The Network Intrusion Prevention Systems (IPS) market, according to Gartner, continues to mature and evolve, and has become a due-diligence safeguard for corporate networks. An IPS is an inline device that performs deep-packet inspection of inbound and outbound network traffic. After inspecting a packet, the IPS decides either to let the packet through or to block (drop) it.
Those decisions are made on a number of factors.
Signature-based IPS devices block traffic whose packets match the characteristics of previously seen attacks, such as known viruses, worms and exploit payloads. Vendors collect malicious code, derive signatures from it and push those signatures to the IPS. The IPS compares incoming packets against the signature set and drops any that match.
IPS devices also offer rate limiting. An IT administrator sets thresholds for traffic, and the IPS throttles traffic back once a threshold is exceeded, as happens during a denial-of-service attack in which an attacker floods the network with packets. The trick for security administrators is to set the thresholds so that legitimate traffic is not blocked during an unexpected but legitimate spike: a rate limiter cannot tell a flash crowd from a flood by volume alone, so thresholds have to be tuned against the network's real peaks.
The third way an IPS blocks traffic is behavior-based. The IPS builds a baseline of normal network traffic patterns and issues alerts when something departs from it. The most-often cited example is a server that starts pushing out large amounts of packets at 3 a.m., when no one is supposed to be working. Another is a host that makes an unusual type of connection, for example a machine that suddenly starts using FTP to send large amounts of data.
With the number of attacks on businesses growing rapidly, IPS vendors have made advances in the way they tackle the changing threat landscape. Cisco is shipping what it claims is the first intrusion-prevention system to correlate IP reputation filtering with signature-based intrusion prevention sensors. TippingPoint has redesigned its threat suppression engine to scan traffic more efficiently, which lets users turn on more filters without slowing traffic flow. Juniper, for its part, has expanded its Intrusion Detection and Prevention (IDP) functionality across its different platforms, including firewalls and edge routers.
The first generation of IPS was based on signature detection, which works fine if the incoming attack has already been identified, a signature exists for it and that particular IPS has been updated with it. However, signature-based IPS does not stop distributed denial-of-service (DDoS) attacks, in which an attacker floods Web servers with traffic that looks legitimate packet by packet, exhausting their resources until they crash or stop responding.
Vendors responded by adding rate limiting to their IPSs. With a rate-based IPS, customers set limits on the amount of traffic the network will accept. During a DDoS attack the IPS throttles incoming traffic back to that limit, which keeps the servers behind it reachable and blunts the attack rather than eliminating it.
Of course, that still left the problem of zero-day attacks, or any attack for which no signature yet exists. The answer is an IPS that identifies suspicious behavior on the network.
These behavior-based IPS devices build a map of the network and the devices on it, then apply sets of rules to block attacks dynamically. Their advantage is that they can react to unknown attacks without waiting for a signature. Most vendors today offer IPSs that combine all three types of prevention.
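To make the three decision methods concrete, here is an added illustration, not code from Cisco, TippingPoint, Juniper or any other product named in this article, of an inline decision engine that applies them in the order described above: signature match first, then rate limit, then behavior baseline. Everything in it is constructed for the demonstration: the two byte signatures standing in for a vendor feed, the thresholds, the addresses, and the traffic, in which host 10.0.0.5 plays the web server that suddenly uses FTP and pushes out far more data than usual at around 3 a.m. UTC.

```python
"""Toy inline IPS decision engine: signature match, then rate limit, then
behavior baseline. Added example, not any vendor's code; every packet,
signature, address and threshold below is constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # seconds since the Unix epoch
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    payload: bytes
    outbound: bool   # True when the packet leaves the protected network


# 1. Signatures: hypothetical byte patterns standing in for a vendor feed.
SIGNATURES = {"NOP-SLED": b"\x90" * 16, "DIR-TRAVERSAL": b"../../../"}


def match_signature(pkt: Packet) -> str | None:
    """Name of the first signature found in the payload, or None."""
    return next((n for n, p in SIGNATURES.items() if p in pkt.payload), None)


class RateLimiter:
    """2. Sliding-window packet counter per source; the admin sets the threshold."""

    def __init__(self, max_packets: int, window_s: float) -> None:
        self.max_packets, self.window_s = max_packets, window_s
        self._seen: dict[str, deque[float]] = defaultdict(deque)

    def over_limit(self, pkt: Packet) -> bool:
        q = self._seen[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window_s:   # expire timestamps outside the window
            q.popleft()
        return len(q) > self.max_packets


class BehaviourBaseline:
    """3. Learn each host's outbound services and busiest hour, then flag departures."""

    def __init__(self, volume_factor: float = 5.0) -> None:
        self.volume_factor = volume_factor
        self._services: dict[str, set[tuple[str, int]]] = defaultdict(set)
        self._peak: dict[str, int] = defaultdict(int)               # bytes in busiest learned hour
        self._learn: dict[tuple[str, int], int] = defaultdict(int)  # (host, hour) -> bytes
        self._live: dict[tuple[str, int], int] = defaultdict(int)

    def learn(self, pkt: Packet) -> None:
        if pkt.outbound:
            self._services[pkt.src].add((pkt.proto, pkt.dport))
            key = (pkt.src, int(pkt.ts // 3600))
            self._learn[key] += len(pkt.payload)
            self._peak[pkt.src] = max(self._peak[pkt.src], self._learn[key])

    def anomalies(self, pkt: Packet) -> list[str]:
        if not pkt.outbound:
            return []
        flags = []
        if (pkt.proto, pkt.dport) not in self._services[pkt.src]:
            flags.append(f"{pkt.src} has not used {pkt.proto}/{pkt.dport} outbound before")
        key = (pkt.src, int(pkt.ts // 3600))
        self._live[key] += len(pkt.payload)
        peak = self._peak[pkt.src]
        if peak and self._live[key] > self.volume_factor * peak:
            flags.append(f"{pkt.src} sent {self._live[key]} B this hour, "
                         f"over {self.volume_factor}x its learned peak of {peak} B")
        return flags


class InlineIPS:
    def __init__(self, limiter: RateLimiter, baseline: BehaviourBaseline) -> None:
        self.limiter, self.baseline = limiter, baseline

    def decide(self, pkt: Packet) -> tuple[str, str]:
        """Return ("drop" | "alert" | "allow", reason) for one packet."""
        if sig := match_signature(pkt):
            return "drop", f"signature {sig}"
        if self.limiter.over_limit(pkt):
            return "drop", f"rate limit exceeded by {pkt.src}"
        if flags := self.baseline.anomalies(pkt):
            return "alert", "; ".join(flags)   # behavior hits alert rather than drop here
        return "allow", ""


T0 = 1_700_000_000.0        # 2023-11-14 22:13:20 UTC: the learning period
T_NIGHT = T0 + 5 * 3600     # 03:13 UTC, "when no one is supposed to be working"
WEB = "10.0.0.5"            # constructed address of the protected web server


def run_demo() -> Counter:
    """Feed constructed traffic through the engine and count the decisions."""
    baseline = BehaviourBaseline(volume_factor=5.0)
    for i in range(20):     # daytime baseline: 20 KB/h of HTTPS leaving the web server
        baseline.learn(Packet(T0 + i, WEB, "203.0.113.10", "tcp", 443, b"x" * 1000, True))
    ips = InlineIPS(RateLimiter(max_packets=200, window_s=1.0), baseline)

    traffic = [Packet(T0 + 50, "198.51.100.7", WEB, "tcp", 80,
                      b"GET /../../../etc/passwd HTTP/1.1\r\n", False)]   # signature hit
    traffic += [Packet(T0 + 100 + i / 1000, "198.51.100.9", WEB, "tcp", 80, b"", False)
                for i in range(250)]                                     # 250 packets in 0.25 s
    traffic.append(Packet(T_NIGHT, WEB, "203.0.113.44", "tcp", 21,
                          b"STOR backup.tar\r\n", True))                  # first-ever FTP
    traffic += [Packet(T_NIGHT + 1 + i, WEB, "203.0.113.44", "tcp", 443, b"y" * 1500, True)
                for i in range(70)]                                      # 105 KB out at 3 a.m.
    return Counter(ips.decide(p)[0] for p in traffic)
```

Running `run_demo()` yields 51 drops (the traversal payload plus the 50 flood packets beyond the 200-per-second threshold), 5 alerts (the FTP session and the last four HTTPS packets, which push the hour's outbound volume past five times the learned peak) and 266 allows. Note what the limiter does not know: the 200 flood packets it let through and a genuine flash crowd look identical to it, which is exactly the threshold-tuning problem the article warns about, and the behavior baseline is only as trustworthy as the learning window it was trained on.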
Buying tips
IPSs block traffic using three different methods: signatures, rate control and traffic behavior. Determine which of these methods is relevant to your network, and when in doubt, get an IPS that does all three. "Besides the ease of use and throughput criteria, the other major considerations should be the detection and prevention capability along with false positive and specifically false negative rates. Further, forensics and tuning must be extraordinarily good. A plain IPS that protects against typical vulnerabilities alone does not help you there. Strong IDS and forensic capabilities on top really make a good product," says Markus Nispel, Director of Solutions Architecture, Enterasys.
Neeti Rodrigues, Regional Sales Director, TippingPoint, agrees that the changing attack landscape is shaping the criteria organizations should use to evaluate IPS products. "The focus for hackers has moved from generalized OS attacks to more custom targets on client-side and Web applications. Further, the increase in mobile computing has disintegrated the network perimeter."
Organizations looking at an IPS should assess the quality of a solution's attack coverage. Certainly, there are other factors to consider (reliability, performance, manageability, scalability and technical support), but given the changing nature of the attacks described above, the quality of attack coverage goes to the heart of the value proposition of any potential security solution, she adds.
Management and reporting capabilities are another important factor, according to Tarek Abbas, Sr Systems Engineering Manager, Juniper. He cites the example of role-based administration on Juniper's IDP, which allows more than 100 different activities to be assigned as unique permissions to different administrators, streamlining operations by logically separating and enforcing the roles of the various administrators.
There are also two high-availability options: active/active mode, in which both IPSs process traffic and you get the combined capacity of the pair; and active/standby, in which one IPS handles all the traffic while the second waits to take over if the first fails. With active/active, size each unit so that it can carry the full load on its own; otherwise a failover that pushes all traffic onto one box degrades inspection at exactly the moment it is needed.
But just as the stand-alone IDS was superseded by the IPS, experts now predict that the stand-alone network IPS will eventually be absorbed into an all-encompassing security device such as a UTM appliance or next-generation firewall (NGFW). Vendors counter that, although security coverage in NGFW products is being enhanced, an NGFW cannot yet replace an IPS while providing the same level of comprehensive security. "We actually see the next generation firewall becoming a feature of IPS, which will ultimately help organizations save administrative resources and costs through robust and integrated policy management," says Rodrigues.