Now that the global investment management firm has deployed TippingPoint's intrusion prevention system (IPS), vulnerabilities automatically are patched.

It was not always that easy for T. Rowe, which manages about $270 billion in assets for investors around the world, says Davis, network security manager of the Baltimore-based company. In the past, his team — representing about one-tenth of one percent of the company's 5,000 employees — had to hustle any time a new system flaw was publicly disclosed.

"We, as a security department, would have to gather together, see where the vulnerabilities were, figure out steps to mitigate those vulnerabilities, and go out and make changes," he says. "And we'd have to pull a team together and try to move mountains every time Microsoft released a new patch."

In addition, around 2004, web application-based attacks began popping up with more frequency, and traditional firewalls no longer seemed adequate to provide the necessary protection.

Company IT officials began debating whether they should purchase an IPS or an intrusion detection system (IDS), but ultimately opted for the former. T. Rowe purchased TippingPoint's IPS solution in late 2004 and has since deployed it at several of its foreign locations, including London, Hong Kong and most recently Sydney, Australia, Davis says.

"If we were going to make an investment in this much equipment, we decided to go with an IPS," Davis says. "It's more leading edge. Why be alerted when you can stop it from happening?"

Andy Salo, director of product management for TippingPoint, says companies such as T. Rowe are ideal IPS owners.

"They are resource challenged," he said. "They don't have SWAT teams of security people that can be constantly monitoring the types of attacks going on. This technology lends itself so well to T. Rowe. They are the targets that this type of device protects against."

Compliance was a big driver for the company to purchase the device (Sarbanes-Oxley lists deploying IPSs as a best practice). Also factoring into the equation was the very nature of T. Rowe's business.

"Most of our stuff is people's financial data," Davis says. "Financial companies, as a whole, provide the target because of the wealth they have and the large customer bases. Being a financial firm and being responsible for managing people's money, we were looking for [the IPS] to protect critical access, our critical infrastructure, and all our partner connections."

Salo says the IPS helps companies avoid the embarrassing disclosure of a breach.

"They, really, at the end of the day, are trying to protect their reputations," Salo says. "You see it all over, identity theft. ‘Hey, your information is compromised.' Those companies have severe public relations problems that they have to overcome."

TippingPoint launched one of the first IPS systems in January 2002. Key to the solution is its "digital vaccine," which seeks to detect and block vulnerabilities and malware attacks at full network speed in real time, Salo says. The box sits inside the network, analyzing all traffic going past it, scrutinizing each packet, he adds.

When deciding on which IPS solution to settle on, T. Rowe's IT group performed a bake-off in its lab, Davis says. The team also was considering versions from Internet Security Systems and Juniper Networks, but after weighing ease of deployment and use, cost of ownership, and how well it blocked malicious traffic, T. Rowe decided on TippingPoint.

"We brought it in and dropped in the network," Davis recalls. "We turned it on, and it was pretty much working from day one."

He says one of the most significant, yet unexpected, benefits of the solution was its ability to block spyware and phishing attacks. TippingPoint recently built filters into its IPS to prevent the spread of the malicious software. For IT security professionals, they are welcome features.

Davis says he and his team have had little trouble deploying the system. However, the group has experienced some network interface errors and hardware problems, including faulty hard drives and power supplies. The device also has generated several "false positives" — but those types of occurrences are dropping fast.

Salo says TippingPoint designers correct problems as soon as they become aware of them by first conducting a "root cause analysis." Overall, Davis could not be happier.

"It's definitely done its job," he says. "It's saved my butt a couple of times."

We welcome your comments. Email us at scfeedbackUS@haymarketmedia.com.

 

THE GREAT DEBATE:
IPS vs. IDS

In 2003, analyst firm Gartner declared the intrusion detection system (IDS) dead, saying it would be obsolete by 2005.

And while there has been a surge toward deployment of its seemingly advanced successor, the intrusion prevention system (IPS) — T. Rowe Price's deployment of one serves as a prime example — the IDS still is hanging around.

As SC Magazine reported in July, many enterprise security managers have opted to run both solutions as a complementary approach toward network security. The theory is that the IDS can ensure that legitimate traffic is not being blocked — a concern among some who solely run the IPS — because the only job of the IDS is to identify and report information about potential attacks.

Meanwhile, the IPS sits inline, working quickly to block malicious or inappropriate traffic in real time. But because of its inherent haste, a poorly configured IPS may errantly bar legitimate traffic or let rogue packets through. As a result, some organizations run an IPS in the basic IDS mode. Or they continue running the IDS to ensure nothing falls through the cracks.

But IT professionals who deploy the IDS and/or the IPS should take note of an emerging player, network access control (NAC) devices. Experts say NAC solutions do one thing those boxes do not — they can determine who owns and authenticates the malicious traffic. — Dan Kaplan