There are two approaches to fighting viruses: prevention or cure. With networks, you can use an intrusion-detection system (IDS) to tell you when there is a problem or an intrusion-prevention system (IPS) to block it in the first place. The Weather Channel Interactive Inc. in Atlanta, for example, picked up suspicious activity via an IDS. For several days in a row, it detected a high amount of traffic coming in for a specific server port from 1 a.m. to 3 a.m. "My concern was that if it was a probing attack and they were doing it off shift, I had to watch out for when they did a real attack during prime shift," says Dan Agronow, vice president of technology.
This kind of after-the-fact probing is like using a thermometer to confirm that you are indeed running a fever -- much too late to prevent infection. The Weather Channel wanted to be able to react quicker and keep up with the latest attack patterns happening on the Internet. It installed UnityOne 1200 intrusion-protection appliances from TippingPoint Technologies Inc. in Austin. "Now when we get attacked, we have the forensic information we need and the ability to block it," says Agronow.
Block and tackle
Intrusion protection is one aspect of a complete defense-in-depth strategy. It supplements but doesn't replace other layers already in place.
"Don't think that these products are something that will eliminate the need for spam filters, personal firewalls or whatever else you are using," says Brian Philips, director of security at Network Systems Technology Inc. in Naperville, Ill., which provides managed networking, storage and security services. "IPS is part of a defense-in-depth strategy, not a replacement for what you already have."
IPSs address some of the shortcomings that became apparent as companies deployed IDSs. While the latter tell you there may be an attack, the former seek to block it. In that sense, an IPS is similar to a firewall, but it takes the opposite approach.
"Firewalls and network IPS, though they appear to be very close to each other, are complementary but very distinct products," says Greg Young, an analyst at Gartner Inc. "Firewalls block everything except what you explicitly allow through; an IPS lets everything through except what it is told to block."
The biggest concern with setting up an IPS is the problem of false positives: mislabeling legitimate traffic as malicious. Unlike an IDS, which sits off to the side and alerts only when it detects a potential problem, an IPS sits in-line and actively blocks traffic. Although vendors have gotten better with their identification algorithms, they are far from perfect.
"False positives are still a huge problem, so much so that it severely affects the value proposition of an IDS or IPS," says Paul Stamp, an analyst at Forrester Research Inc. "Users are still really fearful that their IPS will end up effectively performing a denial-of-service attack on their infrastructure."
To get around this, most devices are designed for a three-phase deployment. Philips describes the steps he took to set up a Sentivist 500 IPS from NFR Security Inc. in Rockville, Md., for the Multiple Listing Service that Florida real estate agents use to share property information. It took 10 minutes to install the equipment and load some IP addresses for reporting. The box then operated in bypass mode, which means it didn't block anything.
"We started by having it stop nothing, tag everything and then start turning stuff on," he says.
Tuning took place over the next eight hours. During the second phase, the IPS still didn't block anything, but it generated reports of what it would have blocked. Philips then reviewed this data and decided whether he wanted the IPS to block that type of traffic. The third step was to activate the IPS, using the rules Philips had established. He then scheduled two other follow-up sessions to further tune the blocking.
Young suggests, however, that one way to avoid false positives is to avoid tightening down rules too much. Although this means that some malicious traffic will get through, this approach still has value. "There is incredible value to be gained just from blocking the clearly bad stuff," he says. "Then they can learn more about the gray areas and decide what else they want to stop."
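The staged rollout Philips describes (tag and report first, then enforce only the rules an analyst has reviewed) and Young's advice to start by blocking only the clearly bad traffic, as an added simulation that is not from the article or from any vendor's product. Packets, rules and the "EVIL-SIG" signature are constructed for illustration; the broad SMB port rule is included to show how a noisy rule would cause a false positive if it were enforced unreviewed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Packet:            # constructed, minimal view of an in-line packet
    src: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    name: str
    matches: Callable[[Packet], bool]
    enforce: bool = False    # flipped on only after an analyst reviews reports

@dataclass
class Ips:
    rules: List[Rule]
    enforcing: bool = False  # False = phases 1-2 (tag/report), True = phase 3
    report: Dict[str, int] = field(default_factory=dict)

    def process(self, pkt: Packet) -> bool:
        """Return True if pkt is forwarded, False if dropped."""
        for rule in self.rules:
            if rule.matches(pkt):
                # Tag every hit so the report shows what *would* be blocked.
                self.report[rule.name] = self.report.get(rule.name, 0) + 1
                if self.enforcing and rule.enforce:
                    return False
        return True

    def activate(self, accepted: set) -> None:
        """Phase 3: enforce only the rules whose reports looked right."""
        for r in self.rules:
            r.enforce = r.name in accepted
        self.enforcing = True

def build_rules() -> List[Rule]:
    # Constructed rules: one narrow signature and one broad port rule that
    # also catches a legitimate nightly backup (a false positive if enforced).
    return [Rule("rpc-exploit-sig", lambda p: p.dport == 135 and b"EVIL-SIG" in p.payload),
            Rule("any-smb", lambda p: p.dport == 445)]

TRAFFIC = [Packet("203.0.113.7", 135, b"...EVIL-SIG..."),   # constructed attack
           Packet("10.0.0.5", 445, b"backup chunk"),         # legitimate backup
           Packet("10.0.0.9", 80, b"GET / HTTP/1.1")]

def run_rollout(traffic=TRAFFIC):
    ips = Ips(build_rules())
    for p in traffic:              # phases 1-2: nothing blocked, hits reported
        ips.process(p)
    report = dict(ips.report)
    ips.activate({"rpc-exploit-sig"})  # analyst declines the noisy any-smb rule
    return report, [ips.process(p) for p in traffic]
```

The report from the tag-only pass is what the analyst reviews before turning on blocking; only the narrow signature is enforced, so the backup traffic keeps flowing.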
A step beyond
Improved security isn't the only benefit from installing an IPS. Matt Merritt, vice president of operations at Beal Service Corp. in Plano, Texas, which provides administrative support to other units of Beal Financial Corp., installed TippingPoint UnityOne 2400 units as part of complying with regulatory requirements governing protection of customer information. But he also found that it cut down the load on the rest of the network. "The overall performance on our network has generally improved, due in part to TippingPoint's traffic normalization feature, which filters out bad or malformed packets," he says.
The University of Georgia's chief information security officer, Stan Gatewood, reports that putting in an IPS allowed him to see what was on the network and gain better control. "When we took a look at the network, we were shocked at the protocols that were running around out there," he says. "We can now narrow it down to the standards and protocols we will support and block the rest."
However, although these added benefits have value, the primary advantage is still the ability to block threats at the gateway, so the other layers don't need to deal with them.
"There's no reason to let Blaster into the network," says Gartner's Young.
State of the market
Broadly speaking, there are two types of IPS: network-based and host-based. A network IPS is a device that performs a deep inspection of packets as they come through, even reassembling them to examine the entire communication before passing them along.
There are three types of vendors in this area:
1. Pure-play IPS vendors, such as TippingPoint.
2. IDS companies, such as Internet Security Systems Inc., which are expanding their functionality to include blocking.
3. Firewall makers, such as Check Point Software Technologies and NetScreen Technologies, which are adding deep packet-inspection functions to create "next-generation" firewalls.
In addition, IPS functions are being added to other network devices. For example, Juniper Networks Inc. acquired NetScreen last year, and 3Com Corp. purchased TippingPoint, so you can expect to see the added security technologies incorporated into the parent firms' networking gear to block suspect traffic.
A host-based IPS, on the other hand, is software rather than an appliance and comes from different vendors. Gartner analyst Greg Young says host-based intrusion prevention for servers is a mature technology, but he advises companies to hold off for now on deploying it on the desktop.
-- Drew Robb
Five tips for selecting an IPS
Stan Gatewood, chief information security officer at the University of Georgia in Athens, uses IPSs both at the Internet gateway and at several points in his own network. He uses appliances at the gateway scaled to process the more than 2Gbit/sec. that pass through that point.
Gatewood won't disclose which model the university is using for edge protection, other than to say that it comes from either McAfee Inc., TippingPoint or Symantec Corp. -- the three vendors whose products could process that much traffic. Internally, however, Gatewood needs only 100MB of capacity, so he uses several instances of Sleuth9 software from DeepNines Inc. in Dallas on a Sun Microsystems Solaris platform.
Gatewood offers the following five criteria he used to decide which systems to install:
1. Performance. Since an IPS runs in-line, it must be able to analyze all the packets passing through it without overloading. "We needed to make sure that it would stand up to our bandwidth and not disrupt network operations," he says. "You will find that a lot of vendors will fall off once you start talking about traffic in the gigabit range."
2. Blocking algorithms. The systems need to use multiple algorithms -- signatures, behavior and policies -- to block malicious actions.
3. Analytics. It must have some intelligence built in to tell the difference between a normal event and an attack.
4. Reporting. "We must be able to quantify the usage of the IPS and generate both technical and executive reports to show it is indeed working for us," says Gatewood.
5. Interface. It needs to have a graphical user interface and a low learning curve for the IPS administrator. "We absolutely need it to be as intuitive as possible so we can have it up and running and effective as soon as possible," he says.
Gartner analyst Greg Young agrees that performance is the No. 1 criterion when selecting an IPS, but he cautions against making a decision based on a vendor's figures. Instead, a company needs to test in-house to see how it performs against its actual network traffic.
"We see customers getting very different results in terms of latency, throughput and overall IPS function," he says. -- Computerworld (US)