Practically speaking, this is a pretty thin layer of protection, because it has to handle client- and server-side attacks, random file formats and e-mail attachments, encryption, segmentation, custom applications, and arbitrary protocols that your hardware-based protocol analyzers cannot know how to interpret beyond a simple regular-expression-analysis capability. True proactive security means you must block identifiable threats as well as enforce security policy so as to reduce exposure in the first place -- in addition to detecting change that indicates compromise independent of threat detection. A proactive security solution should also be able to defeat a threat emerging from any point on the network, not just pre-identified ingress/egress points. Most IPS companies ignore these points, leading end-users to believe that traditional, stand-alone IPS technology is capable of proactively protecting assets throughout the network, even though they have no context about the systems they are trying to protect. This positioning is not only false; it’s unfair to the end-user.
MWL: To be as polite and as succinct as possible: You are simply misinformed. I would strongly recommend you take a closer look at the state-of-the-art IPS. You’d be surprised to find several significant differences from your perception and reality.
Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede the existence of an exploit and proactively protect against any exploit targeting that vulnerability. You are, however, correct that writing good filters takes extensive research, requires very sophisticated skills and testing, and is an enormous differentiator between the various IPS solutions that exist today.
It’s typical for software-solution vendors to misrepresent a hardware solution as fixed and inflexible. Again, this is misinformation or, in the best case, laziness. Reality is that any hardware design -- for example, a CPU -- consists of hardware building blocks like the arithmetic control unit, the floating point unit, or another component that specializes in accelerating a particular operation. Specialization does not stop it from being programmable or flexible. A common, simplistic, and naïve perspective of IPS implementation would assume that each protocol is hard-coded into the hardware. State-of-the-art systems don’t do that at all. They boil down the problem into building blocks that are much more general and serve to accelerate processing for the specific task at hand.
Beyond vulnerability filters, IPSes use network profiling to characterize a particular network environment to determine what is “normal” behavior in that environment. Deviations from what is normal (without any knowledge of an exploit or vulnerability) can be alerted on, blocked, or throttled. Protection based on deep understanding of baselines and changes in network behavior is proactive by any definition.
Intrusion prevention has reached the point where the technology has been tested extensively and is now broadly deployed by hundreds of Fortune 500 customers worldwide. Talk to them. Start at the very top of the list.