It's a familiar story to Donal Casey, one he's seen many times. As a security consultant at Morse, he has installed several intrusion prevention systems. But he went back six months after installing an IPS at one client only to find they had unplugged their new IPS and put it in a storeroom. "They just couldn't cope with it," he recalls.
As the latest step up the evolutionary ladder from intrusion detection systems (IDSs), IPSs try to block attacks rather than merely warn that an attack might be under way. Many vendors, both traditional security companies and networking suppliers such as Cisco, Symantec, Check Point and McAfee, now sell IPSs. But the first generation of IPSs proved a management nightmare for many customers, or was simply ineffective. So is the latest generation any better?
"Years ago, when IPS was an emerging technology, it had all sorts of issues," recalls Andrew Wilson of the Information Security Forum. He has been watching the market since the emergence of IPS and over that time, little has happened to change his views.
"[There are] things to do with signature distribution, things to do with false positives, things to do with false negatives. There is the intense amount of effort needed to tune and get the right amount of management reporting. I think people now recognise that all of that is bedevilling IPS. The problems haven't gone away."
Although approaches vary, an IPS typically sits in the path of corporate network traffic, either as an agent on the hosts most likely to be attacked or as a dedicated network device. It inspects not just packet headers and flow patterns but the payload itself, looking either for behaviour designed to exploit a particular vulnerability or for malicious content such as a worm, virus or trojan.
The besetting problems of many IPSs have been false positives and false negatives: the IPS wrongly identifies legitimate traffic as malicious, or misses a real attack because it looks legitimate. If the IPS blocks legitimate traffic, it is effectively mounting its own denial-of-service attack on the business. If it lets a real attack through, the network it is supposed to defend is compromised, and the organisation may not even know it.
The result was a thumping management headache for many early IPS users. Configuring the IPS to the correct degree of sensitivity was often a tediously long and labour-intensive process that could still often result in a poorly calibrated system. Dealing with constant reports of potential malicious activity was also more than most IT staff had the resources to cope with. The result was an IPS that was often ignored or turned off altogether.
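To make the false-positive and false-negative trade-off, and the tuning it demands, concrete, here is an added example that is not code from the article or from any vendor named in it. It is a toy signature-based content inspector run over three constructed HTTP requests; the rule names, addresses and payloads are hypothetical. A loose rule that matches "../" anywhere in the payload blocks a legitimate user comment (a false positive); a tuned rule that only looks at the request line passes the comment but misses a percent-encoded traversal (a false negative) until the request line is normalised before matching.

```python
"""Toy inline content inspector showing false positives, false negatives and
the effect of tuning. Added example: rules, hosts and packets are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    dport: int
    pattern: re.Pattern


# Loose rule: "../" anywhere in the HTTP payload, body included.
LOOSE = [Rule("traversal-loose", 80, re.compile(rb"\.\./"))]

# Tuned rule: "../" only inside the request target on the request line.
TUNED = [Rule("traversal-tuned", 80,
              re.compile(rb"^(?:GET|POST) [^ \r\n]*\.\./", re.M))]

# Constructed traffic (hypothetical addresses and payloads).
TRAFFIC = {
    # Legitimate: a user comment that happens to contain a relative path.
    "legit": Packet("10.0.0.5", 80,
                    b'POST /comment HTTP/1.1\r\nHost: app\r\n\r\n'
                    b'{"text": "see ../README for details"}'),
    # Obvious directory traversal in the request target.
    "attack": Packet("10.0.0.9", 80,
                     b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: app\r\n\r\n"),
    # Same attack with the slashes percent-encoded.
    "evasion": Packet("10.0.0.9", 80,
                      b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1\r\nHost: app\r\n\r\n"),
}


def normalise(payload: bytes) -> bytes:
    """Percent-decode the request line so encoded traversal is seen as "../"."""
    line, sep, rest = payload.partition(b"\r\n")
    return unquote_to_bytes(line) + sep + rest


def verdict(pkt: Packet, rules, normalised: bool = False) -> str:
    """Return "pass" or "block:<rule>" for the first rule that fires."""
    data = normalise(pkt.payload) if normalised else pkt.payload
    for rule in rules:
        if rule.dport == pkt.dport and rule.pattern.search(data):
            return "block:" + rule.name
    return "pass"


def matrix(normalised: bool = False) -> dict:
    """Verdict of each rule set on each sample, keyed by (sample, ruleset)."""
    out = {}
    for name, pkt in TRAFFIC.items():
        out[(name, "loose")] = verdict(pkt, LOOSE, normalised)
        out[(name, "tuned")] = verdict(pkt, TUNED, normalised)
    return out


if __name__ == "__main__":
    for norm in (False, True):
        print(f"normalised={norm}")
        for (sample, rules), v in matrix(norm).items():
            print(f"  {sample:8} {rules:6} -> {v}")
```

Without normalisation the loose rule drops the legitimate comment and both rules miss the encoded attack; the tuned rule plus decoding catches the traversal and passes the comment. Every rule in a real IPS carries this same pair of questions, which is why tuning a signature set is rarely a one-off job.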
According to Dave Beesley, managing director of security consultancy Network Defence: "Customers are not really buying into this space. There is a perception that it's not really value for money and that the security budget is quite tight. I don't think historically there's been a compelling case provided for IPS, which I think the industry has begun to recognise."
Yet many users still stuck with IPS. The requirements of auditors, typically for compliance, have proved a factor behind many such installations. "In the enterprise area, compliance is a major factor," adds Beesley. "It can be a requirement of the auditors to have an audit trail. For SOX compliance, it's a useful tool for auditors to see logs of attacks being stopped."
But genuine security concerns have also motivated organisations to invest in an IPS. There are now so many malicious internet attacks, mainly from automated "script kiddie" attacks, that the CERT security organisation has stopped recording the number, regarding it as meaningless. Despite a decrease in malware releases, last year IBM's Global Business Security Index Report saw an increase in attacks with criminal motivation, and expects that trend to continue. In particular, 2005 saw the arrest of cybercriminals around the world who were found to have links to organised crime. Many more were motivated by financial gain rather than destruction or ostentation.
Cal Slemp, vice-president of IBM's security and privacy services division, says the company believes the environment has shifted. "We are seeing organised, committed and tenacious profiteers enter this space. This means that attacks will be more targeted and potentially damaging."
The attacks are mostly aimed at high-profile companies such as Google, but companies in lucrative markets such as finance are being targeted too. Peter Rendell, CEO of IPS vendor Top Layer, says many of these attacks are variants on an older theme: "They're usually extortion: we'll take your site down if you don't pay a ransom."
He recently installed an IPS at a major telecoms client that was worried about bandwidth being siphoned off and used for other people's profit, typically in VoIP schemes – a variant on a common technique used against telecoms firms in the 70s. "Google pays millions each year for its bandwidth. It stands to lose that if others steal its bandwidth," he explains.
While the need for a working intrusion prevention system might therefore exist and be growing as attacks become more sophisticated, the question still remains as to whether the latest IPSs are capable of defending against them.
Certainly, the systems at the very high end can provide very powerful defences against attackers, but for the mid-range, some doubt remains. The Information Security Forum's Wilson believes his research suggests that, while IPSs have improved, they still don't have what it takes to provide cast-iron protection against attacks.
"The thinking with IDS and then IPS seems to be of ‘jam tomorrow'. But it has never worked quite that well."
As high-end attackers blend techniques, including social engineering, and as more and more legitimate traffic travels over the web server port 80 thanks to web services, an IPS can no longer provide complete protection without in-depth inspection of traffic content, which is exactly where the cost lies.
Computing power has increased, but inspecting every packet arriving down a saturated gigabit Ethernet connection at wire speed is still more than most systems can manage.
Both vendors and analysts agree that expecting an IPS to defend against everything is impossible. Indeed, in many cases, all that should realistically be expected of an IPS is the ability to block the majority of attacks, warn of other potential threats and maintain a forensic log in case of penetration.
"Some things could well get through," admits Cisco security consultant Kevin Regan. Although Cisco's host-based IPS, the Cisco Security Agent, has a good track record of protecting against zero-day attacks, he warns that it's difficult to make any predictions. "There are hundreds of thousands of viruses out there," he explains.
Instead, he advocates a more "belt and braces" approach, with IPS potentially giving a window of comfort for organisations, during which they can tighten their security, apply patches and so on, when they become aware of a problem thanks to the IPS.
Similarly, Scott Lucas of Extreme, which sells network-based IPSs, suggests that the behavioural analysis tools used by most IPSs need time to become ‘sure' of an attack; certain hosts might need to be "sacrificed" on the network before the IPS can decide with certainty that traffic is malicious and block it.
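The window Lucas describes can be shown with a toy behavioural detector. This is an added example, not Extreme's or any other vendor's logic; the addresses and the event stream are constructed. The detector blocks a source once it has contacted more than a threshold of distinct destinations within a sliding time window. Raising the threshold lets a scanning host reach more targets before it is blocked (the "sacrificed" hosts); lowering it blocks the scanner sooner but also blocks a legitimate monitoring host that polls three servers.

```python
"""Toy behavioural scan detector showing why threshold-based blocking
"sacrifices" the first targets. Added example with constructed events."""
from collections import defaultdict, deque


class ScanDetector:
    """Block a source once it has contacted more than `threshold` distinct
    destinations within a sliding `window` of seconds."""

    def __init__(self, threshold: int, window: float):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # src -> deque of (time, dst)
        self.blocked = set()

    def handle(self, t: float, src: str, dst: str) -> str:
        """Return "pass" (connection forwarded) or "block"."""
        if src in self.blocked:
            return "block"
        q = self.history[src]
        q.append((t, dst))
        while q and t - q[0][0] > self.window:   # expire entries outside the window
            q.popleft()
        if len({d for _, d in q}) > self.threshold:
            self.blocked.add(src)
            return "block"
        return "pass"


def replay(events, threshold: int, window: float):
    """Run the detector over time-ordered (t, src, dst) events.
    Returns ({src: sorted destinations actually reached}, sorted blocked sources)."""
    det = ScanDetector(threshold, window)
    reached = defaultdict(set)
    for t, src, dst in events:
        if det.handle(t, src, dst) == "pass":
            reached[src].add(dst)
    return {s: sorted(d) for s, d in reached.items()}, sorted(det.blocked)


# Constructed traffic (hypothetical addresses):
#   10.0.0.66 sweeps eight hosts, one per second;
#   10.0.0.2 is a monitoring box polling three servers every ten seconds;
#   10.0.0.7 is an ordinary client talking to a single server.
EVENTS = sorted(
    [(float(i), "10.0.0.66", f"10.0.1.{i + 1}") for i in range(8)]
    + [(float(10 * k + j), "10.0.0.2", f"10.0.1.{j + 1}")
       for k in range(3) for j in range(3)]
    + [(float(5 * k), "10.0.0.7", "10.0.1.1") for k in range(6)]
)

if __name__ == "__main__":
    for threshold in (4, 2):
        reached, blocked = replay(EVENTS, threshold, window=30)
        print(f"threshold={threshold}: blocked={blocked}")
        for src, dsts in sorted(reached.items()):
            print(f"  {src} reached {dsts}")
```

With a threshold of four, the scanner reaches four hosts before the fifth attempt is dropped and the monitoring host is never touched; with a threshold of two, only two hosts are sacrificed but the monitoring host is blocked as soon as it polls its third server. The threshold is the knob that trades sacrificed hosts against false positives, and no setting removes both.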
If an organisation decides that it does need an IPS, this works best as part of a unified security strategy. Relying on an IPS by itself to protect against all attacks would be foolhardy. However, relying on a combination of dedicated anti-virus, firewall, IDS and IPS technology, among other tools, should be enough to protect most organisations against the majority of attacks while providing the necessary forensic evidence afterwards.
This approach does bring with it some increased management requirements, although these are not as great as the requirements imposed by earlier IPSs.
As Paul Brettle, systems integration company Stonesoft's country manager for the UK and Ireland, puts it: "There are a few large American companies that say it's as simple as a click of a button. Get a life: it's never going to happen. That's massively over-simplified."
But it can become a manageable technology, with improved integration with security management consoles, improved intelligence in the devices, and improved implementation strategies.
Most organisations, however, don't need an IPS, adds Brettle: "If you have a good firewall, you probably don't need one."
IPSs are an evolution of IDS; they still require management and fine-tuning, although those problems are being reduced. For many organisations, they are unnecessary. They are certainly not a panacea. But for those high-risk businesses that are prepared to invest time and money managing it, and who are able to use the technology in conjunction with other proven security systems, IPS has the potential to protect against many of the minor – and some of the major – security problems facing organisations today.