Preventive measures
Brian Fonseca, Information Age
18/06/2003 16:42:22
Security customers aren't the only ones debating whether IDSes (intrusion detection systems) can deliver on their promises of preventative security -- IDS vendors are also trying to figure out how to deal with a technology that threatens the core of their business strategy. Indeed, the supremacy of IDSes is being tested by security customers' demands for a faster, more efficient, and proactive form of intrusion prevention for their networks. Complicating matters, customers are experiencing difficulty in discerning between true IPSes (intrusion prevention systems) and watered-down versions, as well as weighing the complexity of marrying in-line IPS with various network processes.

But there's no mistaking the attractive glow of intrusion prevention that works -- IT still salivates over the idea of preventing attacks before they become enterprise-wide disasters, although it is more cautious about putting too much trust in security systems that make large promises. As IPS technology matures, security experts predict that IDS and firewall protection will eventually become one, IPS appliances will multiply, and traffic inspection and switch hardware vendors -- such as Cisco, F5 Networks and Nortel -- stand poised to claim the IPS crown.

Prevention gets the nod

Some analysts, including Gartner, are advising customers to hold off on making large network IDS investments in favour of investigating the merits of IPS. Organisations already bound to IDS investments and drowning in false-positive returns should look to security management vendors such as ArcSight and NetForensics to restore control, says John Pescatore, VP of Gartner. "We think IDS is dead. It's failed to provide enterprise value," Pescatore says. "In order for it to survive, it has to go faster, at wire speed, and it has to solve the false-alarm problem."
False alarms - a notorious bane of IDS - can be a troublesome burden when the lack of internal security expertise and ever-tightening budgets push security event prioritisation to the forefront. IPS cuts down on false positives by sitting in-line, applying stateful signatures through session inspection, and combining multiple detection methods, including protocol and packet identification, to uncover sudden or extreme traffic pattern changes (such as in a denial of service attack) or deviations from a set policy. "Sometimes people will take every single positive and vulnerability and try to address it, and it may not be a necessity, especially these days when you have streamlined staff," says Qualys customer Pjay Castro, senior network engineer at Tower Records. "We need to concentrate on what could affect us."

The scramble by security vendors to institute successful IPS is buoyed by a number of devastating security breaches and costly virus cleanups during the past year to 18 months -- events that became the last straw for many customers. After being paralysed by attacks such as Nimda, Klez, and Code Red, Tom Danford, CIO of the University of Dayton, Ohio, says his organisation realised that an active defence system was critical to its future. "We were hit by all those [viruses], and it brought the university to its knees on a couple of occasions," Danford explains. "We had classes that were affected and a large expense in paying people to clean up the machines and damage. There's also all that lost time and productivity. We decided that prevention was going to keep our security where we wanted it to be." With more than 10,000 total students connecting their PCs and laptops into the school network on and off campus, Danford wanted an IPS offering capable of actively looking for suspicious activity on the network, blocking it, and allowing for later inspection inside the firewall.
In December, the university deployed IPS vendor TippingPoint Technologies' network-based Unity2000 device, which searches for and pushes threat profiles to the appliance, on a trial basis. So far, the results are promising: despite running multiple Microsoft SQL servers on campus, the Slammer worm did not impact any of the university's systems. TippingPoint's UnityOne IPS product features a security processing engine built to handle network packets and capable of processing all header information in packets at very high speeds. To successfully stop computer attacks by dropping packets as soon as a threat is detected, an IPS solution must be part of the network infrastructure with microsecond latency, says Marc Willebeek-LeMair, CTO of TippingPoint. "Because IPS has two letters in common with IDS, we're always thought of as the next generation of that product line, and we're actually very different," adds Willebeek-LeMair. "Attacks are not just perimeter-based but also internal. IPS is effective when you can put it into your network fabric and block attacks coming at it from any direction. It's not just your WAN access point anymore."

Not all peaches and cream

IPS may be making headlines, but some IDS stalwarts such as Internet Security Systems (ISS) question the forecast abandonment of IDS and customers' need to achieve greater network protection speeds. "Just because you put a lock on your front door doesn't mean you throw out the burglar alarm system," says Chris Klaus, CTO of ISS. "When you look at what people are connecting to the Internet with, it's nowhere near gigabit." However, there's no denying that IPS is putting pressure on the IDS market to take a good look at its own strategies. Klaus says ISS, for one, is moving from a reactive to a proactive security mantra through its heavy managed services initiative by keying on servers, desktops, OS log analysis and forensics information.
Having been burned before on complicated security projects and unfulfilled promises of other "silver bullet" security fixes such as PKI, IPS faces an enormous challenge to win over sceptical customers, says Lloyd Hession, chief security officer of Radianz, a financial services extranet. The complexity associated with deeper inspection and sitting directly in the line of traffic means an IPS solution can't just be dropped in and plugged in, but must become yet another element in a potentially congested network. "The mantle has been passed to new IPS products, but the problem is the risk of these products, and the downside is they're potentially dangerous because they are more complex and in-line," Hession explains. "Once you introduce into a production environment another single point of failure, a device that is no longer passive, then the reliability of your whole production environment is potentially impacted by that device that is in-line." According to Hession, IPS has not had nearly the amount of time needed to "work out the kinks" and develop maturity -- but neither has IDS. "The problem the security industry has at the moment is that these are not integrated enterprise solutions," he adds. "These are point solutions which are incremental, and have costs that CIOs must face. It's a challenge. We can't keep going down the path with point products."

IDS in the hot seat

Further muddying the IPS waters, Pescatore notes an alarming level of "snake oil" IPS solutions, in which IDS-oriented vendors adopt a new IPS identity that does not properly address IDS' problems. For instance, he believes that reducing false alarms is critical but not at the expense of impeding legitimate traffic. This requires a security mixture of algorithms, signatures, stateful protocol analysis, behaviour-based methodology, and correlation among other network areas - a mixture found more often in IPS solutions.
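The two passages above (IPS cutting false positives by being in-line with stateful, session-aware signatures and traffic-pattern checks, and Pescatore's point that false-alarm reduction must not impede legitimate traffic) can be made concrete with a small simulation. The following is an added example written for this page, not code from any vendor named in the article. It contrasts a stateless, signature-only detector with a toy in-line engine that combines a port policy, a per-source SYN-rate check for sudden traffic changes, and signature matching only inside established sessions. The packet stream, the signature, the allowed ports and the rate threshold are all constructed for illustration.

```python
"""Toy in-line inspection pipeline contrasting stateless and stateful verdicts (constructed example)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds
    src: str
    dst: str
    dport: int
    flags: str         # client-to-server TCP flags: 'S' (SYN), 'A' (ACK), 'PA' (PSH+ACK)
    payload: bytes = b""


# Constructed signature: an over-long HTTP request line. Only meaningful inside a real session.
SIGNATURES = {"long-http-uri": b"GET /" + b"A" * 64}
ALLOWED_PORTS = {80, 443}   # constructed policy for the protected server
SYN_RATE_LIMIT = 20         # constructed threshold: SYNs per source per window
WINDOW = 1.0                # seconds


class StatelessIDS:
    """Signature-only: fires on any payload match, with no idea whether a session exists."""

    def inspect(self, pkt):
        for name, sig in SIGNATURES.items():
            if sig in pkt.payload:
                return f"alert:{name}"
        return None


class InlineIPS:
    """In-line engine: policy check, rate-based anomaly check, then stateful signature check."""

    def __init__(self):
        self.half_open = set()                 # (src, dst, dport) after a SYN
        self.sessions = set()                  # tuples that completed the client handshake
        self.syn_times = defaultdict(deque)    # per-source sliding window of SYN timestamps

    def inspect(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        # 1. Policy: traffic to ports outside the allowed set is dropped regardless of content.
        if pkt.dport not in ALLOWED_PORTS:
            return "drop:policy"
        # 2. Traffic-pattern change: too many SYNs from one source inside the window.
        if pkt.flags == "S":
            q = self.syn_times[pkt.src]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > WINDOW:
                q.popleft()
            if len(q) > SYN_RATE_LIMIT:
                return "drop:syn-rate"
            self.half_open.add(key)
            return "pass"
        if pkt.flags == "A" and key in self.half_open:
            self.half_open.discard(key)
            self.sessions.add(key)
            return "pass"
        # 3. Stateful signature: payload is only matched inside an established session.
        if key in self.sessions:
            for name, sig in SIGNATURES.items():
                if sig in pkt.payload:
                    return f"drop:{name}"
            return "pass"
        # A data packet with no session behind it would be discarded by the host anyway;
        # it is dropped as non-conforming, not raised as a signature alert.
        return "drop:no-session"


def build_stream():
    """Constructed packet stream: legitimate session, in-session attack, stray packet, SYN burst, policy hit."""
    stream, t = [], 0.0

    def add(src, dport, flags, payload=b""):
        nonlocal t
        t += 0.01
        stream.append(Packet(t, src, "10.0.0.5", dport, flags, payload))

    add("10.0.1.1", 80, "S"); add("10.0.1.1", 80, "A"); add("10.0.1.1", 80, "PA", b"GET /index.html")
    add("10.0.1.2", 80, "S"); add("10.0.1.2", 80, "A"); add("10.0.1.2", 80, "PA", SIGNATURES["long-http-uri"])
    add("10.0.1.3", 80, "PA", SIGNATURES["long-http-uri"])   # no handshake: a stateless sensor still alerts
    for _ in range(25):                                       # SYN burst from one source
        add("10.0.1.4", 80, "S")
    add("10.0.1.5", 23, "S")                                  # telnet is outside the allowed-port policy
    return stream


def run(stream):
    """Return verdict counts for both engines over the same stream."""
    ids, ips = StatelessIDS(), InlineIPS()
    counts = {"ids": Counter(), "ips": Counter()}
    for pkt in stream:
        counts["ids"][ids.inspect(pkt) or "pass"] += 1
        counts["ips"][ips.inspect(pkt)] += 1
    return counts


if __name__ == "__main__":
    for engine, c in run(build_stream()).items():
        print(engine, dict(c))
```

Over this stream the stateless sensor raises two identical signature alerts, one of them for a stray packet that no session would ever deliver, and says nothing about the SYN burst or the policy violation. The in-line engine drops the in-session attack, treats the stray packet as a non-conforming drop rather than an alert, throttles the SYN burst after the threshold, enforces the port policy, and passes every legitimate packet, which is the balance Pescatore describes.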
"What we think will happen, by the end of next year, is that IPS will really have impacted the firewall and IDS market," Pescatore remarks. "That's when Cisco would swoop in, maybe a CheckPoint, but people like Nortel and F5 -- even Nokia -- will be going after this market by some real high-end, multigigabit products sold to carrier-class networks." In turn, he says IDS vendors must embrace the dawn of IPS and morph their offerings into firewall schemes; those who don't accept IPS are living on borrowed time.

Hession also sees firewalls, IDS and IPS as complementary components of a security strategy; dropping IDS completely would be a bad idea without a great firewall in place, but the advantages of IPS mean IDS' role in the enterprise will change. "If companies go with IPS, is this a replacement for a firewall? My answer is absolutely not," explains Hession. "Firewalls are tuned and built and designed to do a type of filtering and screening and access control, IPS and IDS are not."

F5 already envisions its BIG-IP product becoming the control plane of IPS, allowing customers to block traffic while F5 partners provide the inspection interface that communicates with BIG-IP, says Erik Giesa, senior director of product management at Seattle-based F5. Meanwhile, Cisco has been much more aggressive about its IPS intentions, bolstered by the purchase of host-based IPS vendor Okena earlier this year. Other acquisitions also play into a vision of converged network and security services: the hardware maker's purchase of Psionic is designed to reduce false positives, and its scalability push is evidenced by its recent Catalyst IDS module announcement.
"Our customers have told us for some time that although they understand intrusion prevention, they don't yet trust the technology to act autonomously and take actions for them to make the right decisions on good and bad traffic," explains John McFarland, manager of security appliances for the VPN and security business unit at Cisco. The benefits of IPS are clear, but its true test will be in living up to its promise in dealing with real-world security threats. IPS' home for now is in stand-alone appliances and solutions, but the reactions of IDS vendors show that IPS' future likely lies in an integrated solution, whether it be an IDS-IPS combination, a firewall, or another piece of infrastructure. "What you're asking of IPS technology is to sit in the network, make decisions, and affect packet flow, which are all functions of a network device," McFarland says. "IPS is not a one-trick pony game. It's a comprehensive solution."