From detection to prevention
More than 12 months later, it now appears that last year's reports trumpeting the demise of intrusion detection were greatly exaggerated. The reality is that IDS products have significantly advanced over the past couple of years and still offer value as monitoring and auditing tools.
However, there is no denying the appeal of real-time protection offered by intrusion prevention systems (IPS). Momentum for IPS is increasing as security managers are eager for a tool that can do more than simply detect attacks.
Most industry observers have correctly recognized that we are in the middle of a fundamental technology transition, moving from passive detection model to active prevention. What is less obvious to the industry at large is that a number of barriers will need to be overcome if this transition is to succeed.
While security managers are busy researching, evaluating and, in some cases, actually purchasing IPS products for their enterprises, most will not be deploying them inline. This is primarily due to major concerns about this first-generation technology that still needs to be tackled. If left unaddressed, users may buy IPS tools, but not deploy and use them as advertised.
The three primary concerns about IPS that are stymieing users to confidently migrate from detection to inline prevention include:
- Concern about sniping legitimate/benign traffic;
- Concern about self-inflicted denial-of-service (DoS);
- Concern about network quality-of-service (QoS).
Sniping legitimate/benign traffic
This is the dreaded IPS "false positive" scenario. Unlike IDS, where false positives are an annoyance and possibly an impediment, an IPS false positive might result in dropping critical network traffic.
For a financial institution, it may mean unintentionally sniping a million dollar financial transaction. Part of the problem might be traced to the lack of a qualitative assessment on the accuracy of a given detected event. Most IPS products only offer a "zero-sum" game when it comes to detecting and preventing attacks. The decision to block/drop network packet is based solely on whether the packet triggers a security event.
Unfortunately, in some practices, there are many security events that may be suspicious, but are not deemed an attack. For instance, an exceedingly long FTP command may be a clever buffer overflow attempt or it may just be a benign misuse of the FTP protocol.
The concern about self-inflicted DoS takes many forms, including the classic scenario during which an attacker spoofs an attack as coming from a benign source such the corporate email server.
In this scenario, some IPS products will block subsequent traffic coming from the server, resulting in a DoS scenario. Without having to delve into other, more complex self-inflicted DoS scenarios, the message is clear – until IPS products deal with this prevailing concern, some users will be reluctant to deploy these systems inline.
Network quality of service
Finally, network QoS represents a key gating parameter in the transition into an inline prevention model. Simply stated, security managers have to understand how the deployment of IPS impacts network availability, latency and throughput.
Unlike IDS, IPS products sit inline as a "bump in the wire." This means that IPS products must conform to higher levels of reliability and availability than IDS products. Security managers must also determine the impact of IPS to network latency under multiple network load scenarios. Anything measured above the millisecond scale might cause problems, especially in view of applications and protocols that require definitive levels of service such as VoIP.
Moving towards prevention
As a whole, most IPS products today fail to address the three key areas that will help make all the difference between success and failure.
In part, this is due to a misguided fascination with evaluating network security products primarily on the basis of their performance characteristics such as throughput and connections/sec.
In view of this, how does a security manager move their particular organization's strategy from detection to prevention? A coherent approach should incorporate both a thoughtful evaluation of technology combined with best practices for deployment.
So what are the key points for consideration when moving into intrusion prevention?
Don't focus on just speeds and feeds. Do a more comprehensive assessment of technology beyond simply evaluating performance throughput. Look to assess detection and prevention capability, especially how the IPS solution addresses false positives.
Begin on the perimeter. Instead of starting with a full-scale deployment in the core of your network, begin by deploying on the perimeter or as a gateway to remote sites.
Stair-step your way into prevention. Instead of immediately turning your IPS solution loose and walking away, stair-step your way into a full deployment. Initially, deploy in 'passive IDS' mode, then place it in a 'bridging' mode, before finally turning on the full IPS capability.
Ensure there is resistance to self-inflicted DoS. Part of the technical evaluation and testing of the IPS product should include ensuring that the system is resistant to this problem.
In conclusion, there is a growing belief that next year might be the one in which intrusion prevention finally manages to go mainstream and become broadly accepted as a key security tool.
Yet before that comes about, products need to evolve to be able to address those persistent problem areas. And when this happens, intrusion prevention will move from being merely a promising technology to a compelling security solution.
Andre Yee is president and chief executive officer of NFR Security and can be reached by emailing firstname.lastname@example.org