A little more than three years ago, I witnessed a pilot deployment of an intrusion prevention system (IPS) on a large academic network. The technology in question was a highly touted product from a top-tier vendor (one that's still around today). The product came complete with tons of sales hype, promising to eliminate all network threats and allow security analysts to sleep soundly for the first time in years.
So what happened when it was turned on? As you may have predicted, it crashed within 15 minutes, overwhelmed by an attempt to implement the vendor's "best practice" IPS signatures on an unfiltered Internet connection. After the failed implementation as well as conversations with colleagues from other organizations, it became clear that the organization simply wasn't ready for an IPS (or, better put, IPS technology wasn't ready!).
Three years and a few sales reps later, those same vendors are pounding on doors and making phone calls, promising that the IPS market has "matured" and that it's time to give the technology a second chance. While today's IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I'm not sure that the technology itself has matured; in fact, it hasn't really changed much at all.
Intrusion prevention systems are a basic extension of intrusion detection systems; they watch the network for an attack and, when one is detected, actually prevent it from reaching its destination. This is in contrast to an IDS, which allows the attack to pass by and then alerts administrators to its presence. Sure, different vendors have added some bells and whistles, like the ability of the IPS to interact with network devices (firewalls, switches, etc.) to implement access control decisions at different points in the network. Over the years vendors have also added the ability to detect emerging technology attacks, such as those against VoIP systems or IPv6 networks.
A successful IPS product, however, boils down to a quality detection engine and smooth user interface. The core technology bears a striking resemblance to the first version of Snort, a popular open-source intrusion detection system that renowned Sourcefire Inc. founder Martin Roesch introduced to the world 10 years ago.
That said, I do believe that the use and adoption of intrusion prevention systems has changed significantly during the past three years. The dramatic changes, however, lie not in the added features, but in the best practices adopted by vendors and security professionals for the deployment and maintenance of IPSes.
Here's a quick run-down of some of those best practices that you should follow to achieve IPS implementation success:
One way to prevent such issues is to use fail-open technology on an IPS. That way, if the device fails, it acts like a straight copper wire and doesn't cause a complete network outage. If the budget allows, also consider redundant IPS devices configured in high-availability mode.
In summary, yes, the IPS market has matured during the past three years. Those changes aren't so much in the technology itself, but in the way it is deployed and operated. Properly managed, IPS devices now have a significant role in the enterprise security architecture.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.