IPSes Ready for Prime Time

By Cameron Sturdevant  |  Posted 2004-03-29

New intrusion prevention systems, which are tuned to drop bad traffic from the network, stand ready to revolutionize network and security management—for lower management costs than their IDS predecessors.

The term "security bulletin" is becoming something of a misnomer, as reports of holes, and of worms and viruses taking advantage of those holes, are becoming part of the daily IT routine. It's not enough to be alerted when problems occur; IT managers must find a way to dump problems before they hit the network.

Enter IPSes (intrusion prevention systems).

IPSes are often built from the same technology base as IDSes (intrusion detection systems), but they differ radically from their forebears.

IDS devices sit on a monitor port and simply report problems. IPS devices, in contrast, operate inline, often at wire speed, and are tuned to drop bad traffic from the network. The emerging IPS market, therefore, will have a far-reaching and significant impact on firewalls and on patch management and anti-virus systems. IPS devices also will blur the line between network and security management as distinct job functions.

For eWEEK Labs' review of TippingPoint Technologies' UnityOne-1200, click here.

IPS appliances began appearing in 2002, and they are still relatively pricey—systems sell for as much as $100,000. In addition, most IPS devices must be used in conjunction with a firewall at the perimeter. This means adding not only capital expense but also ongoing management and maintenance costs. However, a high-end IPS product will have a lower overall management cost than an IDS device: While an IPS device takes action, IDS products usually just send an alert to an IT staff person, who must then evaluate the alert and take action.

For a case study of a company using UnityOne-200 to thwart incoming attacks, click here.

The advances by IPS makers including TippingPoint Technologies Inc., McAfee (a business unit of Network Associates Inc.) and NetScreen Technologies Inc. have been made possible by two things.

One, there have been incredible leaps in the performance of underlying hardware components, such as field-programmable gate arrays and ternary content-addressable memory. Two, the ability of IPSes to detect bad traffic is very advanced—far beyond the signature-based detection that is the hallmark of many IDS tools. IPS tools today can process packet contents, not just the headers, and product designers are getting much better at tracking the state of network connections and thwarting DoS (denial-of-service) attacks by quickly identifying malicious connections.

Even with these advances, IPS devices often fall short of the marketing hype of set-and-forget operation. IPS tools need to be periodically tuned so that good traffic is not inadvertently dumped. This task can be extremely difficult because no two companies are the same, and there is virtually no traffic that is inherently bad or good.

This tuning time will be well worth the effort because each attack that is added to the IPS is traffic that is stopped from reaching a vulnerable system. Although we haven't seen a study specifying the cost savings associated with implementing an IPS, we do know that stopping an attack as close to the source as possible reduces remediation and management costs. In particular, a network IPS should be able to eliminate DoS traffic at the perimeter of an organization's network.

IPSes will also give IT staff a little breathing room when it comes to patch management. eWEEK Labs' testing and research have shown that an IPS can protect unpatched systems from attack. Of course, systems should still be patched, but an IPS will give IT staff more time to carefully test and schedule patch rollouts.

We think IT managers should look at IPS tools as one emerging, and promising, way to clear junk off the wire while letting other security tools control access to the network.


Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
