From intrusion detection to intrusion prevention

Intrusion prevention seems the next logical step in enterprise security. Turning the intrusion-detection systems developed for spotting attacks into more useful products that stop intruders cold might even be considered a no-brainer.

One thing is for certain, intrusion prevention is creating more than a little buzz among security watchers these days. Startups are to thank for the excitement.

"We're seeing these little companies coming up with innovative techniques that threaten the older established markets," says John Pescatore, research director for Internet security at Gartner Inc.

In the offing are tools that meld the best of firewall, IDS, antivirus and vulnerability-assessment technologies with the intent of preventing attacks automatically. The emphasis is on the automation, Pescatore says.

"If the intrusion-detection function or the antiviral-detection function says this is an attack, and the vulnerability-assessment function confirms that the network is vulnerable to that attack, the firewall blocks it or shunts the packet off to some safe destination, thwarting the attack," he explains.

Sounds good. But before such a scenario can occur, two big problems need ironing out. Intrusion-prevention vendors have to find a way to eliminate false positives, and they have to figure out how to run the devices inline without creating network bottlenecks. Plus, the technology needs legitimization.

The latter will come once big players such as Cisco, Computer Associates and IBM jump into the market - by grabbing up the start-ups, of course, Pescatore says. This in turn, will get the attention of security vendors such as Check Point Software, Internet Security Systems (ISS) and Trend Micro - which lead the firewall, IDS and antivirus markets today. Such established security vendors will be at risk if they, too, don't eventually move into intrusion prevention, he says.

A thorny problem

But the big players probably won't make a move till the start-ups work out the technology kinks.

False positives are thorns in the sides of so many traditional IDSs because, if improperly configured, they will register attacks as legitimate even if those attacks have no bearing on the network. For example, an IDS on a network of Apache Web servers must be told not to register attacks to Microsoft Internet Information Server, otherwise it will issue an alarm when it sees an IIS attack. Similarly, IDS must be updated with patch information when a flaw is fixed. If it isn't updated, the IDS will set off an alarm if it registers attacks against that flaw, even if the flaw has been patched.

False positives from an IDS are irritating, because they can quickly swamp the network with nearly constant alerts. But they can be downright disastrous from an intrusion-prevention tool.

Say, for example, your intrusion-prevention tool flags legitimate traffic as malicious, a false positive that happens at times when intrusion-detection system are set to look for traffic anomalies.

"Sometimes a valid business transaction may act like an attack," says Van Nguyen, director of global security at American Presidential Lines, an ocean shipping company in Singapore. He speaks from experience. "In the past, our network-based IDS has flagged our back-up software as a legitimate attack. I definitely would not want my IDS sending TCP resets and blocking traffic automatically!"

But the answer doesn't lie in proper configuration alone, users and vendors say. Rather, before an IDS can work in prevention mode, it has to support a variety of detection techniques, including the traditional signature detection, and it must be fully integrated with a vulnerability-assessment tool.

And the start-ups addressing intrusion prevention are doing just that. Their products employ multiple detection techniques, such as signature, stateful inspection and protocol anomaly. Moreover, their products integrate with firewalls, IDS and vulnerability assessment.

In particular, Pescatore points to developments from IntruVert Networks, iPolicy Networks, OneSecure and TippingPoint Technologies.

"These start-ups are charging the hill with pretty good technology approaches," Nguyen says.

These approaches, the vendors say, let them run inline in the network, blocking malicious traffic in real time. This is a marked change from traditional IDS, which run passively, watching the network traffic as it goes by and delivering reports after the fact based on what they see.

"Inline intrusion detection puts the intrusion-detection system inline like a firewall," says Martin Roesch, CTO at intrusion-prevention firm Sourcefire and co-inventor of the Snort open source IDS. "The IDS makes decisions about whether to pass packets or not, much like a firewall but with the smarts of an IDS. This goes beyond basic blocking because you actually can intervene on a session that's been established, and if you see a buffer overflow, you can stop it from completing. You can actively prevent attacks," he says.

Intrusion prevention is similar, but it also encapsulates firewall, antivirus and vulnerability-assessment capabilities.

The problem with inline intrusion prevention is that it tends to become a network bottleneck, in much the same way firewalls can be. All network traffic needs to flow through these devices, and if they don't operate quickly enough, they drop packets.

In fact, speed is a main criterion for intrusion-prevention wares, Pescatore says. "They can't be the bottleneck," he says. "They have to work at wire speed."

Again, the start-ups appear to appreciate that. Most say their products work at gigabit speeds and are steadily improving performance.

Is it enough?

So now we have these new devices meant to limit false positives, use a variety of detection techniques, integrate with vulnerability assessment and antivirus tools, and sit inline and automatically block intrusions at wire speed - at prices comparable to IDS. Does such functionality make intrusion prevention a sure thing?

Not likely, users and analysts say.

"You can do behavioral analysis, anomaly detection and all sorts of different ways of picking up traffic on the network, but chances are, there is always going to be something that gets by you. They're not 100% solutions," Roesch says.

"That's one of the risks of falling for pure prevention as a sufficient technique by itself," says Nguyen, whose primary prevention tool is NFR Security's SilentRunner, a network diagnostics and forensics package that provides graphical views of network traffic, culled from IDS, firewalls and other network devices, and makes recommendations about closing vulnerabilities. "While many of the technologies are effective, you are completely vulnerable to the things they don't stop."

Greg Hinkel, technology lead for computer security at Oak Ridge National Laboratories (ORNL), a Department of Energy national laboratory in Oak Ridge, Tenn., and longtime intrusion detection and prevention user, agrees. "You can't just set the IDS and forget it. You have to tune it to your environment, and then keep revisiting it as things change on your network. You have to constantly be touching these things," he explains, noting that ORNL uses Snort and ISS's RealSecure IDS, and homegrown prevention tools tailored specifically to its network.

As with any technology, the tool is only as good as the person operating it, Hinkel stresses. You can't use technology to solve everything," he says. "You have to take people into account. Educate the users, have a real and knowledgeable person studying the traffic, the logs and so on. Know your network. You can't expect some piece of hardware to fix everything for you."

Join the newsletter!

Error: Please check your email address.

More about ApacheCA TechnologiesCheck Point Software TechnologiesGartnerIBM AustraliaInternet Security SystemsIntruvert NetworksISS GroupLogicalMicrosoftNFR SecurityOneSecureSecurity SystemsTippingPointTrend Micro Australia

Show Comments

Market Place