Can intrusion prevention systems alone prevent botnet attacks?
Are IPSes the best way to counter botnet attacks? Are there other methods we should use in our enterprise environment to protect against these threats?
Network-based intrusion prevention systems
offer some defenses against botnets
, but they are only one piece of the puzzle. Many modern IPSes have signatures for some popular bots' control traffic, and the systems can alert you when bots are trying to poll for an attacker's commands. Other IPSes go further, blocking the botnet control traffic that they detect. It should be noted, however, that network-based IPSes have signatures only for the most popular bots, but not all of the bots out there, so further defenses are required.
Host-based intrusion prevention systems are another layer of defense. These tools limit the various applications running on your system, blocking their ability to interact with the underlying kernel. Some bots function, however, by installing themselves inside of other legitimate applications, using them to undermine the system and potentially fly below the radar screen of your host-based IPS.
Therefore, in addition to network- and host-based IPSes, you should also make sure you have thoroughly deployed antivirus, antispyware and host-based firewalls. By operating on all of these fronts, you can dramatically lower the threat posed by your environment's bots.
Learn why you shouldn't toss host-based intrusion prevention systems out of your network security strategy just yet.
See which intrusion prevention/detection tools were nominated for Information Security magazine's 2007 Readers' Choice Awards.
This was first published in February 2007