
Variable detection and prevention is the only way to let
users in and keep intruders out, says Phil Cracknell
Intrusion detection software (IDS) first made a serious
impression on the European security market in the late 1990s. As
with vulnerability scanning products, how good it was depended on
where it got its database from and how often it was
updated.
IDS then languished for a few years with little variation.
Improvements in alerting, refinements in detecting false positives
and more enterprise scalability were the notable
developments.
Then industry whispers started to question what benefit could be
derived from knowing you had been attacked. It was better than
having no system at all, but surely advanced notification was
better? From this realisation, intrusion prevention software (IPS)
was born.
IDS also faced problems as network switches became more advanced
and more popular. Broadcast traffic ceased and network-based
intrusion detection was now difficult, with port-spanning or
mirroring of traffic the only solution. Host-based IDS was a
simpler and easier to manage option.
IPS faces similar challenges, but progress should be quicker
because the lessons learned from network IDS apply directly to
network IPS.
Last year saw the first systems being developed. A step up from
IDS, IPS presented the same challenges: how was it updated and who
did the research? But of more concern was a new challenge: what if
the IPS blocked a valid user?
Both IDS and IPS technologies present users with implementation,
management and configuration issues. The question is, are they
productive?
When I implemented IDS in 1998 on a live banking internet
connection, it detected more than 100 attacks every day. But on
closer examination 96 of these were false positives caused by a
variety of non-attack communications. The system still faced four
real attacks a day, but replace IDS with IPS and you would deny
access to 96 valid users.
A good IPS would block only what it was absolutely certain was an
attack - and that means allowing suspect but uncertain traffic
through. That could prove to be a management headache - I would
find it hard to convince senior management of the benefits at the
moment.
My vision is for systems to revert to IDS principles for uncertain
attacks and trigger an alert instead. The alert system should
include escalation mechanisms that can intelligently promote
suspect attacks to a higher level of notification or even
prevention.
For clear, sustained attacks, blocking traffic is the order of the
day. But responses are configurable and so suspect traffic can be
delayed, diverted or simply trigger an alert. Variable response
incorporating IDS and IPS is the future, and it has to have a new
name: intrusion management software (IMS). You heard it here
first.
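The variable-response scheme the column describes (alert on uncertain traffic, escalate a source only when suspect activity is sustained, and block outright only what the detector is near-certain about) can be sketched as a small policy engine. The Python below is an added example written for this page; it is not code from the column or from any NetSurity product. The confidence score on each event, the two thresholds, the escalation ladder and the sample addresses are all assumptions constructed for the illustration. The replayed "day" mirrors the column's 100-alerts-with-96-false-positives figure: under this policy the 96 low-confidence matches are allowed rather than blocked, the four clear attacks are blocked, and a persistent prober is promoted step by step from alert to prevention.

```python
"""Variable-response 'intrusion management' policy engine (added example).

Combines IDS-style alerting for uncertain events with IPS-style blocking
for clear attacks, escalating sustained suspect activity one rung at a time.
Thresholds, the escalation ladder, the confidence score and all sample
traffic are assumptions constructed for this illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    ALLOW = "allow"    # pass the traffic, log only
    ALERT = "alert"    # IDS-style notification; traffic still passes
    DELAY = "delay"    # rate-limit or tarpit the source
    DIVERT = "divert"  # steer the source to a quarantine segment
    BLOCK = "block"    # IPS-style prevention


@dataclass(frozen=True)
class Event:
    src: str           # source address (constructed sample values below)
    signature: str     # name of the rule that fired
    confidence: float  # detector's certainty, 0.0 to 1.0 (assumed input)


@dataclass
class Policy:
    block_threshold: float = 0.95    # only near-certain matches are blocked outright
    suspect_threshold: float = 0.50  # below this the event is treated as noise
    # escalation ladder: once N suspect events have come from one source, apply the action
    ladder: List[Tuple[int, Action]] = field(default_factory=lambda: [
        (1, Action.ALERT), (3, Action.DELAY), (6, Action.DIVERT), (10, Action.BLOCK)])


class IntrusionManager:
    def __init__(self, policy: Optional[Policy] = None):
        self.policy = policy or Policy()
        self.suspect_counts: Dict[str, int] = defaultdict(int)
        self.blocked: Set[str] = set()
        self.log: List[Tuple[Event, Action]] = []

    def decide(self, ev: Event) -> Action:
        """Map one detection event to a response and record it."""
        p = self.policy
        if ev.src in self.blocked:
            action = Action.BLOCK      # already promoted to prevention
        elif ev.confidence >= p.block_threshold:
            action = Action.BLOCK      # clear attack: block outright
        elif ev.confidence < p.suspect_threshold:
            action = Action.ALLOW      # too uncertain to act on; likely a false positive
        else:
            # suspect but uncertain: alert, and escalate only if it is sustained
            self.suspect_counts[ev.src] += 1
            seen = self.suspect_counts[ev.src]
            action = Action.ALERT
            for needed, rung in p.ladder:
                if seen >= needed:
                    action = rung
        if action is Action.BLOCK:
            self.blocked.add(ev.src)
        self.log.append((ev, action))
        return action

    def summary(self) -> Dict[str, int]:
        """Count of responses taken, keyed by action name."""
        return dict(Counter(a.value for _, a in self.log))


def run_sample_day() -> Dict[str, int]:
    """Replay a constructed day modelled on the column's figures:
    96 noisy-but-benign alerts, 4 clear attacks and one persistent prober."""
    mgr = IntrusionManager()
    events: List[Event] = []
    for i in range(96):                                   # 96 low-confidence matches
        events.append(Event(f"10.0.0.{i + 1}", "noisy-sig", 0.30))
    for _ in range(4):                                    # 4 real attacks, one source
        events.append(Event("203.0.113.9", "exploit-sig", 0.99))
    for _ in range(10):                                   # sustained suspect probing
        events.append(Event("198.51.100.7", "probe-sig", 0.70))
    for ev in events:
        mgr.decide(ev)
    return mgr.summary()


if __name__ == "__main__":
    for action, n in sorted(run_sample_day().items()):
        print(f"{action:7s} {n}")
```

The ladder is the configurable part: the same engine can be tuned to alert only, to delay earlier, or to never block on sustained suspicion alone, which is the trade-off between a management headache and denying access to valid users that the column describes.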
Phil Cracknell is chief technology officer at IT security
supplier NetSurity