Intrusion prevention: IDS' 800-pound gorilla

Intrusion-prevention systems are getting lots of attention from vendors and potential enterprise customers, but neither group can nail down a definition of what an IPS.

Intrusion-detection systems do a good job of telling companies whether they are being compromised or attacked. So good, in fact, that some question whether systems should go a step further and prevent incidents.

It doesn't seem much of a stretch to have systems "flip a switch instead of alerting" when an anomaly is found, said Pete Lindstrom, research director of Malvern, Pa.-based Spire Security.

While the phrase "intrusion-prevention system" has entered the security lexicon, it's still too early to say exactly what an intrusion-prevention system is because companies use the term a half-dozen different ways. Some use the term to describe next-generation IDS systems that can block certain kinds of attacks. Others use the term more broadly and include firewalls, for instance, in the intrusion-prevention category, since firewalls can block certain attacks.

Intrusion protection systems generally sit in-line on the network. They monitor the network much like an IDS system but when an event occurs, they take action based on prescribed rules. Companies can tweak such rules so the systems respond in the way they would.

Robert Lonadier, president of RCL & Associates, a security consultancy in Boston, is in the latter camp. He sees "intrusion prevention" in a more general sense. "Anything that can prevent unauthorized access to your computer networks," he said.

Lonadier, however, notes that the industry tends to define the term more tightly. Essentially, intrusion-prevention systems are next-generation IDS that "can do something after they detect intrusions," he said.

Taking preventive action is easier said than done. Such a system would need to be a "bump on the wire" and, hence, could pose a threat itself since it would be a single point of failure, Lindstrom said.

For example, an attacker could figure out a way to trick an intrusion-prevention device into shutting down a network by doing a bogus kind of attack, Lonadier said. Such is the problem when you take the human element out of security. "You never want to cede control to automated responses," Lonadier said, noting that most responses require human intervention. Allowing automated responses is like "arming security cameras with tear gas," he said.

Lonadier sees a place for intrusion prevention, but not to the exclusion of IDS. Intrusion prevention can be good for simple nuisance attacks. For example, the recent Slammer worm would have been prime for intrusion prevention, since addressing it was a matter of closing a port, he said.

Perhaps the most pressing question about intrusion prevention, in the stricter sense, is whether it should replace traditional IDS. Some companies are blurring the line between IDS and intrusion prevention. For example, Latis Networks, of Superior, Colo., offers Border Guard, which can do both. Rajat Bhargava, the company's president and CEO, said this week that intrusion prevention is a logical outgrowth of IDS, not just marketing jargon. "Plenty of our customers are looking for intrusion prevention," he said.

Border Guard allows users to ease into intrusion prevention. They can run it as strictly IDS for a while to see what kinds of attacks are on the rise. They can then use it to take preventative steps for events.

Other companies, however, see their intrusion-prevention products as usurping IDS. Martin Roesch, cofounder and CTO of Columbia, Md.-based Sourcefire, which sells the commercial version of the open-source intrusion-detection system Snort, rejects such a suggestion. "Anyone who tries to sell you an intrusion-prevention system at the expense of an intrusion-detection system doesn't understand the problem stack," he said. "Intrusion prevention is access control. Intrusion detection is monitoring."

Sourcefire will probably play in the intrusion-prevention space at some point. "We see value in having an access control role on the network as well as a network-monitoring role, because it allows us to leverage the information to enhance monitoring and protection," Roesch said. "You can't have one without the other."


FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "It makes sense to outsource IDS, experts say"

SearchSecurity.com news exclusive: "Network security checklist a best-practices reminder"

Listen to this archived SearchSecurity.com webcast: "Ins and outs of behavior-based intrusion detection"

Best Web Links on intrusion detection

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close