The case for intrusion prevention

There have been many cases reported in both trade and national press recently about the increasing threat of cyber attacks, and the methodology employed to exploit vulnerabilities in security implementations. Despite this increased emphasis on the reality of the threat, many organisations are ignoring the advances in security products and technologies that can significantly increase their resistance to these attacks.

Like insurance, full appreciation of the level of protection often only becomes apparent following a catastrophic event. Third party and comprehensive motor insurance policies can appear to be identical products until such time as an accident occurs. At that instant, the full magnitude of the difference between the two becomes only too apparent. Likewise with security, full comprehension of the genuine weaknesses in a security implementation may only become obvious following an attack.

Firewalls and intrusion detection systems (IDSs) have traditionally been used, together with access control lists (ACLs) on routers, to create a security environment that reduces the risk of and vulnerability to attack. However, while each component makes a positive contribution to the overall security umbrella, each also has distinct weaknesses which dedicated intrusion prevention systems (IPSs) have been specifically designed to address.

Firewalls provide a good basic level of security, and the enhancements and improvements of recent years have taken functionality and performance well beyond that of early devices. However, simply loading more and more features onto a base product that was originally designed to perform relatively simple tasks is an inefficient and ineffective way to solve the problem. A Mini with a body kit, tuned engine and up-rated performance is still a Mini, and while it may well perform well against a comparable vehicle, it will still be no match for a Ferrari, a car specifically designed for a purpose.

Many organisations now deploy multi-tiered firewall architectures to increase their resistance to attack. But the inherent weaknesses in the fundamental technology cannot be overcome simply by adding multiple layers. Using a combination of different technologies, each with its own specific contribution to the overall effectiveness of the security architecture, is increasingly becoming the solution of choice for experienced security professionals.

Network intrusion detection system (NIDS) technology is still a useful component in any good network security architecture, whether this functionality is provided by dedicated devices or derived from the output data of other products. It has helped organisations fight intrusions, but as attacks have increased, the limitations of the passive approach have become only too apparent. Identifying security breaches without the active components necessary to stop them from entering the network does little to improve overall security.

High-profile worm attacks such as Code Red and Nimda can have a damaging effect on any network that is infected, but it is unlikely that the network will suffer a catastrophic failure. Network performance may well deteriorate, and there can be a significant increase in the costs associated with the time and expense of repairing and rebuilding infected systems.

In recent months, however, the nature of the attack profile has changed from random, high-volume attacks with little direct focus to specific, targeted attacks on organisations and individuals. These attacks show knowledge and understanding of existing technology and security practices, and specifically target known weaknesses. Simple brute-force attacks

Performance, resilience and accuracy are the key elements of effective intrusion prevention. Genuinely enhancing security levels, as opposed to merely covering deficiencies in either design or product selection, requires a different approach to the problem. One of the biggest limitations of existing security products is performance.

Security is a journey and not a destination, and as such continual investment in new and innovative products and technologies has become a necessity and not a luxury. Analysing the business risks of security breaches, and making appropriate investments to protect the critical assets on which a business operates, is a critical part of any security plan.

While nobody can guarantee 100 per cent security, investing in the latest products and technologies will improve the overall security of the network and provide greater protection for critical online assets.

If you do drive a Ferrari, having comprehensive insurance may not stop the accident from happening, but when it does occur the security of knowing that you have the best protection available makes the experience significantly more tolerable.

By Paul Lawrence, general manager, EMEA and Asia.
