Intrusion detection systems: Can the suppliers deliver on their promises?

Security customers are not the only ones debating whether intrusion prevention systems can deliver on their promises of preventive security - intrusion detection system (IDS) suppliers are also trying to figure out how to deal with a technology that threatens the core of their business strategy.

Indeed, the supremacy of IDSs is being tested by security customers' demands for a faster, more efficient, and proactive form of intrusion prevention for their networks. Customers are also experiencing difficulty in discerning between true IPSes (intrusion prevention systems) and watered-down versions, as well as considering the complexity of marrying in-line IPS with various network processes.

But there's no mistaking the attractive glow of intrusion prevention that works - IT departments still salivate over the idea of preventing attacks before they become enterprise-wide disasters, although they are more cautious about putting too much trust in security systems that make large promises.

As IPS technology matures, security experts predict that IDS and firewall protection will eventually become one, IPS appliances will multiply, and traffic inspection and switch hardware suppliers - such as Cisco Systems, F5 Networks and Nortel Networks - stand poised to claim the IPS crown.

Prevention gets the nod

Some analysts, including Gartner, are advising customers to hold off on making large network IDS investments in favour of investigating the merits of IPS. Organisations already bound to IDS investments and drowning in false-positive returns should look to security management suppliers such as ArcSight and NetForensics to restore control, says John Pescatore, vice president of Gartner.

"We think IDS is dead. It's failed to provide enterprise value," Pescatore says. "In order for it to survive, it has to go faster, at wire speed, and it has to solve the false-alarm problem."

False alarms - a notorious bane of IDS - can be a troublesome burden when the lack of internal security expertise and ever-tightening budgets push security event prioritisation to the forefront. IPS cuts down on false positives by sitting in-line and combining several detection methods, including protocol and packet identification, to uncover sudden or extreme traffic-pattern changes (such as a denial-of-service attack) or deviations from a set policy.

The scramble by security suppliers to institute successful IPS is buoyed by a number of devastating security breaches and costly virus cleanups during the past year to 18 months - events that became the last straw for many customers.

IPS supplier TippingPoint's network-based Unity2000 device, which searches for and pushes threat profiles to the appliance, on a trial basis.

TippingPoint's UnityOne IPS product features a security processing engine consisting of network packets and capable of processing all header information in packets at very high speeds. To stop computer attacks by dropping packets as soon as a threat is detected, an IPS solution must be part of the network infrastructure with microsecond latency, says Marc Willebeek-LeMair, chief technology officer of TippingPoint.

"Because IPS has two letters in common with IDS, we're always thought of as the next generation of that product line, and we're actually very different," adds Willebeek-LeMair. "[Attacks] are not just perimeter-based but also internal. IPS is effective when you can put it into your network fabric and block attacks coming at it from any direction. It's not just your WAN access point anymore."

Not all peaches and cream

IPS may be making headlines, but some IDS stalwarts such as Internet Security Systems (ISS) question the forecasted abandonment of IDS and customers' need to achieve greater network protection speeds.

"Just because you put a lock on your front door doesn't mean you throw out the burglar alarm system," says Chris Klaus, CTO of ISS. "When you look at what people are connecting to the internet with, it's nowhere near gigabit."

However, there's no denying that IPS is putting pressure on the IDS market to take a good look at its own strategies. Klaus says ISS, for one, is moving from a reactive to a proactive security mantra through its heavy managed services initiative by keying on servers, desktops, OS log analysis, and forensics information.

Because customers have been burned before on complicated security projects and unfulfilled promises of other "silver bullet" security fixes such as PKI, IPS faces an enormous challenge to win over sceptical customers, says Lloyd Hession, chief security officer of Radianz, a financial services extranet. The complexity associated with deeper inspection and sitting directly in the line of traffic means an IPS solution can't just be dropped in and plugged in, but must become yet another element in a potentially congested network.

"The mantle has been passed to new IPS products, but the problem is the risk of these products, and the downside is they're potentially dangerous because they are more complex and in-line," Hession explains. "Once you introduce into a production environment another single point of failure, a device that is no longer passive, then the reliability of your whole production environment is potentially impacted by that device that is in-line."

According to Hession, IPS has not had nearly the amount of time needed to "work out the kinks" and develop maturity - but neither has IDS.

"The problem the [security] industry has at the moment is that these are not integrated enterprise solutions," he adds. "These are point solutions which are incremental, and have costs that CIOs (must face). It's a challenge. We can't keep going down the path with point products."

IDS in the hot seat

Further muddying the IPS waters, Pescatore notes an alarming level of "snake oil" IPS solutions, in which IDS-oriented suppliers adopt a new IPS identity that does not properly address IDS' problems.

For instance, he believes that reducing false alarms is critical but not at the expense of impeding legitimate traffic. This requires a security mixture of algorithms, signatures, behaviour-based methodology, and correlation among other network areas - a mixture found more often in IPS solutions.
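As an added illustration of the point made above and in the earlier description of in-line IPS (this is example code, not from the article or from any supplier it names), the following contrasts IDS-style alerting on any single check with a drop decision that requires independent checks (signature, protocol identification, packet rate against a learned baseline, and port policy) to corroborate one another. The flows, the signature string and the permitted-port policy are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:
    src: str
    dst_port: int
    payload: str   # first bytes of the application payload (constructed)
    pps: float     # packets per second observed for this flow

# Hypothetical policy and signature set, constructed for the example.
PERMITTED_PORTS = {80, 443}
SIGNATURES = ("SIG-TEST-PATTERN",)
HTTP_METHODS = ("GET ", "POST ", "HEAD ")

def baseline(flows):
    """Mean and standard deviation of packet rates over known-good traffic."""
    rates = [f.pps for f in flows]
    return mean(rates), pstdev(rates)

def signals(flow, base):
    """Run each independent check; a value of True means that check fired."""
    mu, sigma = base
    return {
        "signature": any(s in flow.payload for s in SIGNATURES),
        "protocol": flow.dst_port == 80 and not flow.payload.startswith(HTTP_METHODS),
        "rate": flow.pps > mu + 3 * sigma,
        "policy": flow.dst_port not in PERMITTED_PORTS,
    }

def verdict(flow, base):
    """IDS-style: alert on any single check. In-line IPS-style: drop only when
    two independent checks agree; a lone signal is logged but the flow passes."""
    hits = [name for name, fired in signals(flow, base).items() if fired]
    return {"ids_alert": bool(hits), "ips_drop": len(hits) >= 2, "hits": hits}

# Constructed traffic: a known-good window, then three flows to evaluate.
GOOD = [Flow("10.0.0.%d" % i, 80, "GET /index.html HTTP/1.1", 8.0 + i % 3) for i in range(1, 7)]
BASE = baseline(GOOD)
NOISY = Flow("10.0.0.9", 80, "POST /search HTTP/1.1 q=SIG-TEST-PATTERN", 9.0)  # signature only
FLOOD = Flow("10.0.0.10", 80, "\x00\x00\x00garbage", 400.0)                    # not HTTP, far above baseline
ROGUE = Flow("10.0.0.11", 8080, "SIG-TEST-PATTERN", 9.0)                      # signature + policy violation

if __name__ == "__main__":
    for f in (NOISY, FLOOD, ROGUE):
        print(f.src, verdict(f, BASE))
```

The signature-only flow raises an IDS alert but is not dropped, while the flood and the off-policy flow each trip two independent checks and are blocked.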

"What we think will happen, by the end of next year, IPS will really have impacted the firewall and IDS market," Pescatore remarks. "That's when Cisco would swoop in, maybe a CheckPoint, but people like Nortel and F5 - even Nokia - will be going after this market by some real high-end, multigigabit products sold to carrier-class networks."

In turn, he says IDS suppliers must embrace the dawn of IPS and morph their offerings into firewall schemes; those who don't accept IPS are living on borrowed time.

Hession also sees firewalls, IDS, and IPS as complementary components of a security strategy; dropping IDS completely would be a bad idea without a great firewall in place, but the advantages of IPS mean IDS' role in the enterprise will change.

"If companies go with IPS, is this a replacement for a firewall? My answer is absolutely not," explains Hession. "Firewalls are tuned and built and designed to do type of filtering and screening and access control, IPS and IDS are not."

F5 already envisions itself becoming the control plane of IPS, allowing customers to block traffic while F5 partners serve as the interface that communicates with F5's BIG-IP product, says Erik Giesa, senior director of product management at F5.

Meanwhile, Cisco has been much more aggressive about its IPS intentions, bolstered by the purchase of host-based IPS vendor Okena earlier this year. Other acquisitions also play into a vision of converged network and security services: The hardware maker's purchase of Psionic is designed to reduce false positives and its scalability push is evidenced by its recent Catalyst IDS module announcement.

"Our customers have told us for some time that although they understand intrusion prevention, they don't yet trust the technology to act autonomously and take actions for them to make the right decisions on good and bad traffic," explains John McFarland, manager of security appliances for the VPN and security business unit at networking giant Cisco.

The benefits of IPS are clear, but its true test will be in living up to its promise in dealing with real-world security threats. IPS' home for now is in standalone appliances and products, but the reactions of IDS suppliers show that IPS's future is likely to lie in an integrated solution, whether it be an IDS-IPS combination, a firewall, or another piece of infrastructure.

"What you're asking of [IPS] technology is to sit in the network, make decisions, and affect packet flow, which are all functions of a network device," McFarland says. "IPS is not a one-trick pony game. It's a comprehensive solution."
