But even then, they do so only after the IPS has proven itself worthy of their trust.
"We see a lot of enterprises using it in basic IDS mode, and if they're blocking anything, it's just known malicious attacks," says Robert Ayoub, the principal IDS/IPS analyst in Frost & Sullivan's security practice.
He explains further that enterprise security managers are worried that the IPS will inadvertently block authorized network traffic, an all too real possibility.
"A lot of it has to do with the nature of false positives from IDS systems, and there's fear that if they turn on actual blocking it's liable to block legitimate packets," Ayoub says.
As a result, most large organizations take a phased approach to deploying IPS. They deploy the IPS to watch traffic — using the device's out-of-band IDS capabilities — and get a "baseline" of their network activity. This allows them to build up trust in the IPS's capabilities before moving the device inline to block traffic, according to vendors and analysts.
Even when they do first start blocking traffic, they block only a certain percentage of it while continuing to analyze traffic in and out of their network, says John Vecchi, group product marketing manager for McAfee's network security solutions. Many enterprises, for instance, don't hesitate to block peer-to-peer traffic very early on, adds Frank Hayes, senior vice president of marketing for Portsmouth, N.H.-based IPS vendor NitroSecurity.
They also move quickly to use rules-based policy blocking of most known malware (for example, viruses and spyware) and many multimedia applications. Many of them also want to get a handle on instant messaging, not necessarily to block it entirely, but to track its use with the idea of possibly limiting the bandwidth available to it, says Sanjay Beri, director of product management for Sunnyvale, Calif.-based Juniper Networks.
See it to believe it
The city of Burbank, Calif. took a wait-and-see attitude to deploying a trio of IPS systems from Juniper Networks, according to Perry Jarvis, the city's network operations manager.
"I ran [Juniper's IDP-100 IPS] as a ‘sniffer' for probably a month, off a mirrored port," explains Jarvis.
This was prior to turning on packet-filtering, which allowed him to develop a "baseline of traffic to figure out what our network was doing," he adds. "Once I got an understanding of the data we get on a daily basis, I then created a set of rules and put the device inline."
Even then, maintaining an IPS is anything but "an exact science" after it's up and running, says Jarvis. The city of Burbank has 14 city departments, and each operates as a separate business, with different applications and networking use characteristics, he says.
That can pose problems when he tweaks the IPS. "There's some weird stuff out there," Jarvis says.
For instance, he made a configuration change that left the city's parks department unable to access a web-based application it uses to track its tree population.
"They run a client application that connects to a web portal, and I have no clue how it works — the application does something a normal website doesn't do, such as database calls," he explains.
He was able to fix the problem by "making a rule change, backing off and figuring out what tripped it. At the end of the day, I allow them to do their job and keep everyone safe," Jarvis says.
Strategies and tactics
Enterprises take the phased approach, even going so far as to use IDS and IPS capabilities in tandem, because "they've realized there's no magic box that will solve their security problems," says Nick Selby, an enterprise security analyst with San Francisco-based The 451 Group. Most IPS vendors now sell their boxes with both inline filtering and offline monitoring capabilities, or even a combination of the two. "The two can't exist in a vacuum," Selby adds.
As is often the case, the strategies and tactics that enterprises use for deploying their IPS and IDS depend on the nature of their business and what they're trying to protect. Take the case of Ottawa, Canada-based Workstream Inc., which delivers human resources-related software services, such as recruitment and compensation planning via the internet.
Michael Gioja, Workstream's chief information officer and executive vice president of products and support services, has taken what he calls a "horizontal and vertical" approach to deploying Third Brigade's IPS solution. He's using the Third Brigade technology to protect a variety of hosts within his company's production and corporate systems, which provide online access to Workstream's human resources applications to customers, such as Chevron, Home Depot, VISA and Wells Fargo.
The company has grown via acquisitions, leaving Gioja with a variety of dissimilar systems to manage and protect. These include SQL Server and Oracle databases running on Sun Solaris, Linux and Microsoft .NET platforms. He's integrating them at the web services level. Developing the ability to manage and secure this environment was one of the keys in deploying an IPS solution. Specifically, he was looking for ways to protect against vulnerabilities from the network level to application level.
"I wanted a mechanism to protect against holes in Microsoft's .NET, as well as the ability to protect against SQL injections into my databases," Gioja explains.
He says he began deploying Third Brigade's host software agents "horizontally, to protect general operating systems and web-based software and services." At the same time, he has also taken a vertical approach to deploying the IPS system by placing agents on servers that host some of the company's applications — initially those that allow customers to manage recruitment. Eventually, Workstream will protect all of its web-accessible applications with the Third Brigade system.
"When we're done, we'll have probably 250 agents installed," Gioja says.
His strategy of providing separate coverage for the two types of systems is vital, he says.
"Operating system vulnerabilities have nothing to do with application-specific vulnerabilities," he adds.
Currently, the IPS system performs packet filtering. Before implementing any filters to block application access, Gioja says he ran the Third Brigade system through "a fair amount of regression training, ensuring that I'm secure, but not to the point where something doesn't run."
In addition to security-related packet-analysis and blocking, numerous enterprises, especially those in the financial services and healthcare industries, rely on the capabilities of IPS and IDS to meet compliance regulations. Meeting regulatory demands "is one of the major reasons many companies adopt a stop-all-threats model," says Juniper's Beri.
Such tools allow heavily regulated organizations to determine which applications and network resources, such as servers, malicious traffic is accessing. This is a key requirement to companies that must meet Sarbanes-Oxley or the Health Insurance Portability and Accountability Act regulations — a "huge driver" in the deployment of the devices, says Beri. n
Jim Carr is an Aptos, Calif.-based freelance business and technology writer who has covered the networking industry for more than 15 years. He can be reached at [email protected].
KNOWING THE PATTERN:
Evolving IPS model
Although this is changing quickly, intrusion prevention systems (IPS) have traditionally relied on signatures to identify, then stop attacking traffic from entering a network. Much like an anti-virus or intrusion detection system (IDS), an IPS looks for known patterns, such as trojans, spyware and other types of malware. Increasingly, however, they are integrating more "intelligence" about the devices on a LAN, and can model what might be called "normal" traffic on a protected host or network to identify a traffic anomaly, and thus stop the attack.
"Look at Lucid Security and several other IPSs," explains Nick Selby, an enterprise security analyst with The 451 Group. "Lucid scans all assets on a LAN by polling IP addresses and fingerprinting them to operating system and build levels. It keeps a database of all the assets, and does deep packet filtering and integrated anti-virus at the network edge."
This allows it to correlate and stop attacks only when they are aimed at an appropriate target. For instance, it will realize that an attack targeted to Linux servers will not damage a Windows desktop PC, so it lets the traffic pass into the network, not wasting CPU cycles on it, says Selby.
Sourcefire and ISS provide similar capabilities.
"ISS now has a fairly powerful endpoint agent, and can correlate information from a variety of sources to make more intelligent decisions about blocking traffic," says Selby.
He says this is all part of a major push by IPS vendors to increase endpoint security. They often work in conjunction with a higher level security event management (SEM) system, such as Cisco's Network Admission Control (NAC), which allows quarantining or kicking non-compliant systems off the network entirely.
With "a lot more intelligence coming from within the LAN about endpoint vulnerabilities, IPSs are more than just a group of signatures," Selby says.
KNOWING THE PATTERN
Evolving IPS model