Cybersecurity may not be on everyone's mind at every waking moment, but that doesn't stop the evolution of defensive measures. Intrusion prevention technologies are the latest outgrowth of attempts to thwart those bent on subverting -- or at least disabling -- enterprise networks. InfoWorld's Test Center Technical Director Tom Yager and Senior Analyst P.J. Connolly square off over the value of intrusion prevention systems.
TY: At a time when a desktop PC can outsmart a human chess master, it seems ludicrous that network security remains a largely manual endeavor. Systems, software, and appliances are getting smarter by the day at spotting patterns of access that point to the risk of intrusion. Yet IT seems reluctant to take the next step and grant intelligent assets the right to protect themselves. Instead, the intrusion prevention system in place at most companies is flesh and blood, not silicon. It no longer makes economic sense to pay someone to sift through access logs and shag pager alerts.
Outsourcing isn't the answer here. Automation is. I realize, P.J., that you're part of the cadre of warlocks that has an interest in keeping security mysterious. But your secret is out: Much of what consultants, in-house security teams, and outsourcing firms do can -- and should -- be automated. Having your router page you at 3 a.m. to ask, "Someone's pointing a gun at my head -- is that bad?" might feel like job security. In reality, it's no kind of security. I'm not saying that companies don't need security brains, I just think they're too often wasted fighting fires that could put themselves out.
PJ: Tom, I think all the extra travel you've been doing lately has softened your brain. The way networks are built and applications are designed means that it's impossible to prevent intruders from entering. Well, there is one way -- unplug your WAN link. I know that sounds like a joke, but I'm dead serious. In the event of a network penetration, the single most effective countermeasure is to apply wire cutters to all data cables entering the facility. Unfortunately, that's a hard pill to swallow.
But there's not much else that one can do to "prevent" a networked intruder. Data networks aren't like physical structures that can be defended with a big dog, razor wire, and a shotgun. Even the most restrictive firewall policy is going to let some kinds of traffic through, and intruders simply have to disguise their packets as valid ones. After all, it's not as though businesses can block ports 80 and 443 -- those reserved for HTTP and HTTPS -- for any length of time, no matter what the threat may be.
TY: We agree on that point: Every asset on the Internet will get hacked or at least sniffed. But that fact leads too many IT people to make the illogical leap that they should focus their efforts on post-mortem dissection. In other words, identify the door through which the network has already been breached and close it.
The fear is that an automated intrusion prevention system will inconvenience users. Humans are in the loop precisely because a company can't afford to take its entire Web, e-mail, or file/print operation offline in response to a suspected attack. But it isn't an all-or-nothing deal. An automated security system needn't shut down all traffic on a given port every time it senses trouble. It can selectively cut off only vulnerable services such as Web-based administration and remote database access.
And in extreme cases, why not let the system pull the plug on everything? I'm sure students and faculty at the University of Texas would rather have suffered a few hours without online class registration than have their identities swiped. We accept the inconvenience caused by false positives in automated anti-virus and spam-blocking solutions. What makes this any different?
PJ: All I've seen so far are some point solutions, slide decks, and white papers. Device-managed intrusion prevention -- some refer to it as "active intrusion detection" -- is disruptive and can cause more trouble than it prevents. For example, if I'm running an attack against company XYZ, I'm going to pass myself off as something else, say a government body or university. Now I have two choices: impersonate that entity's network or, more effectively, compromise a host or three at Whatsamatta U. and use that as a launch pad for my assault. Either way, Company XYZ's active defense can only see an attack coming from What-U and block all traffic from that source, legit or not.
The problem here is that the vendors pushing intrusion prevention are missing the human element. As an admin, I want to know what's going on in my network, but I insist on having the final say about what comes through the firewall and what travels on my wires. That's a responsibility that I can't delegate to a box.
TY: But you should trust it to a box, P.J., and then hold that box's maker responsible for keeping up with threats. You can't make a full-time job of doing manual threat pattern recognition and dynamic response adaptation. Aren't those ideal jobs for ultrafast modern computers and the custom chips that peek inside network packets at full wire speed? Products from big players such as Cisco and IBM and small, innovative players such as FortiNet can do far more on their own than IT typically asks of them.
It's time to set security workers' turf preservation and overblown worries about user inconvenience aside. Intrusion prevention solutions won't get smarter until IT starts trusting them. There is no realistic alternative.
PJ: I'm not looking for miracles, but like our readers, I'm also not inclined to spend a lot of time on products that don't offer me some tangible return, or whose fundamental architecture leaves large categories of vulnerabilities unaddressed. The problem with relying on behavior analysis -- the popular alternative to signature-based defenses -- is that if an attack doesn't cause unusual behavior, it passes. That doesn't mean that any effort to apply behavioral analysis is invalid, just that it must be applied as part of a comprehensive approach to security.
Any successful defense will include signature-based methods and behavioral analysis as well as more traditional methods including restrictive firewall configuration and properly crafted access controls. But more importantly, an appropriate defense will incorporate an understanding of the network and the applications that run over it. After all, it's impossible to identify what's malicious if you can't tell what's benign.
At the same time, application designers have to start coding with an eye to traversing multiple defense layers securely. Assuming that everyone is on the same segment is so 20th-century. Ultimately, it's best to remember that security is not a product, but rather a process.