Net security may rest with intrusion prevention

Jan. 25, 2003, isn't a day that will live in infamy for most of the world, but it should be a day that sticks in the minds of network architects who design and manage enterprise-class networks.

That's the day the MS-SQL Slammer virus struck hard at 5:30 GMT, pushing latency across the Internet to 20 percent, more than 20 times its normal level. Slammer blasted through an estimated half-million vulnerable servers by week's end, according to one Network World news account, wreaking havoc inside corporate intranets, disrupting e-commerce and even causing a global Internet slowdown.

Now more than two months after the debacle, network architects are faced with what to do about malicious attacks such as the one SQL Slammer created. Intrusion-detection systems that acted like the front line of defense might have yielded some initial warning of the attacks, but companies were forced to rely upon manual efforts with access control lists to control the spread and the effect of the attack.

Maybe now architects will give a long, hard look at intrusion-prevention systems (IPS). These rapidly maturing products act to identify attack signatures and block traffic before it invades the enterprise.

While there have been some attempts to measure the performance of IPS products, none have painted an especially accurate picture of overall performance. From The Tolly Group's perspective, any benchmark of IPS products has to consider three primary factors: network performance, security accuracy and security efficiency.

Network performance cannot be conveyed by a single reading but instead is a composite of several measurements. IPS performance needs to take into account the aggregate throughput that can pass through the device, together with the amount of latency the IPS adds to traffic that is simply passing through. We also like to examine the session set-up rate of IPS devices to ensure they can nail up and tear down sessions at rates similar to LAN switches.

In the end, users want a device that can demonstrate that it handles data in real time, delivering the type of performance commonly associated with a Layer 2/Layer 3 switch.

Aside from network performance, there's security performance. Here, Tolly Group engineers typically measure and examine the number of malicious attacks that the IPS can filter. Obviously, the more attacks the device can screen, the better, but we also have to be aware of the security effectiveness. That is, any IPS tested cannot produce false negatives, which let attacks pass, or false positives, which block legitimate traffic from entering a corporation.
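As an added example (not from this column or The Tolly Group), the Python below scores a device under test on the three factors just described: network performance against a no-IPS baseline, security accuracy as the count of attacks filtered, and security efficiency as false-negative and false-positive rates. The flow records and the baseline/with-IPS readings are constructed sample values, not measured results.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One test flow replayed through the device under test (constructed sample)."""
    is_attack: bool   # ground truth: does the flow carry a known attack signature?
    blocked: bool     # IPS verdict: was the flow dropped?


def security_scorecard(records):
    """Security accuracy (attacks filtered) and efficiency (false verdicts)."""
    tp = sum(r.is_attack and r.blocked for r in records)          # attack, blocked
    fn = sum(r.is_attack and not r.blocked for r in records)      # attack, passed (false negative)
    fp = sum((not r.is_attack) and r.blocked for r in records)    # benign, blocked (false positive)
    tn = sum((not r.is_attack) and not r.blocked for r in records)
    attacks, benign = tp + fn, fp + tn
    return {
        "attacks_filtered": tp,
        "detection_rate": tp / attacks if attacks else 0.0,
        "false_negative_rate": fn / attacks if attacks else 0.0,
        "false_positive_rate": fp / benign if benign else 0.0,
    }


def network_scorecard(baseline, with_ips):
    """Composite network-performance view: each reading is compared with the
    same traffic run without the IPS inline. Both dicts carry the keys
    'throughput_mbps', 'latency_us' and 'sessions_per_s'."""
    return {
        "throughput_ratio": with_ips["throughput_mbps"] / baseline["throughput_mbps"],
        "added_latency_us": with_ips["latency_us"] - baseline["latency_us"],
        "session_rate_ratio": with_ips["sessions_per_s"] / baseline["sessions_per_s"],
    }


# Constructed sample: 4 attack flows (3 blocked, 1 missed) and 4 benign flows (1 wrongly blocked).
SAMPLE_FLOWS = [
    FlowRecord(True, True), FlowRecord(True, True), FlowRecord(True, True), FlowRecord(True, False),
    FlowRecord(False, False), FlowRecord(False, True), FlowRecord(False, False), FlowRecord(False, False),
]
# Constructed readings: the IPS sheds 8% of throughput, adds 120 us, and slows session set-up by 25%.
BASELINE = {"throughput_mbps": 1000.0, "latency_us": 50.0, "sessions_per_s": 20000.0}
WITH_IPS = {"throughput_mbps": 920.0, "latency_us": 170.0, "sessions_per_s": 15000.0}

if __name__ == "__main__":
    print(security_scorecard(SAMPLE_FLOWS))
    print(network_scorecard(BASELINE, WITH_IPS))
```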

The Tolly Group will investigate the topic of IPS performance soon; we are organizing a multivendor study on the topic. We plan to blend our testing-based performance results into our studies, and we will highlight IPS performance results in a future column.

There's a role for Network World readers, too. We're interested in learning from you what key factors should be included in any test methodology that is used to benchmark IPS products.

Remember, by banding together and putting our collective knowledge to common use, we can establish an effective testing methodology on IPS products that will give users the data they need to make intelligent deployment decisions.

Drop me an e-mail and let me know your thoughts on an IPS test methodology.

Tolly is president of The Tolly Group, a strategic consulting and independent testing company in Manasquan, N.J. He can be reached at
