It’s just another line of defense

The Judge Group set out to bolster its network security after it made an unnerving discovery: intruders had broken into one of its FTP servers and loaded music and other files onto it.

Technicians stopped the covert activity, which had gone on for several days, and searched for something that would act as an additional buffer to the firewall.

The Pennsylvania-based company, which provides permanent placement, contract staffing and training services, considered buying an intrusion detection system (IDS) but shied away from it. The technology was flawed and required a lot of manual tuning, recalls Jim Baxter, network engineer at The Judge Group.

"It was a potential nightmare," he says.

Instead, the firm opted to deploy an intrusion prevention system (IPS) from Lucid Security, which Baxter describes as an easy-to-use, "fire-and-forget" device. The appliance protects the company from vulnerabilities that could affect its network, giving Baxter and his team time to test software patches thoroughly before deploying them. "As new threats come out, Lucid updates the system and we don't have to rush to deploy a new security patch right away," he explains.

"We can do our testing and make sure it doesn't cause any problems with our applications. So we're not trying to shove security updates down the throats of developers who want to make sure the application stays running."

With enterprises such as Baxter's adopting it as a key part of their security infrastructure, IPS appears to be gaining acceptance, despite being a fairly young technology. Sales of IPSs have outpaced those of their much-maligned predecessor, IDS, according to Greg Young, an analyst at Gartner: "Certainly, we are seeing very few new purchases of IDS and a very significant number of IPS launches."

However, Mark Mellis, a consultant at SystemExperts, says that none of his clients have deployed IPS or expressed an interest in it. He wonders whether the hype surrounding IDS, and the associated problems with that technology, might have hurt the entire market segment.

"They were sold as miracle cures and they're really more like aspirin," says Mellis, adding that he is pretty skeptical about IPS vendors' claims.

Yet Young says that IPS is a "significant departure" from IDS by combining the detection and prevention functions. "The plague of false positives has not materialized – that was an issue several years back [with IDS]," he adds. While network-based IPS has caught on, host-based IPS (HIPS) has found a home on servers, but not so far on desktops.

There are two general classes of network-based IPSs, says Young – enterprise versions that are usually purpose-built hardware, and software-based models geared for small businesses and remote offices. In either case, a strong IPS must combine several methods of detection, including signature analysis and protocol anomaly analysis, and should focus on vulnerabilities rather than actual exploits.
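The distinction Young draws between focusing on the vulnerability rather than on a particular exploit, as an added example that is not from the article or from any vendor named in it: a toy "LOGIN" protocol with an assumed 64-byte username buffer, one byte-for-byte signature for a single constructed attack tool, and a protocol-anomaly check that fires on every oversized field regardless of what fills it.

```python
import re

MAX_USERNAME_LEN = 64  # assumed size of the hypothetical server's username buffer

# Exploit-focused signature: the exact marker one specific (constructed) attack tool
# appends to its oversized username. It knows nothing about the underlying flaw.
EXPLOIT_SIGNATURE = re.compile(rb"^LOGIN A{100,}TOOLMARK\r\n")

# Vulnerability-focused parser for the toy protocol: one command per line.
LOGIN_RE = re.compile(rb"^LOGIN ([^\r\n]*)\r\n")


def signature_match(packet: bytes) -> bool:
    """Fires only when the known tool's payload appears byte for byte."""
    return EXPLOIT_SIGNATURE.match(packet) is not None


def protocol_anomaly(packet: bytes) -> bool:
    """Fires on any LOGIN whose username field is longer than the server can hold,
    whatever bytes fill it; non-LOGIN traffic is not this check's concern."""
    m = LOGIN_RE.match(packet)
    return m is not None and len(m.group(1)) > MAX_USERNAME_LEN


def inspect(packet: bytes) -> dict:
    """Run both methods side by side, as an IPS combining techniques would."""
    return {"signature": signature_match(packet),
            "anomaly": protocol_anomaly(packet)}


def decide(packet: bytes) -> str:
    """Inline verdict: block if either method fires, otherwise pass the packet."""
    return "block" if any(inspect(packet).values()) else "pass"


# Constructed sample traffic (not captured from any real system).
LEGIT = b"LOGIN alice\r\n"
KNOWN_EXPLOIT = b"LOGIN " + b"A" * 120 + b"TOOLMARK\r\n"
VARIANT = b"LOGIN " + b"B" * 120 + b"\r\n"  # same oversized field, different filler

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("known exploit", KNOWN_EXPLOIT), ("variant", VARIANT)]:
        print(f"{name:14} {inspect(pkt)} -> {decide(pkt)}")
```

The variant slips past the exploit signature but not the anomaly check, which is why a vulnerability-focused rule keeps working after attackers change their payload.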

Performance is a key issue for IPSs, says Charlotte Dunlap, an analyst at market-research firm CurrentAnalysis: "These devices sit inline and must run in real time to keep up with traffic. Throughput can range from 100Mbps to 2Gbps, and we expect that number to climb."

Since IPSs inspect traffic more deeply than a typical firewall, they are very processor-intensive and need a purpose-built architecture to avoid causing bottlenecks, explains Vimal Solanki, director of IPS product marketing at McAfee.

"As performance and function demands have gone up, the clear trend is towards specialized hardware," says Marc Willebeek-LeMair, CTO of Tipping Point.

Having an IPS that could handle an enormous amount of traffic was essential for The Planet, a Dallas-based provider of internet and hosting services, says John Bradberry, the firm's vice-president of information security.

"The aggregate load across our data centers is five to six million packets per second, and it's rising every day," he says, adding that an IDS the company previously deployed could not scale to keep up with its rapid growth.

The Planet installed 16 IPS appliances from Tipping Point in its three data centers, each providing 2Gbps of throughput. The firm has recorded rates as high as 900,000 packets per second on a single system, says Bradberry. And false positives are nearly non-existent.

The IPS is a "critical component" of his firm's defense-in-depth strategy that helps it to fend off threats proactively, such as the recent family of exploits targeting a flaw in PHP bulletin board software.

The proactive nature of IPS is a huge improvement over the reactive IDS process, says Chris Aidan, information security manager at Pearson Education, a global media firm. His firm had deployed an IDS from Internet Security Systems (ISS) that worked well enough, but sometimes produced false alarms, consuming a lot of manpower. When ISS moved over to IPS, Pearson jumped on it. "I'm getting more sleep at night," says Aidan. "With IDS, it was such a reactive process. This [IPS] is a lot more proactive."

Not only is the IPS appliance blocking malicious traffic, it is helping Pearson to preserve bandwidth. It recently ran a report that found the IPS blocked around three million types of unwanted traffic in one month, including spam and spyware.

"During that same period, we saw about an eight percent drop in our overall internet bandwidth utilization, which is phenomenal," says Aidan.

But IPS still needs watching. When the firm updates the blocking rules for the device, it occasionally winds up blocking legitimate traffic and must be fine-tuned.

"As with any good change-control system, you'll be publishing that to the user community. If they see anything, they will alert us, and we'll get the rule to an acceptable level or turn it off until we can figure out whether it's a false positive or something we want to change in the application," says Aidan.

Indeed, security professionals point out that while IPS technology aims to automatically block attacks, it still requires a degree of hands-on management.

"With some of these behavior-based systems, you still need to employ people and process," says Eben Berry, manager of information systems and security operations at Network Health, a Massachusetts Medicaid health plan.

The organization installed a host-based IPS from Sana Security to help protect critical servers. The software is "trained" to understand the normal behavior for a server and blocks anything else. But software patches or other changes might require some retraining for the IPS to stop it blocking legitimate activity.

Firms have to understand the learning process for the software, while covering themselves during that period with other security tools, says Berry.

An IPS deployment can be complex, says Jeff Simpler, co-founder of Simpler-Webb, a Texas-based IT services firm. "Like most other solutions we've seen, it's the ongoing tuning of the sensor and its software configuration that makes it more effective," he says.

In the end, IPS can provide a level of security that IDS could not. But it still needs careful handling.
