The purpose of this paper is to identify the problem facing the network security community regarding vulnerabilities and patches. It explains why current security technologies such as firewalls, intrusion detection and prevention systems, and automated patch management solutions have failed to prevent vulnerabilities from being exploited. Finally, an alternative approach is proposed that incorporates and builds upon existing security technologies.
The standard doctrine for network security states that the best practice for securing computer networks is a layered approach. Hardening the operating systems and applications on computers by limiting the services offered as well as installing the appropriate patches is the first step. Setting up access control to limit incoming traffic both at the boundary routers as well as through the use of firewalls comes next. The final step involves the use of intrusion detection and prevention systems to identify attackers and prohibit their access to the network.
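The layered doctrine described above can be made concrete with a small model. The following is an added illustration, not code from the paper: an inbound connection is checked by each layer in the order a packet actually traverses them (boundary access control, then IDS/IPS signatures, then the hardened host), and the first layer that stops it is recorded. The allowed networks, signature bytes, ports and patch states are constructed sample data chosen for the example. The last case shows the gap the paper is concerned with: traffic that matches no signature, is permitted by the access policy, and reaches a service that is listening but unpatched.

```python
"""Toy model of layered network defense (defense in depth).

Constructed example: the policy data below is invented for
illustration and does not describe any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Connection:
    src_ip: str
    dst_port: int
    payload: bytes = b""


@dataclass
class NetworkDefense:
    # Layer: boundary router ACL / firewall - which source networks may reach a port
    allowed_sources: dict   # port -> list of ip_network
    # Layer: IDS/IPS - byte patterns that mark a known attack pattern
    signatures: list        # list of bytes
    # Layer: host hardening - services actually listening and their patch state
    listening: dict         # port -> {"patched": bool}

    def check_acl(self, conn):
        """Access control: is this source allowed to reach this port at all?"""
        nets = self.allowed_sources.get(conn.dst_port, [])
        return any(ip_address(conn.src_ip) in net for net in nets)

    def check_ids(self, conn):
        """Signature detection: True if no known-bad pattern is in the payload."""
        return not any(sig in conn.payload for sig in self.signatures)

    def check_host(self, conn):
        """Hardening: is a service listening on the port, and is it patched?"""
        svc = self.listening.get(conn.dst_port)
        if svc is None:
            return "closed"
        return "patched" if svc["patched"] else "unpatched"

    def evaluate(self, conn):
        """Return (outcome, layer) for one connection attempt.

        outcome is "blocked", "allowed" or "exposed"; layer names the
        layer that produced the decision.
        """
        if not self.check_acl(conn):
            return ("blocked", "acl")
        if not self.check_ids(conn):
            return ("blocked", "ids")
        host = self.check_host(conn)
        if host == "closed":
            return ("blocked", "hardening")
        if host == "patched":
            return ("allowed", "host")
        # Every layer let the traffic through and the service is unpatched:
        # nothing signature- or policy-based stood between the attacker and
        # the vulnerability.
        return ("exposed", "host")


def build_example_defense():
    """Constructed policy: web open to all, SSH only from the internal /8,
    443 permitted by the ACL but nothing listening there."""
    return NetworkDefense(
        allowed_sources={
            80: [ip_network("0.0.0.0/0")],
            443: [ip_network("0.0.0.0/0")],
            22: [ip_network("10.0.0.0/8")],
        },
        signatures=[b"../../", b"\x90\x90\x90\x90"],
        listening={
            80: {"patched": False},   # listening, patch not applied
            22: {"patched": True},
        },
    )


DEFENSE = build_example_defense()

# Constructed sample connections, one per layer outcome.
SAMPLES = {
    "ssh_from_internet": Connection("203.0.113.5", 22, b"SSH-2.0-x"),
    "traversal_on_web": Connection("203.0.113.5", 80, b"GET /../../etc/passwd"),
    "nothing_on_443": Connection("203.0.113.5", 443, b"\x16\x03\x01"),
    "ssh_from_inside": Connection("10.1.2.3", 22, b"SSH-2.0-x"),
    "unknown_request_on_web": Connection("203.0.113.5", 80, b"GET / HTTP/1.1"),
}


def evaluate_samples(defense=DEFENSE):
    return {name: defense.evaluate(conn) for name, conn in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:24s} -> {result[0]:8s} ({result[1]})")
```

Running the block prints one line per sample; only the last sample ends in `exposed`, because the request carries no known signature, the port is open to the Internet by policy, and the service behind it has not been patched.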