This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
The term "network IPS" doesn't inherently imply any one way of preventing intrusions. In fact, different products use radically different technologies because "security" means radically different things to different people.
This is a crowded and disparate market. Products range from high-performance standalone appliances to add-ins to existing firewalls. Although there are common denominators between some products that segment the market into broad, overlapping categories, the underlying design goals and capabilities vary widely.
There are three fundamental IPS detection technologies: signature-based (including protocol anomaly), rate-based and behavioral (such as network anomaly). While a product may include pieces of all three, each product features one of these as its primary technology.
Based on your needs statement, decide which of these three is most important to you overall and most appropriate for your application:
- Signature-based IPS dominates this market and includes standalone appliances, embedded IPS technology in firewalls and remotely managed service-based devices. They don't rely entirely on signatures to detect malicious or improper behavior. For example, they often include protocol anomaly detection, which looks for application or TCP/IP behaviors that are either non-standard or far from the normal behaviors; this helps detect zero-day attacks before a signature is available.
While it's critical to catching common exploits, signature-based detection is only as good as its signatures, which are difficult to write. Evaluating signatures is tough, in part because most IPS vendors don't leave them open for inspection. Although signature writers' mantra is "block the vulnerability, not the exploit," their Achilles' heel is the inability to identify every possible permutation of an attack. As a result, most signature-based IPSes are best at detecting common exploits (for example, attackers simply trying tools they've downloaded from the Internet).
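The distinction between an exploit signature, a vulnerability signature and a protocol-anomaly check is easier to see in code. The following is an added example written for this article, not code from any IPS product: it checks a single HTTP request line against all three. The vulnerable CGI path, the 256-byte "safe" path length and the sample request lines are all constructed assumptions for the illustration.

```python
"""Three signature-style checks on one HTTP request line (added example)."""
import re

# Assumed: a hypothetical server overflows when the request path exceeds this.
MAX_SAFE_PATH_LEN = 256

# Exploit signature: matches the one public proof-of-concept payload verbatim
# (the CGI name and the run of 'A's are assumptions for the example).
EXPLOIT_SIG = re.compile(rb"GET /cgi-bin/vuln\.cgi\?name=A{300,}")

# Protocol-anomaly check: a well-formed request line uses a known method,
# an absolute path and an HTTP/1.x version token.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (/\S*) HTTP/1\.[01]$")


def check(request_line: bytes) -> list:
    """Return the names of every check that fires, in evaluation order."""
    fired = []
    m = REQUEST_LINE.match(request_line)
    if not m:
        # Cannot even parse a path; the request itself is non-standard.
        fired.append("protocol-anomaly")
        return fired
    path = m.group(2)
    if EXPLOIT_SIG.search(request_line):
        fired.append("exploit-signature")
    # Vulnerability signature: the condition that triggers the bug (an
    # over-long path), regardless of which bytes fill it.
    if len(path) > MAX_SAFE_PATH_LEN:
        fired.append("vulnerability-signature")
    return fired


# Constructed sample traffic.
NORMAL = b"GET /index.html HTTP/1.1"
PUBLIC_POC = b"GET /cgi-bin/vuln.cgi?name=" + b"A" * 300 + b" HTTP/1.1"
PERMUTED = b"GET /cgi-bin/vuln.cgi?name=" + b"B" * 300 + b" HTTP/1.1"
ANOMALOUS = b"\x90\x90\x90 /index.html HTTP/1.1"   # NOP-sled bytes where the method belongs

if __name__ == "__main__":
    for name, line in [("normal", NORMAL), ("public PoC", PUBLIC_POC),
                       ("permuted PoC", PERMUTED), ("anomalous", ANOMALOUS)]:
        print(f"{name:13s} -> {check(line) or ['pass']}")
```

The permuted payload (the same over-long path filled with a different byte) slips past the exploit signature but not the vulnerability signature, which is exactly the gap the "block the vulnerability" mantra is meant to close. The last sample never reaches either signature: it is rejected as a protocol anomaly before a signature for it exists.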
- Rate-based IPS is primarily designed to mitigate and protect against DoS attacks; it closely watches the rate at which connections come into high-performance application servers, most typically Web servers. Rate-based IPSes take an active part in monitoring, controlling and filtering connections.
The best rate-based IPSes shield servers from bad connections during periods of stress by acting as proxies to ensure that there is someone "alive" on the other end before the server is involved. More sophisticated rate-based IPSes, appropriate for huge application server farms, offer a myriad of fine-tuned controls, but the basic technology can be built into any inline IPS device or firewall. These technologies scale down very well and can easily protect small- and medium-sized businesses with Internet-facing servers from many types of DoS attacks.
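The two mechanisms just described, a per-source connection-rate budget and a handshake proxy that only contacts the server once the client proves it is "alive", can be modelled in a few dozen lines. This is an added example written for this article, not code from any product; the window, budgets, timeout and addresses are constructed assumptions, and the simulation replays synthetic SYN/ACK events rather than real packets.

```python
"""Rate-based IPS model: per-source SYN budget plus SYN-proxy (added example)."""
import collections

WINDOW_SECONDS = 1.0          # assumed sliding window for the per-source budget
MAX_NEW_CONNS_PER_SRC = 20    # assumed SYNs one source may open per window
MAX_HALF_OPEN_TOTAL = 100     # assumed global budget of unanswered handshakes
HALF_OPEN_TIMEOUT = 3.0       # assumed seconds before a half-open entry is reaped


class RateLimiter:
    def __init__(self, window=WINDOW_SECONDS, per_src=MAX_NEW_CONNS_PER_SRC,
                 half_open_cap=MAX_HALF_OPEN_TOTAL):
        self.window, self.per_src, self.half_open_cap = window, per_src, half_open_cap
        self.recent = collections.defaultdict(collections.deque)  # src -> accepted SYN times
        self.half_open = {}        # (src, sport) -> time of SYN the proxy answered
        self.forwarded = 0         # handshakes completed and passed to the real server

    def _expire(self, src, now):
        q = self.recent[src]
        while q and now - q[0] > self.window:
            q.popleft()

    def on_syn(self, src, sport, now):
        """The IPS answers the SYN itself; the server is not touched yet."""
        self._expire(src, now)
        if len(self.recent[src]) >= self.per_src:
            return "drop:rate"
        if len(self.half_open) >= self.half_open_cap:
            return "drop:half-open"
        self.recent[src].append(now)
        self.half_open[(src, sport)] = now
        return "syn-ack"

    def on_ack(self, src, sport, now):
        """Only a client that completes the handshake is connected to the server."""
        if self.half_open.pop((src, sport), None) is None:
            return "drop:no-state"
        self.forwarded += 1
        return "forward"

    def reap_half_open(self, now, timeout=HALF_OPEN_TIMEOUT):
        stale = [k for k, t in self.half_open.items() if now - t > timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def simulate():
    """Replay constructed traffic: one good client, one flooder, one botnet."""
    ips, r = RateLimiter(), {}
    # Well-behaved client: five connections, each handshake completed.
    for i in range(5):
        ips.on_syn("10.0.0.5", 40000 + i, i * 0.1)
        ips.on_ack("10.0.0.5", 40000 + i, i * 0.1 + 0.01)
    r["good_forwarded"] = ips.forwarded
    # Single-source SYN flood: 500 SYNs in half a second, never acknowledged.
    v = collections.Counter(ips.on_syn("203.0.113.9", 50000 + i, 1.0 + i * 0.001)
                            for i in range(500))
    r["flood_syn_acked"], r["flood_dropped_rate"] = v["syn-ack"], v["drop:rate"]
    r["server_conns_from_flood"] = ips.forwarded - r["good_forwarded"]
    r["reaped"] = ips.reap_half_open(now=10.0)   # the flood's half-open state ages out
    # Distributed flood: 20 sources, each under the per-source budget, none ACK.
    v = collections.Counter(ips.on_syn(f"198.51.100.{s}", 60000 + i, 20.0 + i * 0.01)
                            for s in range(20) for i in range(10))
    r["ddos_syn_acked"], r["ddos_dropped_half_open"] = v["syn-ack"], v["drop:half-open"]
    return r


if __name__ == "__main__":
    for k, val in simulate().items():
        print(f"{k:24s} {val}")
```

The single-source flood is cut off by the per-source budget after 20 SYNs, and because the proxy never completes those handshakes the server sees zero connections from it. The distributed flood stays under every per-source budget, which is why the global half-open cap is the control that matters there; it is also the knob that a small site can tune without any of the finer controls the larger products add.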
- Behavioral IPS tracks network flows and traffic patterns, issuing alerts when it detects changes and, in extreme cases, blocking or throttling traffic. It is more of an intrusion reaction and alerting technology than a prevention tool. Behavioral IPS is poor at detecting or blocking specific incoming attacks, most of which consist of a specific data stream embedded in a normal protocol transaction and are not actually changes in behavior. It is, however, very good at identifying systems that have become infected and are now attacking other systems and users, or that have become bases of operation for hackers.
Behavioral IPS is also valuable for viewing large, complex networks, where the actual flows generally are not fully understood. You may consider purchasing a behavior-based system for that reason alone.
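To make both halves of that assessment concrete, here is an added example written for this article (not code from any product) that builds a per-host fan-out baseline from flow records and scores a new hour against it. The flow records, hosts, addresses, the three-sigma rule and the throttle multiplier are all constructed assumptions. It shows why an exploit riding inside an existing flow is invisible to this kind of detector while an infected host scanning its neighbours stands out immediately.

```python
"""Behavioral IPS model: per-host destination fan-out baseline (added example)."""
import collections
import statistics

# Flow record layout (constructed, NetFlow-like): (hour, src, dst, dport, bytes)
HOSTS = ("10.1.0.11", "10.1.0.12", "10.1.0.13")


def make_baseline():
    """24 hours of assumed normal traffic: every host talks to 4 destinations per hour."""
    return [(hour, host, f"192.0.2.{k + 1}", 443, 20_000)
            for hour in range(24) for host in HOSTS for k in range(4)]


def make_new_hour(hour=25):
    """The next hour: one exploit attempt inside a normal flow, one host scanning."""
    flows = [(hour, host, f"192.0.2.{k + 1}", 443, 20_000) for host in HOSTS for k in range(4)]
    # .11 sends a crafted request to a destination it already uses: same (dst, port),
    # different payload. A flow-level detector cannot see the payload at all.
    flows.append((hour, "10.1.0.11", "192.0.2.1", 443, 1_500))
    # .12 is infected and probing the internal /24 for SMB: 60 new destinations.
    flows += [(hour, "10.1.0.12", f"10.1.0.{100 + i}", 445, 120) for i in range(60)]
    return flows


def fanout_per_hour(flows):
    """Map (hour, src) -> number of distinct (dst, dport) pairs contacted."""
    seen = collections.defaultdict(set)
    for hour, src, dst, dport, _ in flows:
        seen[(hour, src)].add((dst, dport))
    return {k: len(v) for k, v in seen.items()}


class FanoutBaseline:
    def __init__(self, flows, sigmas=3.0, throttle_factor=5.0):
        per_src = collections.defaultdict(list)
        for (_, src), n in fanout_per_hour(flows).items():
            per_src[src].append(n)
        self.mean = {s: statistics.fmean(v) for s, v in per_src.items()}
        self.stdev = {s: statistics.pstdev(v) for s, v in per_src.items()}
        self.sigmas, self.throttle_factor = sigmas, throttle_factor

    def threshold(self, src):
        # Floor the deviation at 1 so a perfectly flat baseline still needs a real jump
        # (and an unseen host gets a conservative default rather than a zero threshold).
        return self.mean.get(src, 0.0) + self.sigmas * max(self.stdev.get(src, 0.0), 1.0)

    def score(self, new_flows):
        """Return (hour, src, fanout, threshold, action) for every host over threshold."""
        alerts = []
        for (hour, src), n in fanout_per_hour(new_flows).items():
            thr = self.threshold(src)
            if n > thr:
                action = "throttle" if n > self.throttle_factor * thr else "alert"
                alerts.append((hour, src, n, thr, action))
        return alerts


if __name__ == "__main__":
    baseline = FanoutBaseline(make_baseline())
    for alert in baseline.score(make_new_hour()):
        print(alert)
```

With four destinations per hour and no variance, each host's threshold is 7. The host carrying the exploit attempt still contacts four destinations and produces nothing; the scanning host jumps to 64 and, at more than five times its threshold, is marked for throttling rather than a bare alert. A real deployment would baseline over far more than 24 hours and would key on bytes and ports as well as destination count, but the shape of the decision is the same, and the per-host means and deviations it accumulates are the "view of the flows" the paragraph above values on a large network.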
This was first published in February 2007