Telebriefing

IntrusionOnline's telebriefing is where you get expert opinions on the hottest topics from the best minds in the industry today, for free.

We caught up with security and IPS expert Clarence
Morey of IBM Internet Security Systems on the differences
between IPS vs. IDS, the advantages of hosted vs. network
IPS, the problem of false positives and other challenges of
intrusion prevention for business.
"The State of the Art in IPS"
A telebriefing with security expert Clarence Morey of IBM Internet Security Systems.

How do you define intrusion
prevention?
In the simplest of terms, intrusion prevention means keeping
the “bad guys” out of a corporate network. Intrusion
prevention system (IPS) technology inspects Internet traffic
flowing into and through an organization and actively blocks
malicious content before it impacts business. IPS technology
can be either network-based or host-based. With the right
products and deployment, it can help organizations preserve
network availability, reduce the burden on IT resources and
prevent security breaches.

How aware are organizations
now of network and systems intrusion? If they are aware, do
they generally understand the extent of the problem?
With the recent explosion in the sophistication of online
attacks, including the evolution of phishing, bots, spyware,
rootkits and other forms of malware, IT security has become
top-of-mind for most organizations that rely on the Internet
to conduct business. While the extent of the problem is generally
understood, many companies struggle with the fact that effective
security solutions are often complex, confusing and cost-prohibitive.
The average enterprise has over 32 security vendors!

Is intrusion prevention of
equal concern to every business? Should a small business of
just a few employees be as worried about it as a large enterprise?
Is there any level at which the ROI does not make sense?
In this day and age, any company that relies on the Internet
to conduct business, and that houses confidential data of
any kind (customer information, financials, credit card numbers,
business plans, etc.) should be concerned about intrusion
prevention. Online attacks are not limited to large corporations.
As long as money can be made by breaking into a network, it
will eventually attract the attention of hackers. With this
fact in mind, many security vendors are now offering lower-cost
IPS options specifically tailored for small- to medium-sized
businesses (in addition to more robust systems for enterprises).

How often is intrusion prevention
mistaken for intrusion detection? And why, in fact, can’t
IDS plus a firewall be made to work as an IPS? What are the
differences between the two?
Most security and IT professionals now understand the differences
between the two technologies. IPS technology goes deeper than
a firewall because it blocks or allows traffic based on application
content rather than IP addresses or ports. Additionally, unlike
IDS technologies, IPS products are designed to sit inline
with traffic flows and prevent attacks in real-time, as opposed
to passively monitoring and alerting organizations to malicious
traffic. For these reasons, an IDS product coupled with a
firewall does not equate to IPS.

What’s the difference
between a host IPS and a network IPS? Is it a case that businesses
can use either one of them, or is one preferable to the other
in certain cases, and what are those? Are there any situations
when it might be best to have both?
While a network-based IPS product resides on a single point
on the network and is designed to protect all hosts connected
to the network, a host-based IPS product resides on a specific
IP address such as a PC or server. Network- and host-based
IPS technologies are complementary, and it is recommended
that companies use a combination of both. This way, the organization
is using a defense-in-depth methodology to provide multiple
barricades for stopping malicious attacks, therefore achieving
more comprehensive, multilayered protection.

What are some of the challenges
involved in deploying an IPS? Is it a plug-and-play technology,
or are there things that a business has to do to make it work
to its best potential? Does putting an IDS in place alter
the way a network or system operates, and if so what actions
should the user take to make sure everything works well together?
A good IDS or IPS product should be simple to deploy, requiring
no reconfiguration of the network. While IDS operates in a
passive state, IPS is deployed inline. This difference is
significant since an IPS device is capable of blocking traffic.
The IBM ISS intrusion prevention product is the only intrusion
prevention system available with an inline simulation mode,
giving organizations the ability to determine blocking behavior
before actually activating blocking. Companies like IBM ISS
also have professional security services teams that can assist
companies with designing and deploying the security solution
that best fits their needs.
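The two answers above draw the line between a firewall (port/address rules), a passive IDS (alert only), an inline IPS (block) and an inline "simulation" mode that records what would have been blocked. The following is an added, constructed illustration of those four behaviours, not code from IBM ISS or the product discussed; the Mode/Request/Sensor names, the two inspection rules and the sample traffic are all made up for the example.

```python
"""Toy model of a passive IDS versus an inline IPS, plus an inline "simulation"
mode. Constructed example; names, rules and traffic are made up (not IBM ISS code)."""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Mode(Enum):
    DETECT = "ids"        # passive tap: alerts only, never touches traffic
    SIMULATE = "ips-sim"  # inline, but only records what it *would* block
    BLOCK = "ips"         # inline, drops traffic that fails inspection

@dataclass
class Request:
    src_ip: str
    dst_port: int
    payload: bytes  # application-layer content: one HTTP request line

def firewall_allows(req: Request) -> bool:
    """Port/address filter: permits anything to tcp/80, never reads content."""
    return req.dst_port == 80

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")
TRAVERSAL = re.compile(rb"\.\./")

def inspect(req: Request) -> Optional[str]:
    """Content inspection combining an RFC-compliance check with pattern
    matching. Returns the reason the request is bad, or None if it is clean."""
    if not REQUEST_LINE.match(req.payload):
        return "malformed HTTP request line"
    if TRAVERSAL.search(req.payload):
        return "directory traversal in URI"
    return None

@dataclass
class Sensor:
    mode: Mode
    events: list = field(default_factory=list)

    def process(self, req: Request) -> bool:
        """Returns True if the request is allowed to reach the server."""
        if not firewall_allows(req):
            return False
        reason = inspect(req)
        if reason is None:
            return True
        self.events.append((self.mode.value, req.src_ip, reason))
        # Only the inline blocking mode drops the request; passive and
        # simulation modes record the event and let it through.
        return self.mode is not Mode.BLOCK
```

Running the same bad request through the three modes shows why IDS plus a firewall is not an IPS: the firewall passes it (port 80), the IDS and the simulation mode only log it, and only the blocking mode stops it.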

Can an IPS produce the same
number of false positives that an IDS does? If not, why not?
If it is capable of those false positives, what does a user
have to do to reduce or eliminate them?
An IPS product should not block legitimate traffic by mistake.
Accuracy is a frequently cited concern for companies deploying
IPS products and services, and one that should be carefully
evaluated when selecting an IPS vendor.

How does an IPS fit into the
overall security scheme? Is it a replacement for other systems
and devices, such as a firewall or an IDS? Or is it a complementary
technology that necessarily works in concert with other technologies?
Is there a “perfect” way to deploy an IPS?
Since IPS is essentially the next generation of IDS, it
is a replacement for that technology. Companies normally either
choose to have their network traffic passively monitored with
IDS, or they choose to have “bad” traffic actively
blocked with IPS. However, beyond that, IPS should make up
one piece of an organization’s comprehensive security
strategy, complementing other technologies such as a firewall.
Again, it is recommended that companies deploy a multi-layered
approach consisting of various security technologies to better
ensure that attacks do not penetrate their infrastructure.

How do you think intrusion
protection will evolve? Will the nature of intrusions stay
the same, for example, but just increase the rate at which
they occur? Or do you think there could be a substantial change
in what IPS will be called on to detect and manage in the
future?
The nature of online attacks is evolving as we speak. In
general, they are becoming more sophisticated, designer and
stealth in nature. Instead of launching widespread Internet
worms for notoriety, attackers are increasingly turning to
more targeted means of network infiltration through which
they can obtain a profit. Whether it’s through building
bot networks to blast out spam, stealing confidential information
off of computers or taking a corporation’s data hostage
in return for ransom, online criminals are becoming more and
more creative every day. IPS technology must therefore be
able to adapt to protect against both traditional threats
and emerging threats. Solutions that rely on signature updates
to block every single new attack will soon become irrelevant
as attackers develop new ways to penetrate networks on a
daily basis. Instead, IPS technology must be developed to
be more extensible and deal with entire classes of threats
without relying on signature updates.

Considering that the IPS investment
a business makes now will last for some time, what are the
best-of-breed features that a buyer should consider when weighing
that investment?
When evaluating IPS technologies, companies need to balance
and maximize the following six key areas:
Performance: The ability to act transparently
in the network environment and introduce a minimal amount
of latency to network traffic.
Security: An effective intrusion prevention
system will employ a combination of multiple analysis and
detection methodologies including protocol analysis, heuristics,
RFC compliance, TCP reassembly, statistical analysis and pattern
matching. Using multiple analysis and identification methods
will also diminish the number of false positives and false
negatives.
Reliability: Devices placed in the flow of
network traffic must be extremely reliable. They require features
such as high availability and hot-swappable, redundant power
supplies and hard drives to ensure that network traffic is
maintained.
Deployment: Deployment of IPS products should
be simple and flexible, and should not require network reconfiguration.
Management: Management of an IPS device should
also be simple and intuitive, providing flexible options for
reporting, analysis and alerting. Companies also need to consider
how the product will integrate with the other components of
their network infrastructure.
Confidence: The vendor behind the IPS solution
is also a key consideration. In addition to a robust and comprehensive
IPS technology, it is critical that companies look for a vendor
with a strong, proven industry track record, including long-standing,
successful customer deployments, technology leadership and
recognition, as well as industry certifications and a formal,
proven customer support program.
For IPS technology to truly deliver protection that enhances
operations and reduces overall risk, it must address all six
of these components. This uncompromising protection not only
assures that threats are blocked before they impact the network,
but also maximizes network uptime, minimizes the need for
active involvement in security events, reduces total cost
of ownership and assists with regulatory compliance.

What other observations or
suggestions do you have?
Reactive technologies are not capable of keeping up with
the ever-morphing forms of malware on the Internet. In order
to truly stay protected, organizations should seek out an
IPS solution that is preemptive, that does not rely on signature
updates to fend off each individual attack but rather adapts
to block entire classes of threats, both traditional and emerging.

Andre Yee, a distinguished veteran of the IDS/IPS
marketplace, shares his views on the state of the IPS industry,
acquisitions, etc.

Andre Yee
Former President and
Chief Executive Officer, NFR (acquired by Check Point)

On the current state of the
Intrusion Prevention Industry.
I think that the Intrusion Prevention space is a mature area
of security and that when that happens, it's ripe for a disruptive
wave of new technologies. It's currently uninteresting from
a technology perspective but on the other hand, there are
lots of opportunities for innovation in the overall security
space.

On whether Network Access Control
(NAC) should be treated as a separate field or be integrated into
the IDS/IPS Industry.
You know the saying "to a hammer, everything looks like
a nail"? If IDS/IPS is the framework for how you look
at security, it makes sense for every incremental technology
to be folded in... it's a problem that firewall vendors had
a few years back when they viewed the world from a firewall
centric perspective. I think NAC can be a separate field or
part of IDS/IPS - either way, it's just a matter of perspective.
The important thing is to understand how security needs to
change in its delivery and usage model.

On the health of the recent
mergers and acquisitions (e.g. IBM’s acquisition of
ISS) in the IDS/IPS industry.
I don't know if it's healthy or not; it is what it is. I
think IDS/IPS is a mature space and it's hard for any independent
IPS company to thrive in this environment.

On whether IPS vendors are
up to the challenges of the ever evolving mobile computing
enterprise networks.
I'm not sure that I can answer that question but I do know
that doing IPS the way it's done today is NOT the answer.

IntrusionOnline’s August 2007 Telebriefing, Wireless Security:
“The Best is yet to come!”
For more information, email us at telebriefing@intrusiononline.net
or call us at (301) 583-4629 to reserve a space.
Today, wireless technology has advanced in addressing security
concerns, not by choice, but by necessity to conform to management
requirements, feature needs, compliance standards, to comply
with policies, and to address security audits and auditor
requirements. As this may be acceptable for today’s
standards, it begs the question of “What will the future
bring for wireless security?”, or more accurately, “What
will the requirements be for a technology that traverses physical
boundaries, is difficult to detect, and can be installed and
maintained in obscure places on my enterprise?”. These
are my predictions for wireless, as tire manufacturers state,
“mileage may vary based on performance, and other considerations”.
In this telebriefing, Andrew Berkuta shares his predictions
for wireless IPS technologies in the years ahead.