policy enforcement system (PES?). We simply have a popular name for a PES that operates at the network level -- it's a firewall. Just as network PES enforces policy on packets, a host PES enforces policy on system calls and other operating system activities. I think host PES accurately describes Niels Provos' Systrace, which "enforces system call policies for applications by constraining the application's access to the system." I'm not sure that host PES accurately describes the stack-smashing protector, aka ProPolice.
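To make the "host PES" idea concrete, here is an added, constructed Systrace policy for a hypothetical read-only log viewer. It is not from this post or from the Systrace project; the program path, file paths and the set of permitted calls are assumptions for illustration. Each rule names a native system call, an optional predicate on its arguments, and an action. The `fsread` and `fswrite` names are Systrace's own aliases that group file-system calls by read or write intent, which is what lets a policy constrain "the application's access to the system" rather than just listing syscalls:

```text
Policy: /usr/local/bin/logview, Emulation: native
	native-fsread: filename eq "/var/log/messages" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/local/lib/*" then permit
	native-fsread: filename eq "/etc/malloc.conf" then permit
	native-fswrite: filename eq "/dev/tty" then permit
	native-fswrite: filename match "/var/log/*" then deny[eperm]
	native-connect: deny[eperm]
	native-execve: deny[eperm]
	native-mmap: permit
	native-munmap: permit
	native-break: permit
	native-close: permit
	native-read: permit
	native-write: permit
	native-fstat: permit
	native-ioctl: permit
	native-exit: permit
```

Run under automatic enforcement (`systrace -a`), a system call with no matching rule is denied rather than prompted for, so the policy is an allow-list: the viewer can read one log file and its libraries, write only to the terminal, and gets `EPERM` if it tries to modify logs, open a network connection, or execute another program. That is the same access control decision a firewall makes, applied to system calls instead of packets, which is the sense in which the post calls it a host policy enforcement system.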
I would like nothing better than to completely abolish the term "intrusion prevention system." Isn't every part of the security process trying to prevent intrusions? I think well-written code, or at least applying patches, is the best way to prevent intrusions to systems exposed to hostile users. Does that mean Windows patch management is an intrusion prevention system? Argh.