Research firm Gartner Inc. has defined three criteria for providing a useful network- and host-based intrusion-prevention application: (1) It must not disrupt normal operationsÂ—meaning that when it is put online, an intrusion-prevention system must not place unacceptable or unpredictable latency into a network. A host-based intrusion-prevention system should not consume more than 10% of a systemÂ’s resources so that network traffic and processes on the servers can continue to run. Blocking actions must take place in real time or almost-real time, with latencies placing in the tens of milliseconds rather than in seconds. (2) It must block exploits using more than one algorithmÂ—to operate at the application level as well as at the firewall-processing level. (3) It must have the capability to ascertain Â“attack eventsÂ” from Â“normal events.Â”
As intrusion-prevention systems continue to evolve, their capacities will also improve. They will be better able to identify and therefore block significantly more crack attacks than todayÂ’s intrusion-prevention systems can. Because firewalls are not 100% effective, trained analysts will continue to have to flag and more thoroughly investigate suspicious traffic activity.
See Intrusion Prevention in Computer