Keeping out the intruders: Detecting and preventing

What is the future for intrusion detection and intrusion prevention systems? Illena Armstrong examines the conflicting claims.

A recent report from research group Gartner, Inc. caused a ruckus in the intrusion detection/intrusion prevention system market. In the Information Security Hype Cycle, Richard Stiennon, research vice president for Gartner, concluded that IDSs had failed to offer any value to companies relative to their cost, and would fall away by 2005.

Failure or the future

"Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled," says Stiennon. He said that "functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking," and into anti-virus products.

The idea that IDSs are doomed to failure does not gain much support from many in the industry. Chris Hovis, vice president of marketing and business development with Lancope, agrees that there have been problems associated with traditional network-based IDSs, such as false positive overload, issues detecting unknown threats, operational challenges in high-speed environments, and difficulties in managing some traditional signature-based solutions. At the same time, however, the research fails to account for the bevy of hybrid solutions on the market that integrate the best features of IDS with newer behavior-based threat detection, policy enforcement and network intelligence.

To suggest that monies would be better used if redirected toward firewalls is strange, too, according to Hovis, given that the statement contradicts some of Gartner's opinions released in December 2002, which noted that "firewalls cannot defend against data attacks, social engineering, malicious insiders and many denial-of-service attacks. Also, the firewall inspects the headers but not the contents of the data packets. For examining the contents, other products would be needed."

Plus, just as the case is with quite a few security solutions on the market today, application-layer firewalls have their own performance challenges to address, not to mention that deploying firewalls throughout the internal network is likely to be viewed by many organizations as impractical, according to Hovis.

Evolving systems

Michael Rasmussen, a security expert with another analyst firm, Forrester Research Inc., contends that IDS solutions are actually getting better. Simply drawing a clear line to separate current IDSs and those of the future, which he qualifies as intrusion prevention and advanced firewalls at the application layer, is a mistake. In reality, intrusion detection technology is simply evolving into intrusion prevention, which is "simultaneously converging with firewalls," he says. This convergence will result in a "next-generation gateway by 2005," but only by evolution.

"Stating that intrusion detection has failed to protect organizations is an overstatement - by that claim, firewalls and every other security technology have done so, too. Ask the victims of Code Red, Nimda, Slammer and many others how effective their firewalls were," he says. "Technology helps protect organizations, but they all require management and layers of defense."

It was just this past January that Merrill Lynch's Global Securities Research and Economics Group released a report sharing its opinions of the software security market. Noting that the intrusion detection/protection market was only in its early stages and therefore offered immature technologies that lacked standards for reporting events, the findings suggest that such solutions have value.

"The threats are real and despite the inability of the technology to stop all types of attacks, the technology works often enough to be useful," states the report, adding that with new entrants stepping into an already crowded playing field, competition is fierce.

Lack of clarity regarding IDS and IPS is still rippling the waters, says Mike Paquette, vice president of product management for Top Layer Networks. Some IDS vendors claim to offer intrusion prevention, while other vendors are putting real IPS and IDS on the table to protect networks and applications.

Layering the defenses

"Customers are telling us that they're worried about cyberthreats, both at the network perimeter, where broad network-attack protection is necessary, and at critical online resources, where enhanced resource-specific protection is required, as well," he explains.

For Bob Wynn, chief security officer for the State of Georgia and a recent Lancope customer, layering is the way to protect his infrastructure. As a result, he not only uses Lancope's StealthWatch, but has also long been a customer of ISS and its RealSecure product, Enterasys Networks' Dragon, and Sourcefire's well-known Snort.

"The idea goes back to a defense in depth ... if you can beat what we have then I'm not going to stop you anyway," he says. He believes that IDSs and their functionality are likely to remain and will probably lead to a dominance of hybrid solutions, where traditional signature-based tools will continue to merge with behavioral-type systems.

Kirk Drake, vice president of information technology at the National Institute of Health Federal Credit Union, and another Sourcefire customer, invested in his IDS around March of 2002, but it has only been during the last four to five months that he and his staff have really begun managing it effectively. For him and his team, layering various protective mechanisms is the most practical thing to do. In this way, they can concentrate on honing their skills at IDS, ensuring their firewalls are managed and configured properly, and managing their patches effectively.

"There's the school of thought that if you prevent it, you don't have to worry about the rest of that stuff," he says. "But I don't know any good security guy who would say, 'with this one all-encompassing solution it's going to solve all of [your] problems.' You always want to have layers."

Based on conversations with other CTOs at credit unions, Drake is not alone in holding to the belief that IPS is some time away from being ready for the prime time just yet. Perhaps, in the next four to five years, after getting a better handle on the whole network security process, he and his company will realistically look at adding an IPS component to their other layers of protection, he says.

Because IPS tools are typically put inline with traffic rather than passively monitoring it like traditional IDSs, explains Marty Roesch, CTO of Sourcefire, issues such as latency being introduced into the network, questionable data management, reliability, accuracy in detection and prevention, and more, continue to crop up.

"We went out and spoke with some financial houses in New York City a few months ago and asked them, show of hands, who's going to be deploying IPS in the next 12 months? Nobody raised their hands. The technology is not fully baked yet," he says.

There is no doubting that the already cumbersome vat of opinions in the intrusion protection arena fails to get any easier to understand when all the hype surrounding newer IPSs is added to the mix. Often pitted - rightly or wrongly - against traditional network IDSs, these newer solutions are believed either to be the wave of the future, failures in delivering on their promises, or potential successes only when coupled with intrusion detection capabilities.

IPS versus IDS

Yet, despite all the talk about the prevention space's future, some analysts have been nothing but optimistic about this arena. Indeed, notes Perry Luzwick, director of development for Northrop Grumman Information Technology's Defense Enterprise Solutions business unit, some projections show 190 percent growth per year over the next 3.5 years for the IPS industry.

To Paul Barker, technical architect at U.K.-based Integralis, confusion is plaguing the IDS/IPS market overall mainly because of "the ineffective use of intrusion detection and prevention systems." On the one hand, IDS, while a pretty well-established technology, is notoriously poorly implemented and lacks a proactive stance.

But IPS has its share of problems, too, the top one being brand recognition, he explains further. In jockeying for footing in the market, IPS has foundered in clearly showing what it does for a corporation and how it accomplishes this.

The way companies might want to view these newer systems is simply as an IDS augmented with automated response capabilities, says Steven Hofmeyr, founder and chief scientist for Sana Security. Basically, detection of an incident results in the automated blocking or prevention of the incident, alongside its being reported, he says.

"Consequently, intrusion prevention systems are only as good as the underlying detection methods that they use - if you cannot detect something, you cannot prevent something," he says.

Bafflement among buyers crops up when vendors obscure the facts "with over-hyped talk about prevention, without addressing the fundamentals of how detection is carried out," he adds. "In reality, most intrusion prevention systems will initially be used as intrusion detection systems, having the automated responses turned off. The reason for this is that users are wary of automated prevention blocking legitimate activities."
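To make Hofmeyr's description concrete, here is an added illustration (my own example, not code from the article or from Sana Security or any other vendor it names): a single detection engine run in two modes. The Mode, Rule, Packet and Verdict names, the two signatures and the sample traffic are all constructed. The engine that merely alerts in detect mode drops packets in prevent mode, so the false positive on the last packet (a legitimate post that happens to contain a signature string) costs a triage in detect mode but blocks legitimate traffic inline.

```python
"""Same detection engine, two responses: detect (IDS) or prevent (IPS).

Added example, not code from the article or from any vendor it names.
Rules, packets and host names are constructed.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    DETECT = "detect"    # passive: alert and forward the packet anyway
    PREVENT = "prevent"  # inline: alert and drop the packet


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str


@dataclass
class Verdict:
    packet: Packet
    forwarded: bool
    alerts: list = field(default_factory=list)


# Constructed signatures in the style of a signature-based sensor.
RULES = [
    Rule("web-sqli-union", re.compile(r"union\s+select", re.IGNORECASE)),
    Rule("web-traversal", re.compile(r"\.\./\.\./")),
]


def inspect(packet, rules=RULES):
    """The detection step, identical in both modes: names of matching rules."""
    return [r.name for r in rules if r.pattern.search(packet.payload)]


def process(packets, mode, rules=RULES):
    """Run packets through the engine; the mode decides only the response."""
    verdicts = []
    for p in packets:
        hits = inspect(p, rules)
        # Only prevent mode turns a detection into a dropped packet.
        forwarded = not (hits and mode is Mode.PREVENT)
        verdicts.append(Verdict(p, forwarded, hits))
    return verdicts


def summarize(verdicts):
    """Alerts raised and packets dropped, for comparing the two modes."""
    return {
        "alerts": sum(1 for v in verdicts if v.alerts),
        "dropped": sum(1 for v in verdicts if not v.forwarded),
    }


# Constructed traffic: one clean request, one real signature hit, and a
# legitimate blog post that merely mentions the matched keywords (a false
# positive for the engine).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "web01", "GET /index.html HTTP/1.1"),
    Packet("10.0.0.7", "web01", "GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"),
    Packet("10.0.0.9", "web01",
           "POST /blog HTTP/1.1\r\n\r\nbody=In SQL, UNION SELECT merges result sets."),
]


if __name__ == "__main__":
    for mode in Mode:
        verdicts = process(SAMPLE_TRAFFIC, mode)
        print(mode.value, summarize(verdicts))
        for v in verdicts:
            if v.alerts:
                state = "forwarded" if v.forwarded else "DROPPED"
                print(f"  {v.packet.src} -> {v.packet.dst}: {v.alerts} ({state})")
```

Running with the automated response turned off, as Hofmeyr says most users initially do, is simply Mode.DETECT: both alerts still reach the analyst, and the false positive on the blog post costs only a look. In Mode.PREVENT the same rule, with the same detection quality, silently drops a legitimate request, which is why the quality of the detection method bounds the value of the prevention.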

What about the next generation?

But, in the mind of Marc Willebeek-LeMair, chief technology and strategy officer for TippingPoint Technologies, the idea that intrusion prevention is an evolution of intrusion detection is erroneous. IPS vendors are trying to solve the problems that have always been inherent in IDSs, he contends, and the technology's precise objective is to eliminate human intervention and the need to monitor and second-guess the device. Indeed, says Willebeek-LeMair, his company is trying to overcome all the industry buzz so customers can understand what "a real intrusion prevention system" is.

Ideally, an IPS needs to address three priorities, he says. First, it should be founded on a stable and reliable platform, such as that seen in switches and routers, since it is going inline on the network. Second, it should also perform like a switch. To do this correctly requires specialized hardware.

The third priority is the offering of comprehensive security, with the idea that the solution is a part of the infrastructure, running as an active element that is not monitoring, but rather blocking or allowing packets to go through the network.

Jim Melvin, president and CEO of Mazu Networks, suggests that if one views firewalls as the door locks and IDSs as the alarms, "then next-generation IDS systems need to be like security cameras. That is, they need to capture more context with the events they are observing to clarify the exact behavior that is causing the alarm," he explains. As such, up-and-coming IDSs and IPSs are indistinguishable, he says. So, whether called IPS or next-generation IDS, these solutions will offer a context for security events identified to more "accurately assess the operational relevance of security events and quickly recommend effective countermeasures."

In the end, he says that IDS "and whatever IPS winds up being, could and probably should be component parts of an effective defense-in-depth security strategy." But, to do that right, the layers have to be built around "key business processes rather than only around a company's own network topology."

Survival of the fittest

When it is all said and done, services are beginning to blend to provide deeper protection for the network. That means IDS and IPS are not going anywhere. Intrusion detection has always been about finding all the bad things. But then, with the "marketing concept" of intrusion prevention hitting the scene, the difference between the IDS and IPS became the ability to distinguish attack events from normal events so the bad things can be stopped, says Joel McFarland, manager of product marketing within the VPN and Security Business Unit at Cisco Systems, Inc.

"At the end of the day," he says, "the ultimate solution will do elements of detection, will do elements of prevention and even access control/policy enforcement. ... We're still crossing the chasm on a product maturity basis."

And while the vendors and analysts grapple with how solutions will evolve over time, the security managers who are still pondering what all this means to them and the protection of their networks should skip worrying about the semantics.

Before even deciding what solutions and what layers are best for their organization, Check Point's Mark Kraynak, strategic marketing manager, advises companies to look at how they want to deploy security technology at a high level. And, typically, customers understand what they need - protection from attacks at both the network and application levels, while at the same time providing access to both.

To achieve goals of security and access, organizations should buy reasonably-performing host-based intrusion detection and prevention software for their servers, a high-speed intrusion detection and prevention system for the network, and light-weight host-based IDS for desktops, adds John Bonamico, senior director of product delivery for host IDS at Symantec. Tying these things together will require that companies seek out a management system of some type to gain a full view of the events happening on the network.

"For lack of a better [term, you] want an intrusion management [system]. You want to be able to look at all the different aspects of your network and be able to pull that data together ... and be able to react on that," he says.

And finally, Northrop Grumman's Luzwick says, "Security is performed so a business can, given all the constraints, maximize revenue and profit. The bottom line? The basics of good computer and network security haven't changed. A layered, heterogeneous approach is still the best means to defend the enterprise and, since no business can survive on its own, the extended enterprise."

Illena Armstrong is US and features editor for SC Magazine.

IDS versus IPS? Detection is the key to prevention

IDS or IPS is the wrong question, says Andre Yee. Pitting IDS against IPS creates a false dichotomy that leads to confusion in the minds of the users. The fact that detection is essential to prevention seems to have eluded certain industry pundits. Many security administrators shy away from deploying inline intrusion prevention in production because they understand that despite the many virtues of inline prevention, current product offerings are not the silver bullet they are purported to be. The notion that IPS is the cure for all that ails the IDS is an oversimplification. It fails to consider the following:

  • Security administrators decry the current crop of IDS for many issues, including the bane of false positives that currently plague the industry. They also note the overly complex deployment as well as the lack of scalability and manageability of large deployments. Many of these issues have nothing to do with prevention and are in fact a matter of product maturity.
  • Yes, security administrators also have issues with IDS being a passive responder rather than a device that actively prevents attacks. However, they understand equally the risks involved with dropping malicious network traffic, especially when the detection engines can potentially yield false positives. In an IDS deployment, false positives are a major annoyance; in an IPS, they may actually terminate legitimate traffic.
  • The dirty little secret is that a large percentage of malicious activity cannot be detected with sufficiently high confidence, hence cannot effectively be prevented on the fly. Stealth attacks, insider-based attacks, polymorphic attacks and zero-day attacks are typically not preventable.
  • Security monitoring and auditing are regarded as an essential element of a well-formed corporate security strategy. Even if it is possible to effectively prevent a significant percentage of known attacks, it does not negate the value of detecting suspicious and malicious activity. The question of whether there is value in knowing that an insider is systematically attempting to crack passwords across different servers in your enterprise should not even need to be asked. Yet, this is an example of the kind of attack that is difficult to prevent but necessary to detect and audit.

Andre Yee is CTO of NFR Security (
