Intrusion alert

Once sold as a silver bullet for the threat problem, intrusion prevention is now marketed with far less bold assertions by its vendors. It can be a powerful tool when harnessed correctly, though. NME investigates how network managers can use this technology to combat threats.

By Simon Duddy. Published October 26, 2005

When intrusion prevention systems (IPS) evolved from intrusion detection systems (IDS) a few years ago, they suffered from the over-hyping common to many innovative security solutions. The word was that IPS would cut back the workload involved in the manpower-intensive IDS and eventually replace it entirely. That simply has not happened: while in theory IPS is much less dependent on IT teams to function correctly, in practice many hours must be spent tuning both types of system to ensure they are operating optimally.

To delve back into history, the challenge with IDS was that it simply flags up the danger rather than carrying out a remedy. This can lead to huge log files, which must be read through manually to separate real threats from imagined ones. Not only is this a waste of manpower, it is also palpably too slow to cope with quick and highly damaging attacks on the network. On the other hand, IPS can respond to attacks with immediate automatic action, but in reality it faces the problem of IDS in inverse. Instead of being burdened by huge log files of often innocuous ‘threats’, IPS must be heavily tuned or it will misdiagnose legitimate traffic as a threat and block it.

Trend Micro’s Middle East managing director Justin Doo says IPS will look great until the next big thing comes along. “IPS is connected to the firewall and offers an extra layer of security. On the negative side, it’s automated, so it could mistakenly block non-malicious packets from entering the network,” he explains.

There are a number of issues and limitations that IT teams need to consider very carefully if they are interested in such technology. The most important of these is the fear factor associated with false positives. Organisations are often terrified that important business traffic will be excluded because of badly tuned or overzealous intrusion prevention. Missing data can often cost companies millions of dollars and can cost sales managers their jobs as deadlines are missed and orders go unfulfilled. “False positives have a huge impact on companies. Fear influences behaviour and companies tend to tune down the prevention elements, fearing they will miss vital messages that have been misdiagnosed as a threat,” says Joseph Mehawej, marketing and technical sales manager at Nortel Middle East. Some companies refuse to deploy IPS on mission-critical systems due to the high incidence of false positives.

With this wariness on the ground, it is clear that IPS is far from being a silver bullet. Rather, it is one piece in the total security strategy — a piece that still requires a human factor despite deploying the kind of automatic action that was supposed to cut down the network team’s man hours on such systems. “Configuration is really the issue with IPS. The technology is good, and the capabilities and development of the technology are promising, but at the moment it requires careful configuration to ensure that it offers benefits to the user rather than increased workload in the long run,” explains Kevin Isaac, regional director for Symantec MENA.

As well as the false positive issue, network teams are sometimes plagued by users complaining of network slowdown following an IPS implementation. Most IPS devices scan traffic at a maximum throughput of 1Gbytes/s, which means that traffic on 10Gigabit networks, which are becoming increasingly common, must slow down to pass. “All sensors are CPU-based, so there is a limit to what the CPU can process and this will lead to either a bottleneck in traffic or a throttle down in scanning strength if you throw enough traffic at it,” says Mehawej. The preferred solution of many vendors such as Nortel is load balancing, using clusters of devices and sensors to spread the workload. This can be expensive as it needs multiple devices, but it ensures that no one appliance is overwhelmed even when traffic hits peaks or when individual devices malfunction.

Cost versus performance considerations are nothing new in networking, but Jitendra Kapoor, business development manager of the security business unit at distributor and integrator OnLine Distribution, sees the issue as central to IPS. “Traditional intrusion prevention systems either increase costs (if they rely on a distributed architecture) or increase bandwidth requirements (if they rely on a centralised intelligence architecture),” comments Kapoor. He sees split intelligence architecture, which is based on the ability to split data analysis between sensor and server, as the preferred option. Using this approach the monitored data is filtered by intelligent sensors, which identify and forward only important security information to the server. “This architecture can help minimise bandwidth requirements and provide scalability for distributed environments. Plus, the security analysis is highly accurate due to the aggregation and correlation of critical information from all sensors at the server level,” explains Kapoor.

While this split architecture approach promises an answer, others are looking at changing IPS more fundamentally. The conflict between users wanting faster networks on one hand — and safer networks on the other — is a square that network teams, with the help of vendors and installers, are having to circle. “Inspecting applications in the traffic path requires some strong re-thinking. We need to work out how this can be done without introducing bottlenecks, single points of failure or delays that will break real-time applications such as voice or video,” says Abderrafi Belfakih, manager of systems engineers at Cisco. Belfakih sees research in IPS product development and more thought in network design and placement, as well as operational management and processes, as an important part of eventually achieving these objectives.

Whatever fine tuning vendors, installers and network teams can bring to the table, it is unlikely to remove all of the headache that comes with IPS. There is a growing shift in the vendor community from promising silver bullet solutions to educating end users that intrusion prevention is a tough discipline that requires a significant investment in people and time as well as money. “All analysts agree you can’t install and forget intrusion detection and prevention. The issue of false positives needs to be looked at,” says Ben Vaux, technical director for Juniper EMEA. “What we would stress is that the network is extremely complicated and anomalies can be caused by IDP devices, faulty NIC cards or even an upgrade in server processing power,” he adds. Vaux says customers should acknowledge network complexity and resolve to understand it fully as a means of controlling it, rather than looking for an ‘install and forget’ solution that they believe can fix everything.

Beyond strategic issues involving which approach is best for IPS, the technology faces a variety of other, more technical issues and limitations. For one, most IPS products have no awareness of the type of application they are scanning and often cannot handle encrypted or encoded traffic. Furthermore, most IPS products only protect against well-known attack variants that already exist. “Most IPS systems rely on signatures of known threats, meaning they won’t stop zero day outbreaks of new threats. IPS signatures are an extra layer of protection but over-reliance on signature-based IPS can lead to vulnerabilities,” says Peter Barlow, director for Secure Computing Middle East and Africa.

IPS companies are trying to work around this limitation. For example, ISS’s security research department — known as X-Force — is focusing its attention on vulnerabilities rather than exploits. If each vulnerability that arises is patched by the enterprise as soon as it becomes known, then it can actually pre-empt even zero day attacks. “ISS is focused on finding vulnerabilities before a possible attack has been designed. Other approaches concentrate on trying to stop the attack after it is already in the wild,” says Peter Stremus, EMEA VP of marketing at ISS. The downside to the system, as with all patching-based solutions, is that it requires consistent effort and needs a motivated and prompt patching team. There is also the danger that IT teams lapse into complacency when warned about vulnerabilities for which there is no known exploit, which could lead to that task slipping to the bottom of a busy network manager’s agenda.

Cisco has built features into its IPS in a bid to improve accuracy in distinguishing between threats and legitimate network traffic. These include risk rating, which is designed to provide a more accurate and balanced assessment of the risk associated with a given event. The vendor has also developed Meta Event Generator, which correlates the time between events, network behaviour and multiple exploit behaviour to more accurately identify and stop worms.

Other companies have approached the problem from the opposite angle, and have decided to focus on only letting in normal traffic rather than trying to spot rogue traffic. This is a simpler approach but it requires the network team to identify very accurately what constitutes normal traffic. If a network deals with dynamic and rapidly changing traffic, this approach will be difficult to implement. One such company that specialises in this approach is MagniFire, which was acquired by applications networking player F5 Networks in 2004 for US$29 million. “IDS and IPS are not effective against zero day attacks, as they are signature-based. The TrafficShield product from F5 is a proactive solution that only lets in expected traffic,” says Philip Crocker, EMEA marketing director, F5 Networks.

Despite its limitations, IPS is a key element in the security arsenal and companies such as Cisco, Extreme and 3Com (through its acquisition of TippingPoint) have introduced innovative solutions, including Extreme taking threat scanning to 10Gbytes/s throughput with its Sentriant device. 3Com has recently added an anti-phishing element to its TippingPoint IPS. The gateway-based solution uses a variety of mechanisms to detect and prevent phishing scams, including vulnerability protection, pattern-matching protection and behaviour-based protection. “Because TippingPoint’s anti-phishing approach is gateway-based, the technology aims to attack the e-mail and website-based scams closer to the source, and does not give users the opportunity to respond and get caught in the trap,” says Charlotte Dunlap, information security analyst at Current Analysis. “Traditionally, anti-phishing products come in the form of client-based software, which creates an administrative burden, and may allow end users to make decisions about potentially fraudulent pages,” she adds.

The only real drawback with the technology is, as ever with IPS, the danger of false positives. This is true no matter what form of IPS is used, be it hardware or software-based, a standalone device or one that comes integrated with other functions. The option chosen by the enterprise depends very much on the individual company. Budget decisions — as well as the specific type of threat being encountered — will influence this decision as much as the theoretical pros and cons of each form factor. Adding IPS functionality to existing platforms or products will increase the level of protection on the network, but won’t necessarily replace a dedicated solution, which will tend to provide optimum protection and performance. Likewise, software solutions are generally considered suitable for low-bandwidth network environments, while dedicated hardware solutions are safer bets to provide both the protection and performance required by business-critical network topologies. “It depends on the problem being solved, network topology and the priorities of the customer. Business critical applications will focus on security and network availability, while ease of use or simply cost may be the key driving factor in other network environments,” says Dylan Vrind, Top Layer’s regional sales manager, Benelux, Scandinavia & Middle East.

Intrusion prevention is a hasty response to fast-evolving threats and as such it is far from perfect. However, with effective implementation and management it can help to keep critical systems up and running while chaos reigns over less protected networks. The key issues IT teams must bear in mind are that solutions are immature (and changing fast) and that, no matter how effective they are, they will need considerable attention from staff to deliver real dividends and a return on investment.
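The split intelligence architecture Kapoor describes (sensors filter, the server aggregates and correlates) and the time-correlated worm detection attributed to Cisco's Meta Event Generator can be sketched together. This is an added toy example written for this page, not code from any vendor; the risk-rating formula, signature names, asset values and alert records are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical asset values (constructed); a deployment would pull these from inventory.
TARGET_VALUE = {"10.0.0.5": 5, "10.0.0.6": 5, "10.0.0.7": 3}
FORWARD_THRESHOLD = 10  # sensor forwards only events rated at or above this

@dataclass(frozen=True)
class Alert:
    ts: int        # seconds since capture start
    sig: str       # signature name
    severity: int  # 1 (low) .. 5 (high)
    src: str
    dst: str

def risk_rating(a: Alert) -> int:
    """Toy rating: severity scaled by target value. Illustrative only,
    not Cisco's actual risk-rating formula."""
    return a.severity * TARGET_VALUE.get(a.dst, 1)

def sensor_filter(alerts):
    """Sensor side: forward only events that clear the rating threshold."""
    return [a for a in alerts if risk_rating(a) >= FORWARD_THRESHOLD]

def correlate_worm(events, window=60, min_targets=3):
    """Server side: flag a (src, sig) pair that reaches >= min_targets distinct
    hosts within `window` seconds, the spread pattern of a scanning worm."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.src, e.sig)].append(e)
    meta = []
    for (src, sig), evs in by_key.items():
        for i, first in enumerate(evs):
            hits = {e.dst for e in evs[i:] if e.ts - first.ts <= window}
            if len(hits) >= min_targets:
                meta.append({"type": "worm_propagation", "src": src,
                             "sig": sig, "targets": sorted(hits)})
                break
    return meta

# Constructed alerts: one low-value web probe and one RPC exploit hitting several hosts.
RAW = [
    Alert(0, "HTTP_PROBE", 1, "172.16.1.9", "10.0.0.5"),
    Alert(5, "RPC_OVERFLOW_X", 4, "192.168.3.4", "10.0.0.5"),
    Alert(12, "RPC_OVERFLOW_X", 4, "192.168.3.4", "10.0.0.6"),
    Alert(40, "RPC_OVERFLOW_X", 4, "192.168.3.4", "10.0.0.7"),
    Alert(300, "RPC_OVERFLOW_X", 4, "192.168.3.4", "10.0.0.99"),
]
```

Running `correlate_worm(sensor_filter(RAW))` forwards three of the five alerts to the server and yields one meta-event for 192.168.3.4; the single hit on 10.0.0.99 is dropped at the sensor and the probe never reaches the server at all.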
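The contrast the article draws between signature-based IPS and the "only let in expected traffic" model (the approach attributed to F5's TrafficShield) can be shown on a few HTTP request lines. This is an added example written for this page, not F5's or any vendor's code; the signature list, the traffic profile and the sample requests are constructed, and it also shows the re-tuning step a profile needs when a legitimate feature changes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Signature list (constructed): the only patterns a signature engine can stop.
SIGNATURES = [re.compile(p, re.I) for p in (r"\.\./", r"<script")]

# Positive profile (constructed): allowed paths, the parameters each accepts
# and the format every value of that parameter must satisfy.
PROFILE = {
    "/login": {"user": re.compile(r"^[a-z0-9_]{1,32}$"),
               "lang": re.compile(r"^[a-z]{2}$")},
    "/orders": {"id": re.compile(r"^\d{1,10}$")},
}

def signature_verdict(url: str) -> str:
    """Negative model: block only what matches a known signature."""
    return "block" if any(s.search(url) for s in SIGNATURES) else "allow"

def positive_verdict(url: str, profile=PROFILE) -> str:
    """Positive model: admit only requests that fit the learned profile."""
    parts = urlsplit(url)
    allowed = profile.get(parts.path)
    if allowed is None:
        return "block"  # path never seen in normal traffic
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        rule = allowed.get(name)
        if rule is None or not all(rule.match(v) for v in values):
            return "block"  # unknown parameter, or a value outside its format
    return "allow"

def extend_profile(profile, path, name, pattern):
    """Return a copy of the profile that also accepts `name` under `path`;
    this is the re-tuning the article says the network team must keep doing."""
    new = {p: dict(rules) for p, rules in profile.items()}
    new.setdefault(path, {})[name] = re.compile(pattern)
    return new

def compare(urls, profile=PROFILE):
    """Map each URL to (signature verdict, positive verdict)."""
    return {u: (signature_verdict(u), positive_verdict(u, profile)) for u in urls}

# Constructed traffic: two normal requests, a malformed id that matches no
# signature, and a legitimate request from a newly added export feature.
SAMPLE = [
    "/login?user=alice&lang=en",
    "/orders?id=4471",
    "/orders?id=4471-A",
    "/orders?id=4471&export=csv",
]
```

`compare(SAMPLE)` passes the malformed id under the signature engine but blocks it under the profile, and blocks the legitimate export request as well until `extend_profile` teaches the profile the new parameter, which is the false-positive cost the article warns about.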
