Issue dated - 9th February 2004


IPS is not a magic bullet

Queenie Ng

Blocking attacks with intrusion prevention systems (IPS) rather than simply monitoring them with intrusion detection systems (IDS) has been slowly gaining ground in corporations since last year. IPS is expected to make further inroads this year with new products and players in the market. But there is still a long way to go before it can be adopted as a mainstream security technology.

The outbreaks of worms and viruses in 2003, such as Slammer, Blaster and Nachi, illustrated the limitations of relying on standalone intrusion detection technology and subsequent human intervention to protect corporate networks.

Although it is necessary to know when an attack is in progress, notification alone is not sufficient. Nevertheless, intrusion prevention can provide the means for this protection, “since the automated response that it affords is the only way to keep pace with these worms,” said Allan Bell, marketing director of Network Associates Asia Pacific.

Network Associates, which bought two intrusion prevention companies to expand into the market, and vendors like NetScreen, Symantec and Cisco started pushing IPS last year.

Even analysts from Gartner suggest that intrusion prevention technologies are mature enough for initial production deployments in 2004.

Limitations

However, Steve Maslin, product manager for Equant Intrusion Detection, disagreed. “Early adopters may seek to embrace leadership in deploying automated IPS, but for the remainder of the core market, it’s a ‘wait and see approach’. The market is still developing,” he said.

The barriers hindering acceptance of IPS include difficulty of deployment, the number of false positives, performance issues, and the ability to fail over. These limitations lead industry professionals to believe that IPS is still an emerging technology and has not become a mainstream solution.

“The excess of false positive issues that result in dropped connections and blocked legitimate traffic is not acceptable, especially for a network running mission-critical applications,” said Alex Ho of Nokia Enterprise Solutions, regional product marketing, Asia Pacific.

Integration possibilities

In order to overcome these challenges, Bell from Network Associates suggested that vendors have to demonstrate product designs that can deliver on accuracy of detection, reliability and performance in production environments—and not affect business availability. Vendors also have to provide a migration path to prevention, based on confidence in detection.

In addition to broader product lines from existing IPS vendors to increase accuracy and performance of the systems, there will be new products from new players.

For example, Trend Micro is planning to launch a new network outbreak security appliance that can proactively detect, block, and isolate network viruses and worms, sources of infection, and unprotected devices.

Meanwhile, there is a growing trend of integrating intrusion prevention technology with other security solutions.

“We will begin to see intrusion prevention provided through the integration of multi-layered security technologies that have been shown to stop both known and unknown types of attacks without interrupting legitimate traffic,” said Andy Norton, director of product marketing, Symantec.

Even as IPS becomes more widely recognised as an effective security tool, Norton advised that it should not be used alone. Instead, combining IPS with other essential network security functions can provide more comprehensive protection.

In fact, hardware-based security vendor, Fortinet, said it is going to introduce a technology which combines the agility of intrusion detection, the speed of intrusion prevention and the selectivity of anti-virus technology to deliver an accurate threat prevention system. The technology, Dynamic Threat Prevention, will be launched this year.

Besides anti-virus, another mainstream security solution that IPS can be incorporated into is the firewall.

Wong Loke Yeow, security evangelist for TruSecure, expects that in the next few years, every IDS vendor will add blocking and firewalling capabilities into their sensors, and every firewall vendor will add signature detection into their rules-bases.

“Integrating IDS and firewalling capabilities under a single IPS interface and into a single device will presumably reduce management overhead, possibly reduce costs, and save footprint in the data centre,” said Wong.

By adding signatures to the firewall and turning it into an IPS, customers can now enforce a policy of ‘permit’, ‘deny’, or ‘permit as long as it appears to be non-hostile’. Wong explained that the last option allows organisations to finally utilise ‘internal firewalls’, which many organisations have resisted doing for fear of decreasing connectivity.

Implementation issues

However, beware of the tradeoffs in integrating firewalls with IPS. Because a proper implementation of IPS requires much more processing power than is found in typical firewalls, many firewall vendors choose to implement only a subset of the attack detection coverage offered by a full-fledged intrusion prevention product.

“This leaves customers who deploy these integrated solutions open to attack using any of the many different methods for which detection has been omitted in order to conserve processing power,” said Network Associates’ Bell.

Ultimately the onus falls on the customer to choose the most appropriate security solutions.

“Several factors, such as the user environment, operational controls and corporate security policy will determine if having security appliances that combine intrusion detection/prevention and deep packet inspection is more applicable,” said Elesh Kadakia, security marketing manager of Solutions and Product Marketing, 3Com.

But regardless of the security functions it can combine, IPS should not be perceived as a ‘magic bullet’ for security, or as a replacement for sensible policies, advised TruSecure’s Wong. After all, IPS is basically signature-based and can only block known types of attacks.

“We’re worried that people will just believe marketing literature and plonk an IPS in front of their network and forget to enable the basic firewalling capabilities of the device,” Wong said.

This article first appeared in Asia Computer Weekly



© Copyright 2003: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.