Security customers are not the only ones debating
whether intrusion prevention systems can deliver on their promises
of preventive security - IDS suppliers are also trying to figure
out how to deal with a technology that threatens the core of their
business strategy.
Indeed, the supremacy of IDSs is being tested by security
customers' demands for a faster, more efficient, and proactive form
of intrusion prevention for their networks. Customers are also
experiencing difficulty in discerning between true IPSes (intrusion
prevention systems) and watered-down versions, as well as
considering the complexity of marrying in-line IPS with various
network processes.
But there's no mistaking the attractive glow of intrusion
prevention that works - IT still salivates over the idea of
preventing attacks before they become enterprise-wide disasters,
although they are more cautious about putting too much trust in
security systems that make large promises.
As IPS technology matures, security experts predict that IDS and
firewall protection will eventually become one, IPS appliances will
multiply, and traffic inspection and switch hardware suppliers -
such as Cisco Systems, F5 Networks and Nortel Networks - stand
poised to claim the IPS crown.
Prevention gets the nod
Some analysts, including Gartner, are advising customers to hold
off on making large network IDS investments in favour of
investigating the merits of IPS. Organisations already bound to
IDS investments and drowning in false positives should look to
security management suppliers such as ArcSight and NetForensics
to restore control, says John Pescatore, vice president of
Gartner.
"We think IDS is dead. It's failed to provide enterprise value,"
Pescatore says. "In order for it to survive, it has to go faster,
at wire speed, and it has to solve the false-alarm problem."
False alarms - a notorious bane of IDS - can be a troublesome
burden when the lack of internal security expertise and
ever-tightening budgets push security event prioritisation to the
forefront. IPS cuts down on false positives by sitting in-line and
combining several detection methods, including protocol and packet
identification, to uncover sudden or extreme traffic pattern
changes (such as in a denial-of-service attack) or deviations from
a set policy.
The scramble by security suppliers to institute successful IPS is
buoyed by a number of devastating security breaches and costly
virus cleanups during the past year to 18 months - events that
became the last straw for many customers.
IPS supplier TippingPoint's network-based Unity2000 device,
which searches for and pushes threat profiles to the appliance, on
a trial basis.
TippingPoint's UnityOne IPS product features a security
processing engine that handles network packets and is capable of
processing all header information in packets at very high speeds.
To stop computer attacks by dropping packets as soon as a threat is
detected, an IPS solution must be part of the network
infrastructure with microsecond latency, says Marc
Willebeek-LeMair, chief technology officer of TippingPoint.
"Because IPS has two letters in common with IDS, we're always
thought of as the next generation of that product line, and we're
actually very different," adds Willebeek-LeMair. "[Attacks] are not
just perimeter-based but also internal. IPS is effective when you
can put it into your network fabric and block attacks coming at it
from any direction. It's not just your WAN access point
anymore."
Not all peaches and cream
IPS may be making headlines, but some IDS stalwarts such as
Internet Security Systems (ISS) question the forecasted abandonment
of IDS and customers' need to achieve greater network protection
speeds.
"Just because you put a lock on your front door doesn't mean you
throw out the burglar alarm system," says Chris Klaus, CTO of ISS.
"When you look at what people are connecting to the internet with,
it's nowhere near gigabit."
However, there's no denying that IPS is putting pressure on the IDS
market to take a good look at its own strategies. Klaus says ISS,
for one, is moving from a reactive to a proactive security mantra
through its heavy managed services initiative by keying on servers,
desktops, OS log analysis, and forensics information.
Having been burned before on complicated security projects and
unfulfilled promises of other "silver bullet" security fixes such
as PKI, IPS faces an enormous challenge to win over sceptical
customers, says Lloyd Hession, chief security officer of Radianz, a
financial services extranet. The complexity associated with deeper
inspection and sitting directly in the line of traffic means an IPS
solution can't just be dropped in and plugged in, but must become
yet another element in a potentially congested network.
"The mantle has been passed to new IPS products, but the problem is
the risk of these products, and the downside is they're potentially
dangerous because they are more complex and in-line," Hession
explains. "Once you introduce into a production environment another
single point of failure, a device that is no longer passive, then
the reliability of your whole production environment is potentially
impacted by that device that is in-line."
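To make concrete what an in-line device does and why its failure matters, here is an added illustration in Python. It is not code from the article or from any vendor named in it; it is a toy in-line IPS that combines the two detection styles the article describes (a set policy, and sudden traffic-rate changes such as a denial-of-service burst) and models the in-line failure mode Hession warns about: when the engine itself fails, a bypass setting decides whether the device fails open (forwards everything, losing protection) or fails closed (drops everything, losing the link). The packet format, the one-second window, the baseline and burst-factor thresholds and all traffic are constructed assumptions.

```python
# Added illustration, not code from the article or any vendor named in it.
# A toy in-line IPS: every packet passes through inspect(), which either
# forwards or drops it. Policy check and rate check are the two detection
# styles the article describes; engine_ok / fail_open model the in-line
# single-point-of-failure concern. All traffic below is constructed.
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ts: float      # arrival time in seconds (constructed)
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int


@dataclass
class InlineIPS:
    allowed: frozenset              # permitted (proto, dport) pairs: the set policy
    window: float = 1.0             # seconds of history kept for the rate check
    baseline_pps: float = 50.0      # assumed normal packets/second on this link
    burst_factor: float = 5.0       # how far above baseline counts as "extreme"
    fail_open: bool = True          # on engine failure: forward (True) or drop (False)
    engine_ok: bool = True
    recent: deque = field(default_factory=deque)

    def _policy_violation(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dport) not in self.allowed

    def _rate_anomaly(self, pkt: Packet) -> bool:
        # Sliding window of arrival times; evict anything older than `window`.
        self.recent.append(pkt.ts)
        while self.recent and pkt.ts - self.recent[0] > self.window:
            self.recent.popleft()
        pps = len(self.recent) / self.window
        return pps > self.baseline_pps * self.burst_factor

    def inspect(self, pkt: Packet) -> tuple[str, str]:
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if not self.engine_ok:
            # The device is no longer passive: its own failure decides the fate
            # of all traffic. Fail-open keeps the link up at the cost of
            # protection; fail-closed keeps protection at the cost of uptime.
            return ("forward" if self.fail_open else "drop", "bypass")
        if self._policy_violation(pkt):
            return ("drop", "policy")
        if self._rate_anomaly(pkt):
            return ("drop", "rate")
        return ("forward", "ok")


def constructed_traffic() -> list[Packet]:
    """Constructed sample: 20 HTTPS packets, one telnet attempt, a 400-packet UDP burst."""
    pkts = [Packet(i * 0.05, "10.0.0.2", "10.0.0.9", "tcp", 443) for i in range(20)]
    pkts.append(Packet(1.5, "10.0.0.7", "10.0.0.9", "tcp", 23))   # not in policy
    pkts += [Packet(2.0 + i * 0.002, "10.0.0.13", "10.0.0.9", "udp", 53)
             for i in range(400)]                                  # DoS-like burst
    return pkts


def run_simulation(fail_open: bool = True) -> dict:
    """Run the constructed traffic through the IPS and tally verdict reasons."""
    ips = InlineIPS(allowed=frozenset({("tcp", 80), ("tcp", 443), ("udp", 53)}),
                    fail_open=fail_open)
    tally = {"ok": 0, "policy": 0, "rate": 0, "bypass": 0}
    for pkt in constructed_traffic():
        _, reason = ips.inspect(pkt)
        tally[reason] += 1
    # Simulate an engine fault, then one more packet to show the bypass decision.
    ips.engine_ok = False
    verdict, reason = ips.inspect(Packet(3.0, "10.0.0.2", "10.0.0.9", "tcp", 443))
    tally[reason] += 1
    tally["bypass_verdict"] = verdict
    return tally


if __name__ == "__main__":
    for mode in (True, False):
        print("fail_open=%s -> %s" % (mode, run_simulation(fail_open=mode)))
```

With the constructed traffic, the 20 normal packets and the first 250 burst packets are forwarded, the telnet packet is dropped on policy, and the remaining 150 burst packets are dropped once the one-second window exceeds 250 packets (baseline 50 pps times burst factor 5). The final packet shows the bypass decision: forwarded under fail-open, dropped under fail-closed. Note that dropped packets are still counted in the window, since they are still traffic the device observed.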
According to Hession, IPS has not had nearly the amount of time
needed to "work out the kinks" and develop maturity - but neither
has IDS.
"The problem the [security] industry has at the moment is that
these are not integrated enterprise solutions," he adds. "These are
point solutions which are incremental, and have costs that CIOs
(must face). It's a challenge. We can't keep going down the path
with point products."
IDS in the hot seat
Further muddying the IPS waters, Pescatore notes an alarming level
of "snake oil" IPS solutions, in which IDS-oriented suppliers adopt
a new IPS identity that does not properly address IDS'
problems.
For instance, he believes that reducing false alarms is critical
but not at the expense of impeding legitimate traffic. This
requires a security mixture of algorithms, signatures,
behaviour-based methodology, and correlation among other network
areas - a mixture found more often in IPS solutions.
"What we think will happen, by the end of next year, IPS will
really have impacted the firewall and IDS market," Pescatore
remarks. "That's when Cisco would swoop in, maybe a Check Point, but
people like Nortel and F5 - even Nokia - will be going after this
market by some real high-end, multigigabit products sold to
carrier-class networks."
In turn, he says IDS suppliers must embrace the dawn of IPS and
morph their offerings into firewall schemes; those who don't accept
IPS are living on borrowed time.
Hession also sees firewalls, IDS, and IPS as complementary
components of a security strategy; dropping IDS completely would be
a bad idea without a great firewall in place, but the advantages of
IPS mean IDS' role in the enterprise will change.
"If companies go with IPS, is this a replacement for a firewall? My
answer is absolutely not," explains Hession. "Firewalls are tuned
and built and designed to do that type of filtering and screening
and access control; IPS and IDS are not."
F5 already envisions itself becoming the control plane of IPS,
allowing customers to block traffic while F5 partners serve as the
interface that communicates with F5's BIG-IP product, says Erik
Giesa, senior director of product management at F5.
Meanwhile, Cisco has been much more aggressive about its IPS
intentions, bolstered by the purchase of host-based IPS vendor
Okena earlier this year. Other acquisitions also play into a vision
of converged network and security services: The hardware maker's
purchase of Psionic is designed to reduce false positives and its
scalability push is evidenced by its recent Catalyst IDS module
announcement.
"Our customers have told us for some time that although they
understand intrusion prevention, they don't yet trust the
technology to act autonomously and take actions for them to make
the right decisions on good and bad traffic," explains John
McFarland, manager of security appliances for the VPN and security
business unit at networking giant Cisco.
The benefits of IPS are clear, but its true test will be in living
up to its promise in dealing with real-world security threats. IPS'
home for now is in standalone appliances and products, but the
reactions of IDS suppliers show that IPS' future is likely to
lie in an integrated solution, whether it be an IDS-IPS
combination, a firewall, or another piece of infrastructure.
"What you're asking of [IPS] technology is to sit in the network,
make decisions, and affect packet flow, which are all functions of
a network device," McFarland says. "IPS is not a one-trick pony
game. It's a comprehensive solution."