Erecting Barriers

Intrusion-prevention systems don't just tell you there may be an attack -- they block it.

There are two approaches to fighting viruses: prevention or cure. With networks, you can use an intrusion-detection system (IDS) to tell you when there is a problem or an intrusion-prevention system (IPS) to block it in the first place.

The Weather Channel Interactive Inc. in Atlanta, for example, picked up suspicious activity via an IDS. For several days in a row, it detected a high amount of traffic coming in for a specific server port from 1 a.m. to 3 a.m. "My concern was that if it was a probing attack and they were doing it off shift, I had to watch out for when they did a real attack during prime shift," says Dan Agronow, vice president of technology.

This kind of after-the-fact probing is like using a thermometer to confirm that you are indeed running a fever -- much too late to prevent infection. The Weather Channel wanted to be able to react more quickly and keep up with the latest attack patterns happening on the Internet. It installed UnityOne 1200 intrusion-protection appliances from TippingPoint Technologies Inc. in Austin. "Now when we get attacked, we have the forensic information we need and the ability to block it," says Agronow.

Block and Tackle

Intrusion protection is one aspect of a complete defense-in-depth strategy. It supplements but doesn't replace other layers already in place.

"Don't think that these products are something that will eliminate the need for spam filters, personal firewalls or whatever else you are using," says Brian Philips, director of security at Network Systems Technology Inc. in Naperville, Ill., which provides managed networking, storage and security services. "IPS is part of a defense-in-depth strategy, not a replacement for what you already have."

IPSs address some of the shortcomings that became apparent as companies deployed IDSs. While the latter tell you there may be an attack, the former seek to block it. In that sense, an IPS is similar to a firewall, but it takes the opposite approach.

"Firewalls and network IPS, though they appear to be very close to each other, are complementary but very distinct products," says Greg Young, an analyst at Gartner Inc. "Firewalls block everything except what you explicitly allow through; an IPS lets everything through except what it is told to block."

The biggest concern with setting up an IPS is the problem of false positives: mislabeling legitimate traffic as malicious. Unlike an IDS, which sits off to the side and alerts only when it detects a potential problem, an IPS sits in-line and actively blocks traffic. Although vendors have gotten better with their identification algorithms, they are far from perfect.

"False positives are still a huge problem, so much so that it severely affects the value proposition of an IDS or IPS," says Paul Stamp, an analyst at Forrester Research Inc. "Users are still really fearful that their IPS will end up effectively performing a denial-of-service attack on their infrastructure."

To get around this, most devices are designed for a three-phase deployment. Philips describes the steps he took to set up a Sensitivist 500 IPS from NFR Security Inc. in Rockville, Md., for the Multiple Listing Service that Florida real estate agents use to share property information. It took 10 minutes to install the equipment and load some IP addresses for reporting. The box then operated in bypass mode, which means it didn't block anything.

"We started by having it stop nothing, tag everything and then start turning stuff on," he says.

Tuning took place over the next eight hours. During the second phase, the IPS still didn't block anything, but it generated reports of what it would have blocked. Philips then reviewed this data and decided whether he wanted the IPS to block that type of traffic. The third step was to activate the IPS, using the rules Philips had established. He then scheduled two other follow-up sessions to further tune the blocking.
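The three-phase rollout Philips describes (stop nothing, then report what would have been blocked, then enforce after review), as an added example that is not from the article or from any vendor's product; the rules, the sample packets and the `tune` helper are constructed for illustration:

```python
# Toy in-line IPS policy engine (constructed example, not a real product).
# Phase 1 "bypass": pass everything.  Phase 2 "report": still pass, but
# record what each rule would have dropped.  Phase 3 "enforce": drop matches.
# Like a real IPS it is default-allow: only traffic matching a rule is touched.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Constructed block rules: name -> predicate over a packet.
RULES = {
    "rpc-135-worm": lambda p: p.dst_port == 135 and b"MARKER" in p.payload,
    "sql-probe": lambda p: p.dst_port == 1433,
    "long-uri": lambda p: p.dst_port == 80 and len(p.payload) > 64,
}

@dataclass
class IPS:
    mode: str = "bypass"                       # bypass -> report -> enforce
    disabled: set = field(default_factory=set) # rules switched off during tuning
    would_block: dict = field(default_factory=dict)  # rule name -> hit count

    def matches(self, pkt):
        return [n for n, f in RULES.items() if n not in self.disabled and f(pkt)]

    def handle(self, pkt) -> str:
        hits = self.matches(pkt)
        if self.mode == "bypass" or not hits:
            return "pass"                      # phase 1, or no rule fired
        for n in hits:
            self.would_block[n] = self.would_block.get(n, 0) + 1
        return "pass" if self.mode == "report" else "drop"   # phase 2 / phase 3

def tune(ips, legit_traffic):
    """Review step: a rule that fires on known-legitimate traffic is a false
    positive; disable it before switching the box to enforce mode."""
    for pkt in legit_traffic:
        for n in ips.matches(pkt):
            ips.disabled.add(n)
    ips.mode = "enforce"
    return sorted(ips.disabled)

def demo():
    legit = [Packet("10.0.0.5", 80, b"GET /" + b"a" * 80 + b" HTTP/1.1")]  # long but legitimate
    hostile = [Packet("198.51.100.7", 135, b"MARKER" * 8), Packet("198.51.100.7", 1433, b"probe")]
    ips = IPS()
    phase1 = [ips.handle(p) for p in legit + hostile]   # bypass: nothing stopped
    ips.mode = "report"
    phase2 = [ips.handle(p) for p in legit + hostile]   # report: nothing stopped, hits logged
    report = dict(ips.would_block)                      # what would have been blocked
    disabled = tune(ips, legit)                         # long-uri flagged as a false positive
    phase3 = [ips.handle(p) for p in legit + hostile]   # enforce with the reviewed rule set
    return phase1, phase2, report, disabled, phase3
```

The report from phase 2 is what the reviewer reads before enforcement; without that step, the "long-uri" rule would have dropped the legitimate web request on day one, which is exactly the self-inflicted denial of service Stamp warns about.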

Young suggests, however, that one way to avoid false positives is to avoid tightening down rules too much. Although this means that some malicious traffic will get through, this approach still has value. "There is incredible value to be gained just from blocking the clearly bad stuff," he says. "Then they can learn more about the gray areas and decide what else they want to stop."

A Step Beyond

Improved security isn't the only benefit from installing an IPS. Matt Merritt, vice president of operations at Beal Service Corp. in Plano, Texas, which provides administrative support to other units of Beal Financial Corp., installed TippingPoint UnityOne 2400 units as part of complying with regulatory requirements governing protection of customer information. But he also found that it cut down the load on the rest of the network. "The overall performance on our network has generally improved, due in part to TippingPoint's traffic normalization feature, which filters out bad or malformed packets," he says.

The University of Georgia's chief information security officer, Stan Gatewood, reports that putting in an IPS allowed him to see what was on the network and gain better control. "When we took a look at the network, we were shocked at the protocols that were running around out there," he says. "We can now narrow it down to the standards and protocols we will support and block the rest."

However, although these added benefits have value, the primary advantage is still the ability to block threats at the gateway, so the other layers don't need to deal with them.

"There's no reason to let Blaster into the network," says Gartner's Young.

Robb is a Computerworld contributing writer in Los Angeles.

Special Report

Proactive Security


Copyright © 2005 IDG Communications, Inc.
