Both intrusion detection systems and intrusion prevention systems aim to defeat malicious hackers. Each has its benefits. However, small to midsized enterprises will find the market moving toward prevention tools, letting the software serve as a network cop.
Network security is getting trickier by the moment. The zero-day scenario, in which attacks land before security staff have identified a signature, is not far off. Thrown into the security breach are IT people at SMEs whose expertise may be in servers or PCs, not security. Meanwhile, the perimeter to be secured has moved well beyond the office network and onto mobile laptops and PDAs.
Intrusion detection and prevention tools have two primary objectives, says Dr. Gary Jackson, president/CEO of Psynapse Technologies: first, to detect network activity that may be harmful or damaging to a network, and second, to prevent actual damage from occurring to a network protected from such devices. “The first type, as the mainstay, is signature detection, an application that has active rules in place designed to identify activity known to be harmful,” Jackson explains. “The second, anomaly detection, is designed to learn the ‘normal’ characteristics or protocols of a network so future monitoring will detect departures from the norm.”
Kip Meacham, director of product management at Senforce Technologies, says the key criticisms leveled against intrusion detection systems are the number of false positives and the copious amount of reporting data generated. “There has been a clear movement away from use of the IDS to IPS, with the focus shifting from detection to prevention,” Meacham says.
Different Approaches
IDS works like airport security. Everyone is examined and many harmless people get diverted for no good reason. These are false positives. We accept that hassle to avoid the disastrous false negatives.
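To make the two detection types from Jackson's description concrete, and to show where the false positives Meacham and the airport analogy refer to come from, here is an added example (not code from the article or any vendor named in it). It runs signature rules and a learned-baseline rate check over a few constructed request records and reports either an alert (IDS mode) or a drop (IPS mode); the hosts, request lines and rates are invented for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed sample data (not traffic from the article): one record per source host,
# with the request line seen and that host's connections per minute.
EVENTS = [
    {"src": "10.0.0.5",  "payload": "GET /index.html HTTP/1.1",          "rate": 12},
    {"src": "10.0.0.7",  "payload": "GET /scripts/cmd.exe?arg HTTP/1.0", "rate": 11},   # known-bad pattern
    {"src": "10.0.0.9",  "payload": "GET /docs/cmd.exe-notes.html",      "rate": 10},   # benign lookalike
    {"src": "10.0.0.12", "payload": "GET /report.pdf HTTP/1.1",          "rate": 900},  # no known signature
]
# Connections/min observed during a quiet "learning" window (constructed).
BASELINE_RATES = [10, 12, 11, 13, 9, 12, 10, 11]

# Signature detection: rules for activity already known to be harmful.
# The loose rule matches any mention of cmd.exe and fires on the benign document
# (a false positive); the tight rule requires arguments to be passed to it.
SIGNATURES = {
    "cmd-exe-loose": re.compile(r"cmd\.exe", re.I),
    "cmd-exe-tight": re.compile(r"cmd\.exe\?", re.I),
}

def anomaly_threshold(baseline, k=3.0):
    """Anomaly detection: learn 'normal' from the baseline, flag rate > mean + k*sigma."""
    return mean(baseline) + k * pstdev(baseline)

def inspect(event, baseline, mode="ids", rules=SIGNATURES):
    """Return (verdict, reasons). IDS mode only alerts; IPS mode drops what it flags."""
    reasons = [name for name, rx in rules.items() if rx.search(event["payload"])]
    if event["rate"] > anomaly_threshold(baseline):
        reasons.append("rate-anomaly")   # unknown pattern caught only by the baseline
    if not reasons:
        return ("pass", [])
    return ("drop" if mode == "ips" else "alert", reasons)

def run(events, baseline, mode="ids", rules=SIGNATURES):
    """Inspect every record and map source host -> (verdict, reasons)."""
    return {e["src"]: inspect(e, baseline, mode, rules) for e in events}

if __name__ == "__main__":
    for src, (verdict, why) in run(EVENTS, BASELINE_RATES, "ips").items():
        print(f"{src:10} {verdict:5} {why}")
```

Swapping in only the tight rule removes the false positive on 10.0.0.9, while the 900-connection host is caught by the baseline check alone, which is the zero-day case the article says signatures cannot cover.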
Intrusion prevention systems perform total packet inspection through Layer 7 to block malicious traffic. “Because they are purpose-built hardware, they are capable of switch-like latencies and gigabit throughput,” says Laura Craddick of TippingPoint. “They block worms, viruses, Trojans, denial of service attacks, spyware, and other threats. Some are capable of VoIP security and bandwidth management,” she adds.
IPSes are effective at proactively blocking a broad range of threats, Craddick says. She notes the case of the Zotob worm. University of Washington Medical was preemptively protected from 800,000 Zotob attacks with IPS. “IPSes are the only form of preemptive protection and worm protection,” Craddick says.
Maximum Protection
Jackson says that any tool’s effectiveness is a complex function of the interaction of the effectiveness of the applications used, the degree of skill operating and maintaining the applications, and the organizational security policies serving as the foundation underlying the network protection approach. “The use of multiple, highly effective tools working in concert with effective and skilled network staff is the formula for maximum protection,” Jackson says.
And that formula is capable of achieving a very high standard of protection. Mike Casey, executive vice president at Reflex Security, says, “Given the number of different types of network attacks and the dynamic nature of network security, 99.9% effectiveness is more than acceptable.” The additional cost and the lost productivity (or impracticality) to attempt to achieve greater effectiveness would not be worth the investment, he says.
The Right Tools
SMEs have many vendors and products to choose from to help them attain maximum protection. Psynapse Technologies offers the Checkmate Intrusion Protection System, a proactive appliance that converts network activity to intent in real time to protect against external threat, and the Inmate Misuse Detection System, a derivative of Checkmate that provides network protection from insider threats.
Senforce’s ESS Advanced Firewall uses an NDIS (Network Driver Interface Specification) intermediate miniport driver and stateful packet inspection to detect unsolicited inbound network traffic and discard it as soon as it arrives at the endpoint’s networking hardware. This heads it off before it enters the network protocol stack, giving no foothold to an unsolicited protocol attack, port scan, or the like.
To manage outbound network traffic threats, the Senforce firewall uses TDI (Microsoft’s transport data interface) filtering to control access to the network by controlling which applications and which network protocols are granted access to the network. The ESS Advanced Firewall is a host-based solution, as it resides on the endpoint PC. So, it does not protect the network itself.
DefensePro from Radware is an IPS installed in-line, protecting in real time. The strength of such a device depends on the vendor: the accuracy of its attack signatures and how quickly the vendor provides updates for new attacks.
Another option is TippingPoint’s IPS, which comes with a default setting that enables filters to block automatically out of the box with guaranteed accuracy.
The Future
Even with this bevy of tools to combat it, hacking is a dynamic process. Hackers’ skills improve daily as they identify vulnerabilities and develop new, unknown attacks. “Network protection is typically a catching up, reactive process. New proactive tools are emerging, but more time is needed to determine overall effectiveness, particularly with zero-day, or unknown attacks,” Jackson says.
“Firewall and intrusion-prevention systems will begin to blur as firewall vendors attempt to develop deep packet inspection and intrusion-prevention systems leverage their access control technology into full-fledged firewalls,” Casey says. “Next-generation intrusion prevention systems will deliver enhanced versions of their detection and analysis similar to intrusion detection systems. As a result, users should evaluate intrusion prevention systems that can evolve with these threats.”