IPSes Ready for Prime Time

New intrusion prevention systems, which are tuned to drop bad traffic from the network, stand ready to revolutionize network and security management-for lower management costs than their IDS predecessors.

The term "security bulletin" is becoming something of a misnomer, as reports of holes, and of worms and viruses taking advantage of those holes, are becoming part of the daily IT routine. Its not enough to be alerted when problems occur; IT managers must find a way to dump problems before they hit the network.

Enter IPSes (intrusion prevention systems).

IPSes are often built from the same technology base as IDSes (intrusion detection systems), but they differ radically from their forebears.

IDS devices sit on a monitor port and simply report problems. IPS devices, in contrast, operate inline, often at wire speed, and are tuned to drop bad traffic from the network. The emerging IPS market, therefore, will have a far-reaching and significant impact on firewalls and on patch management and anti-virus systems. IPS devices also will blur the line between network and security management as distinct job functions.

/zimages/4/28571.gifFor eWEEK Labs review of TippingPoint Technologies UnityOne-1200, click here.

IPS appliances began appearing in 2002, and they are still relatively pricey—systems sell for as much as $100,000. In addition, most IPS devices must be used in conjunction with a firewall at the perimeter. This means adding not only capital expense but also ongoing management and maintenance costs. However, a high-end IPS product will have a lower overall management cost than an IDS device: While an IPS device takes action, IDS products usually just send an alert to an IT staff person, who must then evaluate the alert and take action.

/zimages/4/28571.gifFor a case study of a company using UnityOne-200 to thwart incoming attacks, click here.

The advances by IPS makers including TippingPoint Technologies Inc., McAfee (a business unit of Network Associates Inc.) and NetScreen Technologies Inc. have been made possible by two things.

One, there have been incredible leaps in the performance of underlying hardware components, such as field-programmable gate arrays and ternary content-addressable memory. Two, the ability of IPSes to detect bad traffic is very advanced—far beyond the signature-based detection that is the hallmark of many IDS tools. IPS tools today can process packet contents, not just the headers, and product designers are getting much better at tracking the state of network connections and thwarting DoS (denial-of-service) attacks by quickly identifying malicious connections.

Even with these advances, IPS devices often fall short of the marketing hype of set-and-forget operation. IPS tools need to be periodically tuned so that good traffic is not inadvertently dumped. This task can be extremely difficult because no two companies are the same, and there is virtually no traffic that is inherently bad or good.

This tuning time will be well worth the effort because each attack that is added to the IPS is traffic that is stopped from reaching a vulnerable system. Although we havent seen a study specifying the cost savings associated with implementing an IPS, we do know that stopping an attack as close to the source as possible reduces remediation and management costs. In particular, a network IPS should be able to eliminate DoS traffic at the perimeter of an organizations network.

IPSes will also give IT staff a little breathing room when it comes to patch management. eWEEK Labs testing and research have shown that an IPS can protect unpatched systems from attack. Of course, systems should still be patched, but an IPS will give IT staff more time to carefully test and schedule patch rollouts.

We think IT managers should look at IPS tools as one emerging, and promising, way to clear junk off the wire while letting other security tools control access to the network.

Next Page: The changing security landscape should be considered.