Intrusion issue

Despite rumours of their demise, intrusion detection systems are alive and kicking. The technology has survived because it fills an important piece of the security puzzle, despite its limitations and the emergence of more proactive technologies.

By Simon Duddy. Published September 23, 2004

Research firm Gartner famously wrote off intrusion detection systems (IDS) in a 2003 report, saying the technology would fail to provide value for its cost and would be obsolete by 2005. However, IDS still plays an important part in many companies' security architectures despite an increasing emphasis on intrusion prevention systems (IPS), and looks like continuing well beyond 2005. “IPS won’t take over from IDS in the short or medium term. There will always be a demand for companies who just want to monitor and report,” says Tom Scholtz, vice president of security & risk strategies for Meta Group. “There is demand for both at the moment and although there is convergence between the two this will remain the case,” he adds.

To understand why IDS has survived it is necessary to define the term clearly, along with its close relative IPS. An IDS sits out of band: it examines a copy of network traffic, typically fed to it from a switch span port or a tap, searching for pre-defined patterns that could indicate that the network is being attacked. Importantly, an IDS responds to these matches by raising an alert, which must be analysed by network or security staff before a countermeasure can be taken; the traffic it flags has already reached its destination. An IPS works in a similar way but with some important differences. It is an inline technology, sitting in the traffic path itself, so it can drop a packet or reset a connection rather than merely report it. The detection methods also differ in emphasis. An IDS typically relies on a black list approach, raising alerts on signatures of pre-identified dangers. IPS products add a white list approach that learns what normal traffic looks like and flags anything that deviates from the accepted pattern. Because it is inline, an IPS acts proactively, automatically preventing suspect traffic from entering the enterprise. However, the two systems also have a lot in common. “An IPS has, by definition, some IDS. If you don’t have the radar you can’t launch the missile,” says Peter Kwisthout, territory manager, McAfee.

The manual element of intrusion detection systems has been the most controversial aspect of the technology. The first problem this causes is with reaction speed. With fast propagating attacks now common, the time window network administrators have to spot and react to IDS alerts is minimal. With staff wading through many superfluous alerts to get to those that actually matter, fast moving attacks can infiltrate and wreak havoc before anyone acts on the alert. A good example of this is the Slammer worm, which infected Microsoft SQL Server and MSDE hosts across the internet in January 2003. Slammer doubled the number of machines it infected every 8.5 seconds. Within 10 minutes it had infected 90% of the hosts it was capable of infecting, including at least 75,000 systems worldwide. Even a very well run IDS is ill equipped to react to such a fast spreading danger: by the time an analyst has read the alert, the worm has already finished spreading.

Another drawback that has rankled with network administrators is the amount of work IDS systems tend to generate. With an IDS safety net in place, companies tend to set wide ranging parameters for what constitutes a threat. While this generally proves effective in identifying problems, it also generates massive numbers of false positives. The volume of alerts can be such that employees spend so much time responding to them and tuning the IDS engine that they have no time for other tasks.

These drawbacks led to the evolution of IPS, which removes the manual step and goes inline to meet the threat head on. True, IPS systems still have to be tuned to be effective and this takes a certain amount of staff time, but the absence of a constant stream of reports frees up staff to tackle other issues on the network and, importantly, gives an immediate and automatic counter-action to threats. According to a 2003 Yankee Group report, the intrusion prevention market is expanding fast. The research firm predicts that it will grow from being worth US$62 million in 2002 to US$520 million by 2007. This represents a compound annual growth rate (CAGR) of 52.7%, and much of this growth is taking place in the Middle East enterprise market.

IPS technology is also spreading from its inline network heartland into the client, as host-based IPS. Vendors such as Sygate and McAfee are building IPS tools into desktop security suites alongside more familiar fare such as antivirus, firewall and anti-spyware tools. “IPS is extending into antivirus, with IPS targeting worms, and antivirus companies are building IPS functionality into antivirus products,” confirms Tobias Christen, chief technology officer (CTO), Stonesoft.

IPS itself has its drawbacks, however. Because it blocks rather than reports, it is imperative that its detection patterns are tuned accurately. In reality, this is impossible to get completely right, and so IPS systems run the risk of false rejections: legitimate traffic dropped as though it were an attack. For companies with mission critical information flowing in and out of the company, falsely rejected traffic can be as damaging as attacks. An e-mail containing the confirmation of a million dollar deal that is rejected because of an unfamiliar attachment can have serious repercussions for a company. “It’s a balancing act between IDS, which typically creates work through lots of false positives, and IPS, which might lead to loss of vital information for the company by falsely deleting an e-mail,” says Christen. This puts great emphasis on tuning the technology. Though less labour intensive than IDS, IPS still needs considerable hands-on work from network administrators, particularly in the first few days after its installation. Fortunately, many IPS vendors help with the tuning process in this initial phase. “We are looking at IPS and at how it will evolve,” says Laserian Kelly, manager information security, Emirates Group. “Its appeal is clear but you have to get it to learn your applications because of the danger of false positives,” he adds.

Security managers in the enterprise are increasingly using IDS and IPS in tandem, as they complement each other. IPS is best used to block known attacks and anomalous traffic that can serve no legitimate purpose on the network. IDS, on the other hand, can give security managers insight into network patterns over time, which can help them to formulate long-term strategies. “IDS has always been a cure rather than a preventive measure, and it will co-exist with IPS as whatever cannot be prevented is ultimately cured at some point,” says Dean Bell, regional director, BorderWare. “It is necessary for when attacks do manage to get through perimeter defenses, plus it is only by analysing attacks that we start to see patterns which allow us to better detect them in the future,” he adds.
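As an added illustration of the distinction drawn above (this is example code written for this page, not code from the article or from any vendor it quotes), the Python below runs two detection approaches over constructed sample flows: a black list of signatures and a white list baseline learned from known-good traffic, each in alert-only (IDS) and inline drop (IPS) mode. The flows, the signatures and the “Slammer-like” rule are all constructed stand-ins, not real captures or vendor rules. The signature sensor misses the attack it has no rule for, while the anomaly sensor catches it but also rejects the legitimate new partner connection, which in IPS mode is exactly the false rejection Christen describes and in IDS mode is one more alert for staff to triage.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    """One simplified flow. Constructed for this example; not a real capture."""
    src: str
    proto: str
    dst_port: int
    payload: bytes
    label: str  # "benign" or "malicious": demo ground truth a real sensor never sees


Detector = Callable[[Flow], list[str]]

# Black list: named signatures for known-bad traffic. The 1434 rule is a constructed
# stand-in for the shape of Slammer's datagram (one UDP packet to port 1434 beginning
# with 0x04), not a vendor rule; the worm body is not reproduced.
SIGNATURES: dict[str, Callable[[Flow], bool]] = {
    "slammer-like udp/1434": lambda f: f.proto == "udp" and f.dst_port == 1434
    and len(f.payload) == 376 and f.payload[:1] == b"\x04",
    "http path traversal": lambda f: f.proto == "tcp" and f.dst_port == 80
    and b"../" in f.payload,
}


def signature_detector(flow: Flow) -> list[str]:
    """Fire on anything matching a known-bad pattern; silent on everything else."""
    return [name for name, match in SIGNATURES.items() if match(flow)]


class Baseline:
    """White list: learn the (proto, port) pairs present in known-good traffic and
    treat any pair outside that set as an anomaly."""

    def __init__(self, good_flows: Iterable[Flow]) -> None:
        self.allowed = {(f.proto, f.dst_port) for f in good_flows}

    def __call__(self, flow: Flow) -> list[str]:
        key = (flow.proto, flow.dst_port)
        return [] if key in self.allowed else [f"anomaly: {key[0]}/{key[1]} not in baseline"]


@dataclass
class Verdict:
    flow: Flow
    reasons: list[str]
    action: str  # "pass"; "alert" (IDS: reported, traffic still forwarded); "drop" (IPS)


def run_sensor(flows: Iterable[Flow], detectors: list[Detector], mode: str) -> list[Verdict]:
    """Same detection logic, two responses: an IDS only raises alerts, an IPS drops inline."""
    if mode not in ("ids", "ips"):
        raise ValueError(f"mode must be 'ids' or 'ips', got {mode!r}")
    verdicts = []
    for f in flows:
        reasons = [r for d in detectors for r in d(f)]
        action = "pass" if not reasons else ("alert" if mode == "ids" else "drop")
        verdicts.append(Verdict(f, reasons, action))
    return verdicts


def score(verdicts: list[Verdict]) -> dict[str, int]:
    """Compare each verdict with the demo label. fp = benign flow flagged (an alert to
    triage for an IDS, a false rejection for an IPS); fn = attack let through."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for v in verdicts:
        flagged, bad = v.action != "pass", v.flow.label == "malicious"
        if flagged and bad:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif bad:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed traffic. KNOWN_GOOD is what the white list learns from.
KNOWN_GOOD = [
    Flow("10.0.0.5", "tcp", 80, b"GET /index.html HTTP/1.1\r\n", "benign"),
    Flow("10.0.0.7", "tcp", 25, b"MAIL FROM:<sales@example.com>\r\n", "benign"),
    Flow("10.0.0.8", "udp", 53, b"\x12\x34\x01\x00", "benign"),
]
TEST_TRAFFIC = [
    Flow("10.0.0.5", "tcp", 80, b"GET /about.html HTTP/1.1\r\n", "benign"),
    Flow("198.51.100.9", "udp", 1434, b"\x04" + b"\x01" * 375, "malicious"),    # Slammer-like
    Flow("198.51.100.4", "tcp", 445, b"\x00\x00\x00\x85\xffSMB", "malicious"),  # no signature yet
    Flow("203.0.113.20", "tcp", 443, b"\x16\x03\x01", "benign"),               # new partner, never baselined
]

if __name__ == "__main__":
    baseline = Baseline(KNOWN_GOOD)
    for name, detectors, mode in [("signature IDS", [signature_detector], "ids"),
                                  ("anomaly IPS", [baseline], "ips")]:
        verdicts = run_sensor(TEST_TRAFFIC, detectors, mode)
        print(name, score(verdicts))
        for v in verdicts:
            print(f"  {v.action:5} {v.flow.proto}/{v.flow.dst_port:<4} {v.reasons}")
```

Combining both detectors in one sensor is what Kwisthout's “radar and missile” remark amounts to: the same flow can carry both a signature hit and an anomaly reason, and only the configured mode decides whether the result is an alert for a person to read or a packet that never arrives. Tuning, in this model, is the work of enlarging the baseline (and pruning signatures) until the fp count is acceptable for the mode the sensor runs in.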
