We caught up with security and IPS expert Clarence Morey of IBM Internet Security Systems on the differences between IPS vs. IDS, the advantages of hosted vs. network IPS, the problem of false positives and other challenges of intrusion prevention for business.
In the simplest of terms, intrusion prevention means keeping the “bad guys” out of a corporate network. Intrusion prevention system (IPS) technology inspects Internet traffic flowing into and through an organization and actively blocks malicious content before it impacts business. IPS technology can be either network-based or host-based. With the right products and deployment, it can help organizations preserve network availability, reduce the burden on IT resources and prevent security breaches.
How aware are organizations now of network and systems intrusion? If they are aware, do they generally understand the extent of the problem?
With the recent explosion in the sophistication of online attacks, including the evolution of phishing, bots, spyware, rootkits and other forms of malware, IT security has become top-of-mind for most organizations that rely on the Internet to conduct business. While the extent of the problem is generally understood, many companies struggle with the fact that effective security solutions are often complex, confusing and cost-prohibitive. The average enterprise has over 32 security vendors!
Is intrusion prevention of equal concern to every business? Should a small business of just a few employees be as worried about it as a large enterprise? Is there any level at which the ROI does not make sense?
In this day and age, any company that relies on the Internet to conduct business, and that houses confidential data of any kind (customer information, financials, credit card numbers, business plans, etc.) should be concerned about intrusion prevention. Online attacks are not limited to large corporations. As long as money can be made by breaking into a network, it will eventually attract the attention of hackers. With this fact in mind, many security vendors are now offering lower-cost IPS options specifically tailored for small- to medium-sized businesses (in addition to more robust systems for enterprises).
How often is intrusion prevention mistaken for intrusion detection? And why, in fact, can’t IDS plus a firewall be made to work as an IPS? What are the differences between the two?
Most security and IT professionals now understand the differences between the two technologies. IPS technology goes deeper than a firewall because it blocks or allows traffic based on application content rather than IP addresses or ports. Additionally, unlike IDS technologies, IPS products are designed to sit inline with traffic flows and prevent attacks in real-time, as opposed to passively monitoring and alerting organizations to malicious traffic. For these reasons, an IDS product coupled with a firewall does not equate to IPS.
What’s the difference between a host IPS and a network IPS? Is it a case that businesses can use either one of them, or is one preferable to the other in certain cases, and what are those? Are there any situations when it might be best to have both?
While a network-based IPS product resides on a single point on the network and is designed to protect all hosts connected to the network, a host-based IPS product resides on a specific IP address such as a PC or server. Network- and host-based IPS technologies are complementary, and it is recommended that companies use a combination of both. This way, the organization is using a defense-in-depth methodology to provide multiple barricades for stopping malicious attacks, therefore achieving more comprehensive, multi-layered protection.
What are some of the challenges involved in deploying an IPS? Is it a plug-and play technology, or are there things that a business has to do to make it work to its best potential? Does putting an IDS in place alter the way a network or system operates, and if so what actions should the user take to make sure everything works well together?
A good IDS or IPS product should be simple to deploy, requiring no reconfiguration of the network. While IDS operates in a passive state, IPS is deployed inline. This difference is significant since an IPS device is capable of blocking traffic. The IBM ISS intrusion prevention product is the only intrusion prevention system available with an inline simulation mode, giving organizations the ability to determine blocking behavior before actually activating blocking. Companies like IBM ISS also have professional security services teams that can assist companies with designing and deploying the security solution that best fits their needs.
Can an IPS produce the same number of false positives that an IDS does? If not, why not? If it is capable of those false positives, what does a user have to do to reduce or eliminate them?
An IPS product should not block legitimate traffic by mistake. Accuracy is a frequently cited concern for companies deploying IPS products and services, and one that should be carefully evaluated when selecting an IPS vendor.
How does an IPS fit into the overall security scheme? Is it a replacement for other systems and devices, such as a firewall or an IDS? Or is it a complementary technology that necessarily works in concert with other technologies? Is there a “perfect” way to deploy an IPS?
Since IPS is essentially the next generation of IDS, it is a replacement for that technology. Companies normally either choose to have their network traffic passively monitored with IDS, or they choose to have “bad” traffic actively blocked with IPS. However, beyond that, IPS should make up one piece of an organization’s comprehensive security strategy, complementing other technologies such as a firewall. Again, it is recommended that companies deploy a multi-layered approach consisting of various security technologies to better ensure that attacks do not penetrate their infrastructure.
How do you think intrusion protection will evolve? Will the nature of intrusions stay the same, for example, but just increase the rate at which they occur? Or do you think there could be a substantial change in what IPS will be called on to detect and manage in the future?
The nature of online attacks is evolving as we speak. In general, they are becoming more sophisticated, designer and stealth in nature. Instead of launching widespread Internet worms for notoriety, attackers are increasingly turning to more targeted means of network infiltration through which they can obtain a profit. Whether it’s through building bot networks to blast out spam, stealing confidential information off of computers or taking a corporation’s data hostage in return for ransom, online criminals are becoming more and more creative every day. IPS technology must therefore be able to adapt to protect against both traditional threats and emerging threats. Solutions that rely on signature updates to block every single new attack will soon become irrelevant as attackers develop news ways to penetrate networks on a daily basis. Instead, IPS technology must be developed to be more extensible and deal with entire classes of threats without relying on signature updates.Considering that the IPS investment a business makes now will last for some time, what are the best-of-breed features that a buyer should consider when weighing that investment?
When evaluating IPS technologies, companies need to balance and maximize the following six key areas:
Performance: The ability to act transparently in the network environment and introduce a minimal amount of latency to network traffic.
Security: An effective intrusion prevention system will employ a combination of multiple analysis and detection methodologies including protocol analysis, heuristics, RFC compliance, TCP reassembly, statistical analysis and pattern matching. Using multiple analysis and identification methods will also diminish the number of false positives and false negatives.
Reliability: Devices placed in the flow of network traffic must be extremely reliable. They require features such as high availability and hot-swappable, redundant power supplies and hard drives to ensure that network traffic is maintained.
Deployment: Deployment of IPS products should be simple and flexible, and should not require network reconfiguration.
Management: Management of an IPS device should also be simple and intuitive, providing flexible options for reporting, analysis and alerting. Companies also need to consider how the product will integrate with the other components of their network infrastructure.
Confidence: The vendor behind the IPS solution is also a key consideration. In addition to a robust and comprehensive IPS technology, it is critical that companies look for a vendor with a strong, proven industry track record, including long-standing, successful customer deployments, technology leadership and recognition, as well as industry certifications and a formal, proven customer support program.
For IPS technology to truly deliver protection that enhances operations and reduces overall risk, it must address all six of these components. This uncompromising protection not only assures that threats are blocked before they impact the network, but also maximizes network uptime, minimizes the need for active involvement in security events, reduces total cost of ownership and assists with regulatory compliance.
What other observations or suggestions to do you have?
Reactive technologies are not capable of keeping up with the ever-morphing forms of malware on the Internet. In order to truly stay protected, organizations should seek out an IPS solution that is preemptive, that does not rely on signature updates to fend off each individual attack but rather adapts to block entire classes of threats, both traditional and emerging.