Threat Management, Threat Intelligence, Network Security, Malware, Network Security, Vulnerability Management

IPS grows up

The evergreen IPS has evolved, but some experts dispute whether new features are enough for today's attacks, reports Fahmida Y. Rashid.

While talking to some customers, Dan Holden, director of ASERT (Arbor Security Engineering and Response Team), a division of Chelmsford, Mass.-based Arbor Networks, noticed a “fundamental” shift in how they were looking at security. 

These organizations, Holden found, weren't planning out projects to deploy anti-virus, firewall or intrusion prevention systems throughout the enterprise. Rather, they had projects addressing specific problems, such as botnets, distributed denial-of-service attacks (DDoS) and advanced persistent threats (APTs).

Customers were asking, “Can you help us solve these problems?,” and were not asking what products they should be buying. The realization was an “ah ha” moment for him. The threat landscape was driving the conversation on how to defend the network, which is a departure from the past, when administrators typically first deployed the security technology and then figured out how to block the attacks, Holden says.

The average network has grown exponentially over the past few years – with many people having more than one internet-connected device and spending more time online for both work and personal use. Having insight into what is entering and leaving the network is critical, and the ability to block malicious traffic from coming in is paramount. But specialized systems and advanced network security technologies have hit the market in recent years, there is no reason for organizations to abandon mainstay solutions, such as intrusion prevention systems, experts say.

“Defense-in-depth doesn't mean buy the best everything in the market,” Holden says.

Traditionally, organizations bought IPS and deployed the technology as the first line of defense outside the network perimeter and the firewall, says Pierluigi Stella, CTO of Network Box, a Houston-based computer security systems provider. All traffic first had to pass through the IPS and then the firewall, before reaching individual systems inside the network. The IPS was designed to be fast and lightweight in order to scan, identify and block malicious packets without slowing down network performance, Stella says. 

And, as the network expands and evolves, basic security measures should remain the same. “I still have a strong door to keep people out [of my house], even though I have an alarm system and a camera,” Stella says.

The fact that IPS is a decade old doesn't mean it's still not useful, says Daniel Ayoub, manager of product marketing at Dell SonicWALL, a Round Rock, Texas-based provider of network security. Firewalls are 25 years old and still considered a critical component of the network infrastructure, he says. And, IPS is just as ubiquitous – with Ayoub estimating that nearly 98 percent of organizations have deployed an IPS in some form or another. 

If the organization doesn't already have an IPS deployed, Network Box's Stella recommends investing in newer technology and security protections. However, for organizations where the technology is already running, he doesn't see any reason to “toss it.” 

Even if the IT department never looks at the logs and alerts within the IPS, simply having technology that blocks “known evil” provides a “reasonable level of protection” against ubiquitous threats, such as propagating worms, says Sadik Al-Abdulla, senior manager of the security practice at CDW, a Vernon Hills, Ill.-based provider of technology products and services. While IPS won't be able to block attacks exploiting zero-day vulnerabilities or thwart a skilled adversary using sophisticated tactics, it should “prevent 99 percent of push-button or automated attacks,” Al-Abdulla says.

That's not to say IPS technology hasn't evolved and matured over the years. While the solution originally relied on signature databases to identify bad packets, most modern systems have added reputation analysis to discern when requests are coming from known malicious sites and to detect anomalies in network traffic.

But, some experts dispute whether these additions are enough for today's attacks. The IPS has an extensive database of thousands of signatures that are “still essential, but not sufficient” for today's threats, says Tyler Carter, head of product marketing at McAfee, a Santa Clara, Calif.-based security software company. While baseline scanning using signatures is important, using reputation scanning to flag “bad neighborhoods” and identify suspicious behaviors is now part of the IPS arsenal, he says.

For example, if a machine on the network, usually used as a web server and email client, suddenly started surfing the web, that change in behavior is a red flag, Carter says. A file that claims to be a PDF file, but doesn't seem to behave like one, would also be flagged.


Customers often rely on default policies despite the fact that the modern IPS can do much more than older systems, Carter says. Most organizations don't have the time to manage these systems. They generally just configure the appliance to use the default policy and stick it on the network, he says. 

If vendors improve the quality of the default protection, then the customer gets a better level of protection out of the box, Carter says.

There's also a convergence happening – with IPS being integrated into other networking products, Holden says. IPS capabilities are now found in routers, switches, firewalls and unified threat management systems, among others.

The integration has “positive implications” for performance and reliability, making deployment simple and more cost-effective, agrees Al-Abdulla.

Stella goes a little further, saying that IPS should no longer be used as a stand-alone technology, and instead should be tightly integrated with the firewall. In that scenario, the IPS side of the system would identify rogue network packets, and the firewall side would drop the connection and block further attempts.

But, integrating the IPS with other networking components doesn't mean putting them inside the same box. In fact, it's better to focus on an integrated system where different components work together, but are separate entities, says Carter. There is a push to consolidate, but when a single appliance has to handle anti-virus, SSL encryption and other tasks alongside basic firewalling, performance is diminished greatly due to resource constraints.

Yet, security technology can't operate in isolation, as the endpoint has to know what's happening in the network, and the network has to know what's happening in the endpoint, Carter says. The challenge is to be available and effective without getting in the way of the network.

Holden of Arbor Networks agrees that even though IPS is an evergreen technology, there are certain areas where it is no longer useful. As attack methods and type of threats hitting the networks evolve, the effectiveness of an IPS has dropped. In the past, most network traffic was protocol-based, which IPS was good at blocking, but now much of the traffic going in and out of the network is content-based, which IPS has difficulty figuring out, Holden says. Attacks using obfuscated JavaScript to hide their activities is a nail in the coffin for IPS, he says. 

In addition, an IPS gives administrators visibility into network traffic, it struggles with web application traffic, as it cannot differentiate between legitimate application traffic and a malformed request designed to attack, says Rob Rachwald, director of security at Redwood Shores, Calif.-based data security company Imperva. Organizations with web applications need to close the gap with web application firewalls (see sidebar below). While the IPS scrutinizes traffic against signatures and anomalies, the WAF determines the behavior and logic of what is requested and received by the application, Rachwald says.  

While the IPS is still considered viable, its sister, the intrusion detection system (IDS), hasn't fared as well. IDS is reactive as it is just detecting what is malicious, but today's administrators want to take active steps to protect the network, such as blocking threats and other suspicious activities. Holden predicts IDS will “fall by the wayside” in the next three to five years.

It doesn't do anything inside the LAN or outside to prevent intrusions into the network, Network Box's Stella says. Its alerts and detection capabilities are useful after a data breach, but by the time it even sees the traffic, the network has already been compromised, Stella says.

In the past, administrators could look at the IDS logs to find breaches, but now there is too much network data being generated for that to be a worthy task, Holden says.

“The assumption is that someone is poring over pages and pages, screens and screens of alerts to make sense of them,” Stella says, adding the customer “derives zero value” from an IDS.

Many Network Box customers continue to deploy standalone IDS, simply because the auditors tell them that they have to, Stella says, adding, “Frankly, neither they nor I understand why.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.