Computerworld
Home News Blogs ReviewsWhite Papers Newsletters IT Careers

resource center


Ads by TechWords

See your link here

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 
 

Print edition

What to ask when evaluating intrusion-prevention systems

By Bob Walder, The NSS Group
June 8, 2005 12:00 PM ET
Recommended
(0)
Digg
Share/Email

Computerworld - An intrusion-prevention system (IPS) is part of an overall security strategy to protect your network from attack. The IPS literally prevents an attack by blocking bad stuff, such as viruses or malformed packets, from getting into the company network.
Sitting directly behind the firewall, the IPS examines in detail all the traffic passed by the firewall, reassembles it and "scrubs" it where necessary (removing any attempts at obfuscation or evasion) and compares it to a database of known attack patterns.
This brings us to the first and biggest difficulty faced by anyone when evaluating IPS products -- how effective is the detection mechanism? Asking vendors these questions can help you decide which IPS is right for your company.
What is the coverage like?
The total number of signatures is a well-used marketing trick, but quantity isn't always an indicator of quality of coverage. Sometimes, one well-written signature can detect a large number of exploit variations. However, some vendors with hardware-accelerated products and horsepower to spare will often throw signatures at the problem, with one signature for each variation -- not always the best approach.
Does it rely purely on pattern matching, or can it perform protocol decodes?
A protocol decoder is often the best (and sometimes the only way) to detect multiple exploits for complex vulnerabilities. However, don't believe all the hype about protocol decoders. It's not always necessary to have one, and sometimes, a few well-written signatures can work just as well. (Bear in mind that even a full protocol decoder needs to use pattern or variable matching in order to determine if the protocol-specific content it has extracted is malicious).
How susceptible is it to common evasion techniques?
There are a number of readily available evasion tools out there (fragroute, Whisker, etc.) and at the very least, any IPS should be able to handle them easily. Watch out for any product that comes with IP fragment reassembly or TCP segment reassembly disabled by default. This is often done purely for performance reasons or because the reassembly is suspect. These anti-evasion techniques should always be enabled.
How likely is it that variants of the same exploit or new exploits of the same vulnerability will be detected without a signature update?
What we are looking for here is a product where the signatures are written to detect the underlying vulnerability rather than a specific exploit. This means that when a new variation of an old exploit is produced, the IPS device stands a good chance of being able to block it



Recommend Digg Twitter ShareThis
Email Print Send Feedback Reprints

Additional Resources

POLL RESULTS
Leading IT Pros Weigh In on Top IT Issues
Accelerate your knowledge of the IT world you inhabit by viewing the results of a series of polls taken by your IT peers. These polls of 100+ IT professionals each are available for full viewing. They cover key topics such as virtualization, processor performance, green IT, cloud computing and many others. Be a part of the buzz.
WHITE PAPER
For Best Results, Think Beyond the Box
Technology is complex. Keeping it running productively shouldn't be. To that end, you want to minimize the number of solutions needed in-house to simplify operations, maintenance, and support. Kodak offers a best-practices model. One company provides support for both scanner and software, for fast problem resolution without vendor finger-pointing. Download now!
WHITE PAPER
Accelerating the Path to Demand Intelligence with a Demand Signal Repository
Utilizing demand intelligence improves the precision of pricing, product assortments, channel/store placement, and promotion, which are all essential for sustainable revenue management performance. Learn more, download this free whitepaper today.

White Papers & Webcasts

File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
Learn how integrity monitoring software solutions enable IT organizations to achieve and maintain configuration control. Tripwire® Enterprise is the first solution to effectively...  

Managing And Protecting Your Ever Increasing Mobile Assets
(Source: Absolute Software) Your users are becoming more mobile each day. This is great for productivity - yet challenging for IT control. Natalie...

Differentiating With Technical Support: JBoss Customer Support Study
JBoss' expert technical support services is clearly acknowledged by its client base. The comprehensive nature by which their service is unsurpassed. Every category...  

IDC Webcast: Linux Adoption in a Global Recession
Join Al Gillen from IDC and Michael Applebaum from Novell in this on-demand webcast to see how Linux has emerged as an even...

The JBoss SOA Assessment Tool: Spend Less, Do More
SOA does not have to be overly complex or expensive. The JBoss SOA Assessment Tool can help you chart a course to a...  

Novell Opens PR Video
Is the Linux desktop for me? Customers are looking for ways to be more flexible and save money. Using Linux offers a great...

The CIO's New Guide to Design of Global IT Infrastructure
Is it possible to eliminate the impact of distance? This paper explores the 5 key principles successful CIOs are using to redesign IT...  

2 Minutes to IT workload automation
Take just 2 minutes to watch this short CONTROL-M flash video. Well show you how BMC CONTROL-M can put money back into your...

IBM Lotus Notes Performance Brief
This is a Performance Brief that illustrates how Riverbed Steelhead appliances accelerate Lotus Notes R7....  

Security Configuration Management
In this web video, follow along with Jim Hansen, Senior Product Manager with Big Fix, as he explains why Security Configuration Management is...

All White Papers | All Webcasts

Computerworld Reports

An Interactive eBook: Enterprise Security

The Business Case for Server Virtualization

Computerworld Technology Briefing: Intelligent Users Use Business Intelligence

All Computerworld Reports
 
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.