Issue dated - 25th August 2003


IPS fortifies IT departments’ security arsenal

IT administrators have quickly learned that intrusion detection systems do little to protect an enterprise network’s critical resources. As a result, the industry buzz heralding these systems as the greatest new security tool on the market has died a quick death. However, some burgeoning intrusion detection and prevention technologies overcome the pitfalls of legacy intrusion detection systems and can be highly effective additions to an IT department’s security arsenal, says NIR ZUK. The hitch is finding which ones, by understanding the pitfalls of intrusion detection systems and the product requirements for delivering ‘real’ prevention capabilities.

There’s ample proof that data networks and servers, whether based on proprietary or open source software, or Windows, Unix or Linux, are vulnerable to attack. Researchers and software vendors are always discovering new weaknesses in computer operating systems and software. So are hackers, who are motivated to look for vulnerabilities to exploit for amusement, spite or profit.

The good news is that many businesses and organisations are aware of these risks, and have invested time and effort in buying network security solutions such as firewalls and intrusion detection systems. The bad news is that some of those solutions do a poor job of securing the network against today’s increasing volume and complexity of attacks, which are now threatening enterprise networks both at the network and application level.

Take the Las Vegas Review-Journal, a daily newspaper with a circulation of more than 160,000 readers on weekdays, and 224,000 on weekends. We were told by Steven Olson, their support services manager, that the Review-Journal’s network and servers are under near-constant attack with 3,000 to 4,000 port scans per day, denial-of-service attacks and more.

Despite the Review-Journal’s best efforts to protect their network, Olson told us that often attacks used to succeed. As a result, Olson and his team researched and evaluated several intrusion detection systems, hoping to bolster their network protection. However, during the evaluation process, Olson and his team recognised that most of the intrusion detection systems they investigated lacked an efficient and effective means for the Review-Journal to block attacks. Olson commented, “Most offered e-mail alerts and an automatic mechanism for blocking IPs at the firewall, which wasn’t a good solution because legitimate user traffic would also be blocked.”

Olson brought up another real worry: many intrusion detection systems (IDS) generate huge numbers of false positives. And because most IDS products lack the full-featured management functionality that would help IT administrators gauge whether legitimate traffic is being blocked, quickly investigate whether an attack was genuine and whether it succeeded, or analyse logs to identify attack trends and modify policy in time, already overworked IT staff are burdened further.

When you can’t trust that the bad guys are being kept out and the good guys are being let in, it’s time to look for a better security technology, such as an intrusion detection and prevention system. Unlike legacy intrusion detection systems, certain intrusion detection and prevention systems can accurately detect attacks and automatically stop them before they ever reach their target, without disrupting future connections from that IP address. But it is often difficult to tell which products can and cannot provide the attack prevention necessary to protect critical assets. To do that, a clear understanding of the differences between intrusion detection systems and intrusion detection and prevention systems is required.

Lobby camera vs lobby guard

The differences between an intrusion detection system and an intrusion prevention system are as fundamental as the differences between a video camera passively watching a building’s lobby, and a burly lobby guard actually checking entrants before permitting admittance.

A security system that relies solely on a video surveillance system has the same shortcomings as an intrusion detection system. First, when the video surveillance system detects suspicious activity, it is unable to block the intruder directly. The watcher’s only response is to notify someone else of the problem: set off an alarm, phone the police. That takes time. By then, the intruder will probably be long past the checkpoint and may have already wreaked havoc.

Similarly, an intrusion detection system passively monitors traffic within an enterprise’s network, watching for traffic that looks suspicious and could be malicious. The range of attacks a device can detect is tied to the types of detection mechanisms it uses. Generic mechanisms that can’t narrow the scope of the attack search produce many false alarms, and devices that have only one, two or three mechanisms let attacks slip by undetected because of insufficient coverage.

More importantly, as monitoring devices they cannot affect traffic in real time; instead, they rely on reactive functions such as sending an IT administrator an alert message, trying to reset the TCP connection, and/or signalling the firewall to block an IP address. All of these mechanisms typically take effect after the attack has already reached its victim. As a result, these solutions are insufficient for effectively protecting an enterprise’s critical network resources.

Taking proactive action

The solution? Replace the video camera with a lobby guard, charged with physically inspecting each and every visitor before allowing them to enter the building, and arm the guard with multiple tools to detect different types of malicious intentions. This is essentially the equivalent of a state-of-the-art intrusion detection and prevention system that uses as many detection methods as possible to detect different types of attacks and then sits in-line, blocking the traffic from entering the network if it is considered malicious.

A proactive solution also has the ability to accurately interpret the traffic as the destination device would see it. This is important because many sophisticated attacks against networks actually require many packets in a stream. Individually, each packet may be innocuous, but when reassembled at the destination, the payload may cause a buffer overflow on an unprotected server, or a malformed data sequence may trigger a system crash. Traditional intrusion monitoring devices are hampered by their inability to correctly interpret the intent of those packets, which attackers use to their advantage, creating ambiguity to evade the system. By contrast, a ‘network aware’ in-line intrusion detection and prevention system can reassemble all of the packets in the sequence, so it can ‘see’ the same data as the traffic’s destination address on the network. If an IP packet is found to be malicious, it’s simply dropped and the attack attempt thwarted, proactively protecting critical resources and saving IT departments’ damage ‘clean up’ time and costs.
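The reassembly point above, as an added illustration that is not part of the article and not any vendor’s code: a per-packet matcher misses a signature split across TCP segments, whereas a sensor that rebuilds the stream by sequence number (handling out-of-order and overlapping segments, and holding when bytes are missing) sees what the destination host sees. The signature string, segments and sequence numbers are constructed sample data.

```python
"""Constructed example: per-packet matching vs. stream reassembly in an in-line sensor."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a real attack pattern the sensor would look for.
SIGNATURE = b"MALICIOUS_PATTERN"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments: List[Segment]) -> bool:
    """Legacy behaviour: inspect each segment in isolation."""
    return any(SIGNATURE in s.payload for s in segments)


def reassemble(segments: List[Segment], isn: int) -> Optional[bytes]:
    """Rebuild the byte stream as the destination host would see it.
    Segments may arrive out of order or overlap; bytes already seen win
    (first-wins policy). Returns None while there is still a gap."""
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        offset = seg.seq - isn
        if offset > len(stream):
            return None                      # gap: missing bytes not yet seen
        stream.extend(seg.payload[len(stream) - offset:])  # skip overlap
    return bytes(stream)


def stream_match(segments: List[Segment], isn: int) -> bool:
    data = reassemble(segments, isn)
    return data is not None and SIGNATURE in data


def inline_decision(segments: List[Segment], isn: int) -> str:
    """In-line verdict: drop malicious streams, forward clean ones, and hold
    (rather than forward) while the stream is still incomplete."""
    data = reassemble(segments, isn)
    if data is None:
        return "hold"
    return "drop" if SIGNATURE in data else "forward"


ISN = 1000
# Constructed evasive delivery: the pattern spans three segments, with the
# last two sent out of order and a 3-byte overlap between them.
EVASIVE = [
    Segment(1000, b"GET /index.html MALIC"),
    Segment(1027, b"ATTERN HTTP/1.0\r\n"),
    Segment(1021, b"IOUS_PATT"),
]
BENIGN = [Segment(1000, b"GET /index.html HTTP/1.0\r\n")]
```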

The Las Vegas Review-Journal understands the benefits of in-line functionality and multiple detection methods found in truly state-of-the-art solutions, one of which the Review-Journal recently deployed. Commented Olson, “The other intrusion detection devices we considered before selecting an intrusion detection and prevention solution were about as effective as a car alarm.” Olson added, “However, the new intrusion detection and prevention system does the job for the Review-Journal. It drops packets before attacks can get on our servers. We are able to block or ward off most critical, high-availability DNS attacks to our site and attacks which could result in total DOS (denial of service) at any given time.”

Attackers are out there, and without an active, in-line intrusion detection and prevention system capable of performing deep analysis by leveraging multiple detection methods and dropping malicious traffic, an enterprise network simply isn’t protected against sophisticated attacks. Most importantly, don’t be fooled by vendors marketing what are truly detection systems with some limited honeypot or protocol anomaly detection enhancement as an intrusion ‘protection’ or ‘prevention’ capability. Read the fine print and be sure to select an intrusion detection and prevention system that will truly be an effective addition to your IT department’s security arsenal.

The author is CTO at NetScreen and can be contacted at nzuk@netscreen.com

© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.
Please contact our Webmaster for any queries on this site.

IPS fortifies IT departments’ security arsenal - SecureSpace - Express Computer India