The term “security bulletin” is becoming something of a misnomer, as reports of holes, and of worms and viruses taking advantage of those holes, are becoming part of the daily IT routine. It's not enough to be alerted when problems occur; IT managers must find a way to stop attacks before they reach the network.
Enter IPSes (intrusion prevention systems).
IPSes are often built from the same technology base as IDSes (intrusion detection systems), but they differ radically from their forebears.
IDS devices sit on a monitor port and simply report problems. IPS devices, in contrast, operate inline, often at wire speed, and are tuned to drop bad traffic from the network. The emerging IPS market, therefore, will have a far-reaching and significant impact on firewalls and on patch management and anti-virus systems. IPS devices also will blur the line between network and security management as distinct job functions.
IPS appliances began appearing in 2002, and they are still relatively pricey—systems sell for as much as $100,000. In addition, most IPS devices must be used in conjunction with a firewall at the perimeter. This means adding not only capital expense but also ongoing management and maintenance costs. However, a high-end IPS product will have a lower overall management cost than an IDS device: While an IPS device takes action, IDS products usually just send an alert to an IT staff person, who must then evaluate the alert and take action.
The advances by IPS makers including TippingPoint Technologies Inc., McAfee (a business unit of Network Associates Inc.) and NetScreen Technologies Inc. have been made possible by two things.
One, there have been incredible leaps in the performance of underlying hardware components, such as field-programmable gate arrays and ternary content-addressable memory. Two, the ability of IPSes to detect bad traffic is very advanced—far beyond the signature-based detection that is the hallmark of many IDS tools. IPS tools today can process packet contents, not just the headers, and product designers are getting much better at tracking the state of network connections and thwarting DoS (denial-of-service) attacks by quickly identifying malicious connections.
Even with these advances, IPS devices often fall short of the marketing hype of set-and-forget operation. IPS tools need to be periodically tuned so that good traffic is not inadvertently dumped. This task can be extremely difficult because no two companies are the same, and there is virtually no traffic that is inherently bad or good.
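The three points above (inline drop-versus-alert, inspection of payloads and connection state rather than headers alone, and the site-specific tuning needed to keep good traffic flowing) are easiest to see in code. The following is an added example written for this page, not code from eWEEK Labs or from any IPS vendor mentioned here. Its packets, addresses, content signatures, SYN threshold and exception list are all constructed for illustration; a real product would derive them from a live capture and a vendor signature feed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # simplified TCP flags: "S", "A", "PA", "FA", "R"
    payload: bytes = b""


# Constructed content signatures: (destination port, byte pattern, name).
# Payload patterns, not header fields, are what distinguish this from a header-only filter.
SIGNATURES = [
    (80, b"../", "http-directory-traversal"),
    (80, b"/etc/passwd", "http-sensitive-file-request"),
]


class InlineInspector:
    """Toy stateful inspection engine.

    mode="ids": monitor-port behaviour, every packet passes and matches are only reported.
    mode="ips": inline behaviour, matches are dropped.
    """

    def __init__(self, mode="ips", syn_threshold=5, exceptions=()):
        assert mode in ("ids", "ips")
        self.mode = mode
        self.syn_threshold = syn_threshold        # unanswered SYNs per source before we call it a flood
        self.exceptions = set(exceptions)         # tuning: (src, signature name) pairs known-good at this site
        self.half_open = defaultdict(int)         # src -> SYNs without a completed handshake
        self.established = set()                  # (src, dst, dport) seen to finish a handshake
        self.alerts = []

    def _flag(self, pkt, reason):
        self.alerts.append((reason, pkt.src, pkt.dst, pkt.dport))
        return "drop" if self.mode == "ips" else "alert"

    def inspect(self, pkt):
        conn = (pkt.src, pkt.dst, pkt.dport)
        # 1. Connection-state tracking (also the basis of the DoS check).
        if pkt.flags == "S":
            self.half_open[pkt.src] += 1
            if self.half_open[pkt.src] > self.syn_threshold:
                return self._flag(pkt, "syn-flood")
            return "pass"
        if pkt.flags == "A" and conn not in self.established:
            if self.half_open[pkt.src] == 0:
                return self._flag(pkt, "out-of-state")   # ACK with no prior SYN from this source
            self.half_open[pkt.src] -= 1                 # handshake completed
            self.established.add(conn)
            return "pass"
        if conn not in self.established:
            return self._flag(pkt, "out-of-state")       # data on a connection we never saw open
        if pkt.flags in ("F", "FA", "R", "RA"):
            self.established.discard(conn)
            return "pass"
        # 2. Payload inspection, with per-site exceptions applied during tuning.
        for port, pattern, name in SIGNATURES:
            if pkt.dport == port and pattern in pkt.payload:
                if (pkt.src, name) in self.exceptions:
                    continue                             # known false positive for this source
                return self._flag(pkt, name)
        return "pass"


def run(mode, packets, exceptions=()):
    """Feed a packet list through the engine; returns (verdicts, alerts)."""
    engine = InlineInspector(mode=mode, exceptions=exceptions)
    return [engine.inspect(p) for p in packets], engine.alerts


def handshake(src, dst, dport):
    return [Packet(src, dst, dport, "S"), Packet(src, dst, dport, "A")]


# Constructed sample traffic against a web server at 192.0.2.10.
SAMPLE = (
    handshake("10.0.0.5", "192.0.2.10", 80)
    # internal app that legitimately uses a relative path: a false positive until tuned
    + [Packet("10.0.0.5", "192.0.2.10", 80, "PA", b"GET /export?path=../archive/2003 HTTP/1.1\r\n")]
    + handshake("203.0.113.7", "192.0.2.10", 80)
    + [Packet("203.0.113.7", "192.0.2.10", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n")]
    + [Packet("203.0.113.9", "192.0.2.10", 80, "PA", b"GET / HTTP/1.1\r\n")]   # no handshake
    + [Packet("198.51.100.4", "192.0.2.10", 80, "S") for _ in range(7)]       # SYN flood
)

if __name__ == "__main__":
    verdicts, alerts = run("ips", SAMPLE, exceptions=[("10.0.0.5", "http-directory-traversal")])
    print(verdicts)
    print(alerts)
```

Run it once in "ids" mode and once in "ips" mode with the same packets: the match list is identical, but only the inline run changes what reaches the server. Then run the "ips" mode with and without the exception for 10.0.0.5 to see why the tuning step in the text is unavoidable: the same "../" signature that stops the external request also stops the internal application's legitimate one until the site-specific exception is in place.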
This tuning time will be well worth the effort because each attack that is added to the IPS is traffic that is stopped from reaching a vulnerable system. Although we haven't seen a study specifying the cost savings associated with implementing an IPS, we do know that stopping an attack as close to the source as possible reduces remediation and management costs. In particular, a network IPS should be able to eliminate DoS traffic at the perimeter of an organization's network.
IPSes will also give IT staff a little breathing room when it comes to patch management. eWEEK Labs testing and research have shown that an IPS can protect unpatched systems from attack. Of course, systems should still be patched, but an IPS will give IT staff more time to carefully test and schedule patch rollouts.
We think IT managers should look at IPS tools as one emerging, and promising, way to clear junk off the wire while letting other security tools control access to the network.
We also recommend that IT managers take a long, hard look at the changing security landscape.
Security policy setting is likely to move up the food chain, with day-to-day security operations merging into the general IT department. Management tools that govern IPS devices are just as important as the “speeds and feeds” capabilities of the devices themselves.
The ability to securely distribute an update to IPS devices scattered throughout the enterprise, especially as the devices gain specialized protection features, will often depend on whether the IPS is installed at the network perimeter or inside the data center.
One of the most basic questions that must be answered before evaluating an IPS is how much traffic is on the network, both at the perimeter and in the data center. Most IPS makers offer a family of products for meeting a variety of needs, including devices with multigigabit speeds for data center use.
Another factor that IT managers should consider before evaluating an IPS is the amount of change likely to occur in the network, especially changes in traffic types. The more that traffic types change, the more difficult it will be to effectively implement an IPS.
Most security systems, from firewalls to VPNs, work better when network change is restricted. However, this holds especially true for IPSes: Because traffic filters must be retuned whenever a new traffic type is added to the network, an IPS could become a roadblock to fast network changes.
Even so, we think network IPSes will have a positive impact on network security and ultimately make IT management easier.
Senior Analyst Cameron Sturdevant can be contacted at firstname.lastname@example.org.