The IPS question

Security customers aren't the only ones debating whether IPSes (intrusion prevention systems) can deliver on their promises of preventative security -- IDS (intrusion detection system) vendors are also trying to figure out how to deal with a technology that threatens the core of their business strategy.

Indeed, the supremacy of IDSes is being tested by security customers' demands for a faster, more efficient, and proactive form of intrusion prevention for their networks. Complicating matters, customers are finding it difficult to distinguish true IPSes (intrusion prevention systems) from watered-down versions, and to weigh the complexity of marrying an in-line IPS with their various network processes.

But there's no mistaking the attractive glow of intrusion prevention that works -- IT still salivates over the idea of preventing attacks before they become enterprisewide disasters, although IT departments are now more cautious about putting too much trust in security systems that make large promises. As IPS technology matures, security experts predict that IDS and firewall protection will eventually become one, IPS appliances will multiply, and traffic inspection and switch hardware vendors -- such as Cisco Systems Inc., F5 Networks Inc., and Nortel Networks Corp. -- stand poised to claim the IPS crown.

Prevention gets the nod

Some analysts, including Stamford, Conn.-based Gartner Inc., are advising customers to hold off on making large network IDS investments in favor of investigating the merits of IPS. Organizations already bound to IDS investments and drowning in false positives should look to security management vendors such as ArcSight Inc. and NetForensics Inc. to restore control, says John Pescatore, vice president of Gartner.

"We think IDS is dead. It's failed to provide enterprise value," Pescatore says. "In order for it to survive, it has to go faster, at wire speed, and it has to solve the false-alarm problem."

False alarms -- a notorious bane of IDS -- can be a troublesome burden when the lack of internal security expertise and ever-tightening budgets push security event prioritization to the forefront. IPS cuts down on false positives by being in-line, by incorporating stateful signature matching through session inspection, and by combining multiple detection methods, including protocol and packet identification, to uncover sudden or extreme changes in traffic patterns (such as in a denial-of-service attack) or deviations from a set policy.

"Sometimes people will take every single positive and vulnerability and try to address it, and it may not be a necessity, especially these days when you have streamlined staff," says Qualys Inc. customer Pjay Castro, senior network engineer at Sacramento, Calif.-based Tower Records. "We need to concentrate on what could affect us."

The scramble by security vendors to institute successful IPS is buoyed by a number of devastating security breaches and costly virus cleanups during the past year to 18 months -- events that became the last straw for many customers. After being paralyzed by attacks such as Nimda, Klez, and Code Red, Tom Danford, CIO of the University of Dayton, Ohio, says his organization realized that an active defense system was critical to its future.

"We were hit by all those [viruses], and it brought the university to its knees on a couple of occasions," Danford explains. "We had classes that were affected and [a large] expense in paying people to clean up the machines and damage. There's also all that lost time and productivity. We decided that prevention was going to keep our security where we wanted it to be."

With more than 10,000 total students connecting their PCs and laptops into the school network on and off campus, Danford wanted an IPS offering capable of actively looking for suspicious activity on the network, blocking it, and allowing for later inspection inside the firewall. In December, the university deployed IPS vendor TippingPoint Technologies Inc.'s network-based Unity2000 device on a trial basis; TippingPoint searches out new threat profiles and pushes them to the appliance. So far, the results are promising: Despite running multiple Microsoft Corp. SQL servers on campus, the Slammer worm did not impact any of the university's systems.

TippingPoint's UnityOne IPS product features a security processing engine that inspects network packets and is capable of processing all header information in packets at very high speeds. To successfully stop computer attacks by dropping packets as soon as a threat is detected, an IPS solution must be part of the network infrastructure with microsecond latency, says Marc Willebeek-LeMair, CTO of Austin, Texas-based TippingPoint.

"Because IPS has two letters in common with IDS, we're always thought of as the next generation of that product line, and we're actually very different," adds Willebeek-LeMair. "[Attacks] are not just perimeter-based but also internal. IPS is effective when you can put it into your network fabric and block attacks coming at it from any direction. It's not just your WAN access point anymore."

Not all peaches and cream

IPS may be making headlines, but some IDS stalwarts such as Atlanta-based Internet Security Systems Inc. (ISS) question the forecasted abandonment of IDS and customers' need to achieve greater network protection speeds.

"Just because you put a lock on your front door doesn't mean you throw out the burglar alarm system," says Chris Klaus, CTO of ISS. "When you look at what people are connecting to the Internet with, it's nowhere near gigabit."

However, there's no denying that IPS is putting pressure on the IDS market to take a good look at its own strategies. Klaus says ISS, for one, is moving from a reactive to a proactive security mantra through its heavy managed services initiative by keying on servers, desktops, OS log analysis, and forensics information.

Because customers have been burned before on complicated security projects and on the unfulfilled promises of other "silver bullet" security fixes such as PKI, IPS faces an enormous challenge to win over skeptical customers, says Lloyd Hession, chief security officer of New York-based Radianz, a financial services extranet. The complexity associated with deeper inspection and sitting directly in the line of traffic means an IPS solution can't just be dropped in and plugged in, but must become yet another element in a potentially congested network.

"The mantle has been passed to new IPS products, but the problem is the risk of these products, and the downside is they're potentially dangerous because they are more complex and in-line," Hession explains. "Once you introduce into a production environment another single point of failure, a device that is no longer passive, then the reliability of your whole production environment is potentially impacted by that device that is in-line."

According to Hession, IPS has not had nearly the amount of time needed to "work out the kinks" and develop maturity -- but neither has IDS.

"The problem the [security] industry has at the moment is that these are not integrated enterprise solutions," he adds. "These are point solutions which are incremental, and have costs that CIOs [must face]. It's a challenge. We can't keep going down the path with point products."

IDS in the hot seat

Further muddying the IPS waters, Pescatore notes an alarming level of "snake oil" IPS solutions, in which IDS-oriented vendors adopt a new IPS identity without properly addressing IDS' problems. For instance, he believes that reducing false alarms is critical, but not at the expense of impeding legitimate traffic. This requires a security mixture of algorithms, signatures, stateful protocol analysis, behavior-based methodology, and correlation among other network areas -- a mixture found more often in IPS solutions.
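The multi-method approach this paragraph and the earlier false-alarm paragraph describe, as an added example in Python that is not from the article or from any vendor named in it: a stateless signature sensor beside a simplified in-line engine that drops a packet only when session state, a signature and a per-source rate rule agree. The packet trace, the signature marker, the two-packet handshake and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque

SIGNATURE = b"/default.ida?"         # constructed marker for a Code Red style request
RATE_WINDOW_S, RATE_LIMIT = 1.0, 20  # behaviour rule: packets per source per window

def pkt(t, src, dst, flags, payload=b""):
    return {"t": t, "src": src, "dst": dst, "flags": flags, "payload": payload}

class StatelessIDS:
    """Classic passive sensor: alerts on any packet that carries the signature."""
    def inspect(self, p):
        return "alert" if SIGNATURE in p["payload"] else "pass"

class InlineIPS:
    """Drops a packet only when session state, signature and rate rules agree."""
    def __init__(self):
        self.established = set()        # (src, dst) pairs past the handshake
        self.seen = defaultdict(deque)  # src -> timestamps inside the rate window

    def _rate_exceeded(self, p):
        q = self.seen[p["src"]]
        q.append(p["t"])
        while p["t"] - q[0] > RATE_WINDOW_S:
            q.popleft()
        return len(q) > RATE_LIMIT

    def inspect(self, p):
        key = (p["src"], p["dst"])
        if self._rate_exceeded(p):      # behaviour-based rule: one source flooding
            return "drop"
        if p["flags"] == "SYN":         # simplified handshake: client SYN, then ACK
            self.established.discard(key)
        elif p["flags"] == "ACK" and not p["payload"]:
            self.established.add(key)
        elif SIGNATURE in p["payload"]:
            # A signature hit outside any established session never reaches the server: noise.
            return "drop" if key in self.established else "pass"
        return "pass"

# Constructed trace: a normal request, an out-of-session packet that merely
# contains the signature, a real in-session hit, then a SYN flood from one host.
TRACE = [
    pkt(0.00, "10.0.0.5", "web", "SYN"),
    pkt(0.01, "10.0.0.5", "web", "ACK"),
    pkt(0.02, "10.0.0.5", "web", "PSH", b"GET /index.html HTTP/1.0\r\n"),
    pkt(0.50, "10.0.0.9", "web", "PSH", SIGNATURE + b"XXXX"),
    pkt(1.00, "10.0.0.7", "web", "SYN"),
    pkt(1.01, "10.0.0.7", "web", "ACK"),
    pkt(1.02, "10.0.0.7", "web", "PSH", b"GET " + SIGNATURE + b"NNNN HTTP/1.0\r\n"),
] + [pkt(2.0 + i * 0.01, "10.0.0.3", "web", "SYN") for i in range(RATE_LIMIT + 1)]
```

Run both engines over TRACE: the stateless sensor raises two alerts, one of them on the out-of-session packet, and says nothing about the flood; the in-line engine drops only the in-session hit and the packet that pushes the flooding host over the rate limit.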

"What we think will happen, by the end of next year, [is that] IPS will really have impacted the firewall and IDS market," Pescatore remarks. "That's when Cisco would swoop in, maybe a CheckPoint, but people like Nortel and F5 -- even Nokia -- will be going after this market by some real high-end, multigigabit products sold to carrier-class networks." In turn, he says IDS vendors must embrace the dawn of IPS and morph their offerings into firewall schemes; those who don't accept IPS are living on borrowed time.

Hession also sees firewalls, IDS, and IPS as complementary components of a security strategy; dropping IDS completely would be a bad idea without a great firewall in place, but the advantages of IPS mean IDS' role in the enterprise will change.

"If [companies] go with IPS, is this a replacement for a firewall? My answer is absolutely not," explains Hession. "Firewalls are tuned and built and designed to do [that] type of filtering and screening and access control; IPS and IDS are not."

F5 already envisions its BIG-IP product becoming the control plane of IPS, allowing customers to block traffic while F5 partners serve as the interface that communicates with BIG-IP, says Erik Giesa, senior director of product management at Seattle-based F5.

Meanwhile, Cisco has been much more aggressive about its IPS intentions, bolstered by the purchase of host-based IPS vendor Okena Inc. earlier this year. Other acquisitions also play into a vision of converged network and security services: The hardware maker's purchase of Psionic is designed to reduce false positives, and its scalability push is evidenced by its recent Catalyst IDS module announcement.

"Our customers have told us for some time that although they understand intrusion prevention, they don't yet trust the technology to act autonomously and take actions for them to make the right decisions on good and bad traffic," explains John McFarland, manager of security appliances for the VPN and security business unit at San Jose, Calif.-based Cisco.

The benefits of IPS are clear, but its true test will be in living up to its promise in dealing with real-world security threats. IPS' home for now is in stand-alone appliances and solutions, but the reactions of IDS vendors show that IPS' future likely lies in an integrated solution, whether it be an IDS-IPS combination, a firewall, or another piece of infrastructure.

"What you're asking of [IPS] technology is to sit in the network, make decisions, and affect packet flow, which are all functions of a network device," McFarland says. "[IPS] is not a one-trick pony game. It's a comprehensive solution."
