On the defensive

Companies are realising that a comprehensive security approach offered by intrusion prevention systems (IPS) is the best form of defence against escalating attacks

By Peter Branton. Published September 3, 2006

Image caption: Intrusion prevention systems (IPSs) offer comprehensive defence, being able to identify, respond to and block attacks on the firm’s network.

Brain, the first PC virus, which appeared 20 years ago, is very different from today’s batch of viruses and worms. Like many of the first-generation viruses, it was generally seen as just a nuisance. Its creators, two Pakistani brothers, used the program as a piece of true viral marketing, advertising their company, Brain Computer Services of Lahore, Pakistan, by flashing the message “Beware of this VIRUS... Contact us for vaccination” on the screen of infected machines.

In these harsher times, attacks are seen as critical threats, with the power to cause major disruption to companies’ operations and to cost victims millions upon millions of dollars. That is mainly because the motive for creating viruses has changed over the years: while earlier attacks were meant to show off their creators’ technical abilities, present-day hackers are mainly after their victims’ money.

Companies are paying huge sums to repair damaged systems. In the US, for instance, the Federal Bureau of Investigation (FBI) reports that it costs businesses around US$67.2 billion a year to deal with viruses, spyware, PC theft and other computer-related crimes. The FBI also says that, on average, it costs each company US$24,000 to clean up damaged systems. While no such statistics are available for the Middle East, it is safe to assume that companies in the region face a similar situation. In fact, businesses anywhere in the world are at risk; there are no exemptions.

Anyone in charge of managing security for an enterprise knows how the problem of security vulnerabilities has escalated in the past years. Companies are realising that, to defend against such attacks, a firewall alone does not provide a sufficient level of security for their business.

They are searching, instead, for a comprehensive security approach that includes a firewall, correctly configured routers, anti-virus products, a security policy, high-speed processors, and solutions for keeping intruders out. Vendors aim to address that need by providing companies with intrusion prevention systems (IPSs).

Considered an evolution of intrusion detection systems (IDSs), an IPS, like an IDS, acts as an electronic surveillance system that monitors traffic patterns and compares them against known attacks. An IPS, however, takes the process one step further by actually responding to attacks and blocking them from entering the network.

There are two main approaches to IPS: host-based and network-based. A host-based intrusion prevention system is a software agent loaded on each PC and server you want to protect. It monitors and tracks how the activities running on each system interact with each other and with the operating system itself.

“Host-based IPS is usually focused on securing or protecting the very host that it resides on. So, if you have a PC or a server where critical data and applications need protection, you would employ host-based IPS on that host and it would protect all the network traffic that comes to that specific host plus all the activities that happen locally in this machine,” describes Hatem Ali, technical manager, ISS Middle East.

A network-based intrusion prevention system, on the other hand, sits on your network, often in appliance form, and examines packets as they pass through. “For the network IPS, the scope would be the network segment that it is supposed to protect. So, it can protect your gateway, the subnet of the servers or server farm, or the network segment where you have some users connected to,” Ali says.
While these two approaches may, at first, look like competing methodologies, Abdul Karim Riyaz, regional director for the storage and protection business unit at CA Europe, Middle East and Africa — Eastern Markets, says that they are actually complementary solutions. In fact, whenever possible, vendors recommend that companies invest in both host-based and network-based IPSs. “They are complementary. There is no such thing as choosing one or the other,” he says.

“Host-based and network-based IPSs are always required and they complement each other. I would not say that one [approach] is better than the other. Both of them are always required if the customer is looking for a total security solution,” adds Kalle Bjorn, technical manager, Fortinet Middle East.

“The difference lies in the scope. For host-based IPS, it is only the host that it is supposed to protect. A network IPS only protects the network segment where it is deployed. Eventually they complement each other because for security you need to implement protection at many different locations and at many different layers,” explains Ali. “You don’t want to put all your eggs in one basket. You do not want to put all your protection in a single place, because once the attack comes from another place, it can cause damage. You try to distribute your agents of protection among all your IT infrastructure,” Ali continues.

Host v Network

Image caption: Headquarters need to have both network- and host-based IPS, says Hatem Ali of ISS.

Companies on a tight budget, however, do have the option of going for only one approach. Both host-based and network-based IPSs have their own benefits and disadvantages, which can influence an enterprise’s buying decision. CA’s Riyaz recommends that companies go for host-based IPS, especially when they have many mobile users.

“As host-based IPS is something that you deploy on a single host, you can install it in your laptop. When you are travelling, you are taking your laptop outside of the corporate network, which means that your laptop is no longer protected by the corporate IPS. By having a host IPS it will provide that protection on that single device that you have,” Riyaz says. “Plus, even when you have your laptop connected to your internal network, a host-based system is capable of detecting attacks that are made against that single PC on that PC itself. You might have, for example, a malicious user who is trying to do some changes on the PC itself in order to gain further access to encrypted files,” he adds.

For large organisations, such as banks, Ali suggests installing a host-based IPS in branch offices while deploying network-based IPS at headquarters. “Banks usually have many branches, and for a branch there would be very little network involved. The focus there would be to protect the host because, eventually, the branch’s small network is connected to the big network of the headquarters. On the other side, at the headquarters’ place, you have to have network protection because all your major assets are on that network,” he continues. “In the headquarters you have to have both network- and host-based IPS, but in the branch office you might be well off with a host-based IPS, given that the network is small and it is not exposed directly to the internet,” Ali elaborates.

Arun George, technical sales manager, Tipping Point, 3Com Middle East and India, believes that a network-based approach is a better option for any organisation. “In a host-based approach, there is a huge dependency on the host, whereas in the network-based approach it is installed on the network level so there is no client implementation. The problem with host-based IPS is that it is entirely dependent on the software that you are installing in the host, which means that a host IPS software that you install in a Windows machine cannot be installed in a Linux machine,” he says.
“Apart from that, in a host-based approach, you cannot protect certain endpoints, such as a voice over internet protocol (VoIP) phone or a printer. All these are endpoints, but you cannot go and install software everywhere because the software might not be available. Once again, that is a limitation for a host-based approach,” continues George.

Since a network-based IPS sits inline, all data packets traversing the network have to go through the IPS device, which, George claims, makes it a much more effective system for preventing attacks that originate inside an organisation. A network IPS would also benefit companies that cannot keep up with patching their systems, George adds. “If you don’t have IPS in a proactive mode, what is going to happen if during a weekend a vulnerability has been published? Even if the vendor has released a filter on the same day, it would still need somebody, an administrator perhaps, to come and set the filter on. Without that the exploit can lead to compromise of the network,” he says.

In other words, a network IPS can buy administrators the much-needed time to update machines with new patches. Strategically placed in front of a web-facing environment, it can serve as a multi-patch system that protects your network from attacks while the hosts behind it are still unpatched.

However, having all network traffic pass through the IPS appliance may have an adverse effect on the network’s performance. That is why, George says, companies looking at buying a network IPS need to make sure that the latency of the appliance (the time it takes for a packet of data to get from one designated point to another) is similar to that of a Layer 2 switch. “If you look at the latency of a normal Layer 2 switch, it is somewhere between 50 to 80 microseconds. Ideally, a network IPS’s latency should be near those figures. The idea is we need to provide security but it should not be at the cost of performance because, at the end of the day, IPS is a support function. If the end user experience is bad, the business will opt to remove the IPS from the network,” George says.

“For network IPS the limitation has always been the speed of the box, the throughput. Now, the new models of IPS appliances are capable of handling gigabit traffic. There are carrier-class solutions for IPS. They are getting over this problem,” Ali reveals.

GFI Software’s André Muscat, product manager, claims there are other flaws in network IPS. “A network IPS can analyse any network traffic that goes to a computer system. That works fine for a very closed environment network. In reality, however, all of the businesses that we have dealt with have laptops and people who are travelling. Network IPS is most effective when you are within the network. Otherwise, when it comes to laptops, you need a different strategy,” Muscat says.

Insider threats

Image caption: Network IPS is most effective when you are within your network, claims André Muscat of GFI Software.

By having a host-based IPS, Muscat claims, companies can better protect themselves not only from outside threats but also from attacks that originate from the inside. “Customers believe that if you protect your web server and your gateways you are fine. That is what people do first. They will protect their servers and their gateways because the perception is, ‘I have to protect myself from the man outside’,” he says. “What companies do not realise is that about 60% to 70% of the attacks actually happen from the inside. While you are protecting yourself from the outside, you still need to protect yourself from the inside. That is where host-based IPS comes in. You start protecting your endpoint,” Muscat adds. For instance, he claims that once an insider threat is disguised via encryption, a network IPS has no way of catching it.
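To make two points in the article concrete, the difference between an IDS that only alerts and an IPS that also blocks, and George’s requirement that an inline appliance add no more latency than a Layer 2 switch, here is a small added example in Python. It is not code from the article or from any vendor quoted in it, and nothing in it represents a real product: the two signatures, the four sample packets, the 80 microsecond budget and the engine itself are all constructed for the illustration. The last packet is deliberately opaque binary data that no content rule can read, which is the limitation Muscat raises for encrypted traffic.

```python
"""Toy inline signature engine contrasting IDS (detect) and IPS (block) behaviour.

Added illustration; not code from the article or from any vendor quoted in it.
Signatures, packets and the latency budget below are constructed for the demo.
"""
from __future__ import annotations

import re
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int               # constructed rule id, not a vendor signature number
    name: str
    dport: Optional[int]   # None means "any port"
    pattern: re.Pattern    # compiled regex run over the payload bytes


# Constructed sample rules: a directory-traversal probe against web servers and,
# as a nod to the article's opening, the marketing string Brain displayed.
SIGNATURES = [
    Signature(1001, "HTTP directory traversal probe", 80, re.compile(rb"\.\./\.\./")),
    Signature(1002, "Brain virus text in mail body", None, re.compile(rb"Beware of this VIRUS")),
]


class InlineEngine:
    """Sees every packet on the segment, like the inline appliance the article describes."""

    def __init__(self, signatures: list[Signature], mode: str = "ips",
                 latency_budget_us: float = 80.0):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' (alert only) or 'ips' (alert and drop)")
        self.signatures = signatures
        self.mode = mode
        self.latency_budget_us = latency_budget_us   # upper end of the quoted switch latency
        self.alerts: list[tuple[int, str, str, str]] = []
        self.forwarded: list[Packet] = []
        self.dropped: list[Packet] = []
        self.latencies_us: list[float] = []

    def match(self, pkt: Packet) -> Optional[Signature]:
        """Return the first rule whose port and payload pattern both match."""
        for sig in self.signatures:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if sig.pattern.search(pkt.payload):
                return sig
        return None

    def process(self, pkt: Packet) -> str:
        """Inspect one packet and return the verdict, 'forward' or 'drop'."""
        start = time.perf_counter()
        sig = self.match(pkt)
        verdict = "forward"
        if sig is not None:
            # Both IDS and IPS raise an alert; only IPS changes the verdict.
            self.alerts.append((sig.sid, sig.name, pkt.src, pkt.dst))
            if self.mode == "ips":
                verdict = "drop"
        (self.dropped if verdict == "drop" else self.forwarded).append(pkt)
        # Time spent inside the engine is the latency the appliance adds to the path.
        self.latencies_us.append((time.perf_counter() - start) * 1e6)
        return verdict

    def over_budget(self) -> list[float]:
        """Per-packet latencies that exceeded the Layer 2 switch budget."""
        return [lat for lat in self.latencies_us if lat > self.latency_budget_us]


# Constructed traffic: one benign request, one traversal probe, one mail carrying
# the Brain string, and one opaque (encrypted-looking) record that no rule can read.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.6", "10.0.0.80", 80, b"GET /images/../../admin/config HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.25", 25, b"DATA\r\nBeware of this VIRUS... Contact us for vaccination\r\n.\r\n"),
    Packet("10.0.0.8", "10.0.0.43", 443, b"\x16\x03\x01\x00\x10" + bytes(range(16))),
]


def run_demo(mode: str) -> dict:
    """Run the constructed traffic through the engine and summarise what happened."""
    engine = InlineEngine(SIGNATURES, mode=mode)
    for pkt in SAMPLE_PACKETS:
        engine.process(pkt)
    return {
        "mode": mode,
        "alerts": len(engine.alerts),
        "forwarded": len(engine.forwarded),
        "dropped": len(engine.dropped),
        "max_latency_us": max(engine.latencies_us),
        "packets_over_budget": len(engine.over_budget()),
    }


if __name__ == "__main__":
    for m in ("ids", "ips"):
        print(run_demo(m))
```

In "ids" mode both matching packets raise alerts but all four are forwarded; in "ips" mode the same two alerts are raised and the two matching packets are dropped, which is exactly the extra step the article credits an IPS with. The opaque fourth packet is forwarded in both modes, since a content rule has nothing to match against. The per-packet timings are there to show where George’s budget would be checked, not to stand in for appliance measurements: a Python regex loop says nothing about the microsecond figures quoted for purpose-built hardware.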
A host-based IPS can provide the organisation with a clearer picture of how these things happen. “A host-based IPS monitors the actions within an endpoint. It can tell you what the user is doing, at what day and time, which gives you a better understanding of the user’s activities or what type of attack is taking place,” Muscat says. “By using a host-based system, you can monitor your computer, keep track of what’s going on and the actions which the user is doing on the system. You can then correlate the data you have collected from market resources in a way that makes sense, that is feasible and understandable. These systems provide an environment which the administrator can monitor. Monitoring is a very important aspect of what is going on in your network,” he elaborates.

CA’s Riyaz adds that host-based IPS is much easier to customise and control. “We believe that this provides better protection at each individual host level and also you get a better control of applications within each host and how you manage the behaviour and access rights on individual systems and whether to allow or disallow specific activities on individual systems,” he says. “If it is network-based, it is more of a single rule across the network, which means that some of the systems may have certain requirements that cannot be managed if it is a network-based approach,” he continues. “We are not a big supporter of devices. We do not believe that there is one IPS device that you can place in the network and help everybody. We have seen in the recent past, many of the device vendors stopped their devices, called back the devices, and moved to the software route,” he points out. “CA has always stayed in the software route and we will continue to stay in that route and come up with software solutions, which are much more flexible and much easier to manage and deploy,” Riyaz adds.

However, there are also several downsides to host-based IPS. Since they must be installed on every endpoint that is to be secured, they can be costly to deploy and cumbersome to maintain. Host IPS must also be updated regularly to ensure that signatures exist for all identified attacks. In addition, since they are deployed on individual parts of the network, they cannot be used to prevent an attack aimed at the network in general, such as a denial-of-service attack.

Whatever approach you choose, it is important to understand that IPS is not the only answer to all your security needs. IPS should be used in addition to other security technologies, and seen as a complementary, rather than a conflicting, solution. “The whole idea of security is that it is very layered. It means that the more layers you have, the lesser the chances of a security breach happening,” says Riyaz.

“When you talk about security, it depends a lot upon the company’s policies. What are they trying to achieve? Many people think that if they buy a security product out of the box, that is enough,” Muscat claims. “That is a wish-list situation. Unfortunately, it takes more than that. That is why we have so many security products. We try out different things, and do them at different angles,” he concludes.
