It is a great shame if these fears are affecting people's views of IPS, because many of these fears are no longer founded on fact, but the early problems associated with IDS, such as too many false positives. This led many users to tune down systems to the point where they were no longer producing meaningful alarms and therefore, not doing their job.
In addition, many of the concerns voiced about IDS and IPS are based on misconceptions, such as the belief that an IPS can only block or not block, rather than create alarms like a traditional IDS - whereas the reality is that most IPS will only block a limited number of attacks and will provide alerts for the rest of the dangerous traffic that they see. Another major concern has tended to be latency and the IDS vendors have invested significant effort into ensuring that latency is now limited.
It helps to remind ourselves what are the fundamental differences between IDS and IPS. In simple terms we define IDS as being products that inform users that something is happening, whilst IPS prevents it happening. In reality, this distinction tends to get somewhat blurred, as some IDS devices are capable of blocking, by using TCP resets, and most IPS devices will inform on a large number of events, rather than prevent them.
There is now a strong feeling in the industry that the only true protection for a network is inline and reactive. Staffing levels and budgets have decided that companies need a strong return on investment for their security expenditure. Many organizations are not able to dedicate numbers of staff to watching the IDS and even if they can, these operators cannot react quickly enough to the threat to properly protect assets. In essence, security needs to be far more of a barrier than a burglar alarm. Many people are very suspicious of putting any type of IDS solution in line due to the worries about the network stopping working. But modern IPS solutions have come such a long way from the early days of IDS, when false positives were the bane of all security teams existence.
Why is IPS now worth considering? It can be narrowed down to four main reasons:
Many IDS systems are now much better at dealing with false positives since they now use much more complex detection than earlier systems. The greater use of protocol analysis has significantly reduced false positives. Once upon a time, the simple pattern-matching algorithms used caused many false positives, with alerts generated if any packet matched a source or destination port associated with a Trojan or worm. This was poor, since the type of packet could often be used to determine whether the packet was really an attempted attack or a legitimate source packet.
Modern IPS rely on multiple detection methods, incorporating both analysis of the protocol and matching of the signature. Many vendors will claim that today's more accurate analysis methods are completely adequate in detecting attacks, but that they are forced to use signature matching since users are required to know what attack is taking place, rather than being told that a generic buffer overflow has occurred on a particular system. Management likes to have a name for the attack so that the report makes better reading.
IPS vendors are careful in setting which attacks are blocked by default since people are highly aware that their networks could be broken. This means that most IPS vendors will only block by default those attacks which they are virtually certain cannot be false positives. In most cases this includes a whole host of worms and Trojans.
Additionally, most people only use IPS in a mixed mode, whereby some events are blocked and some just alerted on, so that they only block a limited number of events and then handle the rest like traditional IDS, by generating alerts and alarms. This means that most types of event will generate an alert rather than a reactive response. In this way, a high proportion of traffic will be completely unaffected by the IPS.
Many modern IPS systems also have the ability to run in simulation mode that allows the user to identify which attacks would have been blocked if the system was running in protection mode. This allows for tuning of the system in the event of undesirable potential blocks being discovered. It also enables the user to build up a detailed picture of what traffic is on the network and how it would be handled by the IPS.
The other major fear when deploying an IPS is in introducing latency into the network. This is completely valid, since any inline device will cause some latency. Indeed, the introduction of the many multi-function security devices is partly to reduce this problem, caused by passing through multiple inline devices. The IPS manufacturers have partly addressed this issue by the use of dedicated hardware and ASICs. IPS also uses low-level packet drivers and high-speed network cards. On top of this, the devices sit at layer 2, beneath the network layer,so that they do not have to decode everything.
The threat is getting worse
The nature of the threat on the internet is changing. This has been true since the internet first became widely used. The spread of worms is now a major problem and the development of hybrid attacks - using multiple infection vectors - means that old methods of prevention are no longer adequate. In the past, the main type of defence were anti-virus systems, but these are reactive in nature and often a signature is not available before an attack. With many of the worms that exploit buffer overflows and application vulnerabilities, this is no defence at all. It is also true that with many of the more recent threats the infection time has been incredibly fast, with Slammer doubling its infections every 8.5 seconds. Human analysts simply cannot respond quickly enough to these threats, so it is only automatic systems that can provide protection.
The changing pattern of internet threat means that most attacks now are against applications and will pass through firewalls undetected. Even IDS that can send TCP resets are not adequate to block the attack since the latency involved can often mean that the attack is over before each end has received and responded to the reset. IPS can also now take protection a stage further and block an entire traffic stream based on an analysis of its intent.
The other problem of internet facing systems is one of complexity. Put simply, the amount of components needed for a medium sized e-commerce or portal site means that there are a large number of both systems and applications deployed. This leaves organizations with a patch management nightmare. IPS can provide an interim solution to these issues by providing protection to systems before they are patched, which allows for more orderly deployment of operating system and application patches.
IPS use is now more widespread
One year before it sounded the death-knell of IDS, In 2002 Gartner group predicted a healthy growth for IPS: "By year end 2004, advances in non-signature based intrusion detection technology will enable network-based intrusion prevention to replace 50 percent of established IDS deployments and capture 75 percent of new deployments."
The reality of the situation is that this has come to pass much more slowly than envisaged, partly due to the issues discussed in this article and partly due to the investment that people had already made in IDS.
IPS was, and is, seen as a costly and, in some cases, exotic technology. IPS requires time and dedication to deploy and skill and knowledge of the network to tune the policy to block more than the default. But the vendors have invested huge amounts of effort into changing this and ensuring that their customers can have a basic working system with minimal effort. The shift from software to appliance-based solutions has made this easier.
Many major organizations are now using IPS as a vital part of their security, since experience has proved that firewalls are wholly inadequate for protecting against worms and other attacks that are carried via legitimate traffic. According to many internet threat analyses, the proportion of attacks targeting web applications has increased considerably in the last two years. The number of attacks against browsers, and not just Internet Explorer, has risen as well. This means there is a need to protect your internal users from internet sites that they may visit which have malicious content.
Costs are falling
It is not just big corporates who are in a strong position to benefit from IPS. Looking at available IPS and IPS-like components just three years ago, the market was very different. Yet a quick Google search for IPS products will show that there are offerings from TippingPoint, ISS, Netscreen, Network Associates and Top Layer, to mention just a few. This competition in the market - and the shift to appliances aimed at smaller companies - has made IPS more affordable than ever before, with many vendors offering products aimed at the smaller end of the market.
The provision of powerful integrated management components like ISS SiteProtector allow for correlation of the threat and vulnerability and lets administrators configure policy accordingly - ignoring attacks that have no chance of success, thereby only providing information that is really needed.
Nevertheless, there remains a fight against prejudice based on the feeling that IPS is still a new technology. All security products, as any firewall administrator will agree, suffer from being blamed when there are network problems. In the early days of commercial firewalls, whenever there was a network problem the firewall always got the blame: the same is true for IPS, and will continue to be for some time. There is still a problem of bridging the credibility gap, but IPS can provide protection that cannot be got from other security devices and it is protection that companies increasingly need because of the way that the threat is involving. The question should no longer be 'Can I trust IPS' but rather, 'Can I afford not to?'
The author is Technical Consultant, IDsec Ltd.