Intrusion Protection Needs Balance

Protection needs to be balanced with the costs of keeping the IPS up-to-date with signatures and technology improvements.

Network-based intrusion prevention systems are coming into bloom. This is good news for IT professionals, who should consider deploying them in addition to—not instead of—deep-inspection firewalls, particularly if their companies have many remote users.

Because corporations today rely almost exclusively on the Internet and TCP/IP to communicate, they are subject to a range of assaults, including denial-of-service attacks, SYN floods and exploits designed to access such confidential data as credit card numbers and e-mail addresses.

IPS devices detect harmful or unwanted traffic and act to shut down access to network resources. They should be used not only with firewalls but also with such traditional defense systems as anti-virus and anti-spam filters, and traffic-rate-shaping tools.

Currently, Im testing the wares of several IPS vendors at eWEEK Labs. TippingPoint Technologies, Network Associates, NetScreen Technologies and Top Layer Networks have all released recently, or will soon release, new products. The products we are looking at provide log files that can be audited to show due diligence attempts to protect data from unauthorized access. This is important because regulations in HIPAA, Graham-Leach-Bliley and CAN-SPAM laws make some level of security auditing a requirement for businesses.

We know that IPS systems that deal with encrypted traffic, such as that traveling in a VPN tunnel or via HTTPS, restrain network speed. From analysis Ive done with intrusion detection systems—the progenitors of IPS—I know that vendors are driving performance close to wire speed. Even so, the performance hit—especially with the complex rules and signatures likely to be needed to protect networks from advancing attack technologies—is a vital characteristic to measure.

One area that IT managers should be particularly interested in is how well an IPS can decrypt traffic tunneling in from the outside to make sure its legitimate. Because employees commonly access corporate network resources over a VPN tunnel, the increasingly porous nature of the network perimeter is a real concern. Putting enough horsepower in the IPS to handle high volumes of encrypted traffic—-along with the management capabilities to ensure that access to the IPS is monitored and protected—are important factors in our testing.

Putting an IPS in place will hike network operation expenses. The best systems will lower these costs by reducing the need for human intervention.

People, however, are important, both those who work at the software vendor and those who strive to protect corporate systems. An IPS is far from a commodity product, and the specialized knowledge of scientists and engineers behind the products is a vital consideration when rating an IPS. Since there is a significant number of clever human beings behind many network attacks, the speed with which an IPS can adapt is a key performance measure. Even with an IPS, IT managers will miss some attacks.


Next page: A Layered Approach