Don't let trends dictate your network security strategy

More on defense-in-depth This book chapter excerpt examines the future of intrusion prevention systems.

Unfortunately, this is not the first time I've heard people debate the worth of host-based intrusion prevention systems in the enterprise; in fact, I've also heard people remark that host-based intrusion prevention systems' aren't worth the trouble because they're difficult to manage and monitor. Let's examine why this and similar beliefs are false, how host-based intrusion prevention systems use can be beneficial and why moving away from host-based intrusion prevention systems may be risky.

However, before we start reviewing host-based intrusion prevention systems benefits, let's first take a look at host-based intrusion prevention system technology and its proper role in the enterprise. As many readers know, host-based intrusion prevention systems allow the protection of individual systems against attacks. When they detect a potential attack using either signature-based or anomaly-based algorithms, they can ignore the detection, alert administrators to the event or block the traffic altogether. Additionally, host-based intrusion prevention systems are beneficial because:

• Host-based intrusion prevention systems can detect attacks that network-based systems simply can't. Host-based systems have access to detailed data about system processes, resource utilization and device activity that network-based sensors lack. In some cases, analysis of this data may be the only clue that an attack is underway. Consider the case of an insider attack. If the attacker resides on the same local network as the target system, traffic between the two may never come under the scrutiny of a network-based intrusion prevention systems sensor.

• Believe it or not, there are attack vectors other than the network. The movie WarGames may be from 1983, but computers are still attached to telephone lines and the war-dialing technique made famous by Matthew Broderick can be just as dangerous as a network-based incursion. Similarly, an attacker can walk up to the console of your system and begin a brute-force password attack. Network-based intrusion prevention systems are useless in these scenarios.

• Anomaly-based detection techniques are often more effective at the host than on the network. Anyone who's experimented with anomaly-based intrusion detection knows that they can be finicky, at best. These systems rely upon a baseline of "normal" activity and then attempt to detect deviations from that norm. The problem is that, for many networks, there's no such thing as "normal" activity. Individual hosts, on the other hand, may have very clearly defined roles on the network, making network anomaly detection feasible.

And finally, for those who believe host-based intrusion prevention systems are difficult to manage and monitor, that's also largely untrue. Modern host-based intrusion prevention system implementations often use an agent/manager approach that allows centralized enterprise management of deployed systems.

Hopefully, I've convinced you that host-based intrusion prevention systems do indeed play an important role in the enterprise. More importantly, keep this general lesson in mind the next time you hear about a "trend" or "fad" in information security: Defense-in-depth means instituting layers of protection to safeguard your data and systems against many different types of attacks. After all, ivory tower security analysts who declare trends like "the perimeter is dead" often make those pronouncements from behind a strongly defended perimeter!

About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Enterprise role management: Trends and best practices Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Network Intrusion Prevention (IPS) Network intrusion prevention systems: Should enterprises deploy now? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? What is a 'top-down' IPS sensor search? Is a 'self-defending network' possible? Best practices for purchasing an intrusion detection device VeriSign, AirMagnet team up for wireless IPS Sourcefire, Nmap deal to open vulnerability scanning Interop: Vendors update software, demonstrate new security features McAfee launches IPS for 10g networks, but is IT ready? Network Intrusion Prevention (IPS) Research Network Intrusion Detection (IDS) What are best practices for creating an IDS and maintaining a signature database? Network intrusion prevention systems: Should enterprises deploy now? RSA 2008: Sourcefire founder Roesch previews Snort 3 Screencast: Opening up the Network Security Toolkit Can a firewall alone effectively block port-scanning activity? Should an intrusion detection system (IDS) be written using Java? What security risks do enterprise honeypots pose? What are the benefits of 'in-the-cloud' network security services? Screencast: Snort -- Tactics for basic network analysis Can Snort stop application-layer attacks? Network Intrusion Detection (IDS) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Diffie-Hellman key exchange  (SearchSecurity.com) intrusion prevention  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.