An ounce of intrusion prevention may cure your network security ills

By Joel Snyder,David Newman and Rodney Thayer
Network World, 02/16/04

Original Article on Network World Web Site

Talk about jumping on a bandwagon. When Gartner last summer declared "IDS is dead, long live IPS," marketeers everywhere picked up the intrusion-prevention system buzzword and ran with it. Like the VPN craze of three years ago, when every product having anything to do with virtualization or privacy got the VPN label, IPS products of every shape, size and description have started to crowd the market.

With our first "In the Wild" IPS test, we've spent the last five months testing 11 products on our live distributed network connecting sites in Los Angeles, San Jose and Tuscon, Ariz., to help sort out the real from the rhetoric. We looked at what the products can detect, how powerful and flexible they are in blocking traffic, and how their management systems can support real network topologies (see How we did it).

This review provides a wealth of data on the features and manageability of these products. However, because these products manage malicious traffic differently, we did not assess performance (see Why no performance tests).

We defined an IPS as an in-line product that focuses on identifying and blocking malicious network activity in real time. We set the in-line criteria because this is the segment of the market that offers the widest array of IPS technology. In doing so, we understand we excluded some good intrusion-prevention technology (see story).

Vendors participating comprised several well-known security firms, including Check Point, Internet Security Systems, NetScreen Technologies and Top Layer Networks; and newcomers Captus Networks, DeepNines Technologies, EcoNet.com, Lucid Security, StillSecure, TippingPoint Technologies and Vsecure Technologies.

These products fall into two general categories: rate-based products and content-based (also referred to as signature- and anomaly-based) products. Products from both sets generally look like firewalls and often have some basic firewall functionality. But firewalls block all traffic except that which they have a reason to pass; IPSs pass all traffic except that which they have a reason to block.

Rate-based IPS products block traffic based on load: too many packets, too many connects, too many errors. In the presence of too much of anything, the rate-based IPS kicks in and blocks, throttles or otherwise mediates the traffic. The most useful rate-based IPS includes a combination of powerful configuration options and a broad range of response technologies (see story).

We also found variation in defining what is too much traffic and in deciding what to do about it. Configuring an IPS to describe "too much" is difficult even for savvy network professionals, and there was little agreement from vendors as to the best approach to limiting traffic. Because rate-based IPSs require frequent tuning and adjustment, they will be most useful in very high-volume Web, application and mail server environments.

Content-based products block traffic based on attack signatures and protocol anomalies (see story). Worms, such as Blaster and MyDoom, that match a signature can be blocked. Packets that don't follow the many TCP/IP RFCs are dropped. Suspicious behavior such as port scanning triggers the IPS.

The best content-based IPSs offer a range of techniques for identifying malicious content and many options for how to handle the attacks, from simply dropping bad packets to dropping future packets from the same attacker, and reporting and alerting strategies. With IDS-like technology identifying threats and blocking them, content-based IPSs can be used deep inside the network to complement firewalls and provide security policy enforcement.