A little more than three years ago, I witnessed a pilot deployment of an intrusion prevention system (IPS) on a large academic network. The technology in question was a highly touted product from a top-tier vendor (one that's still around today). The product came complete with tons of sales hype, promising to eliminate all network threats and allow security analysts to sleep soundly for the first time in years.
So what happened when it was turned on? As you may have predicted, it crashed within 15 minutes, overwhelmed by an attempt to implement the vendor's "best practice" IPS signatures on an unfiltered Internet connection. After the failed implementation as well as conversations with colleagues from other organizations, it became clear that the organization simply wasn't ready for an IPS (or, better put, IPS technology wasn't ready!).
Three years and a few sales reps later, those same vendors are pounding on doors and making phone calls, promising that the IPS market has "matured" and that it's time to give the technology a second chance. While today's IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I'm not sure that the technology itself has matured; in fact, it hasn't really changed much at all.
Intrusion prevention systems are a basic extension of intrusion detection systems; they watch the network for an attack and, when one is detected, actually prevent it from reaching its destination. This is in contrast to an IDS, which allows it to pass by and then alerts administrators to its presence. Sure, different vendors have added some bells and whistles, like the ability of the IPS to interact with network devices (firewalls, switches, etc.) to implement access control decisions at different points in the network. Over the years vendors have also added the ability to detect emerging technology attacks, such as those against VoIP systems or IPv6 networks.
A successful IPS product, however, boils down to a quality detection engine and smooth user interface. The core technology bears a striking resemblance to the first version of Snort, a popular open-source intrusion detection system that renowned Sourcefire Inc. founder Martin Roesch introduced to the world 10 years ago.
That said, I do believe that the use and adoption of intrusion prevention systems has changed significantly during the past three years. The dramatic changes, however, lie not in the added features, but the best practices adopted by vendors and security professionals for the deployment and maintenance of IPSes.
Here's a quick run-down of some of those best practices that you should follow to achieve IPS implementation success:
Run the IPS in "monitor" mode until it's clear that the system is properly tuned. Deploying an IPS by simply turning it loose on an enterprise network with the vendor's default policy enabled is a huge mistake. (If you don't remember why, reread the first two paragraphs of this article!) It is far safer to deploy the device in monitoring mode, where it functions in a manner identical to an IDS. Keep a careful eye on it until you're comfortable that it's properly enforcing your organization's security policy.
Watch any alerts carefully for signs of false positive detections, and remember that those connections will indeed be blocked once you enable active responses on any of those rules. The key step here is to invest a significant amount of time during the tuning period in analyzing IPS alerts. It's not sufficient to simply count false positives. Dig into them: what if two of those false positives would have blocked the connection from your e-commerce application to the sales database? Save yourself from a career-ending mistake.
- Keep the number of "block" mode rules to a small, finely tuned set. The most successful IPS deployments use a hybrid IDS/IPS approach. Only rules associated with extremely high confidence rates should be set to prevent traffic from traversing the network. For example, if the IPS detects an off-network system systematically sweeping your address space with SSH probes, you'd definitely want to block that traffic. Over the past few years, vendors have picked up on this advice as well. Most now recommend a small core group of "block" rules and leave the remainder in typical IDS alert mode. This is a prudent approach that dramatically increases the likelihood of success for your IPS deployment.
- Consider using a fail-open device. Another downside to IPSes is that the devices must be physically in-line in order to function in "block" mode. As any network engineer will tell you, it's best to have as few in-line devices as possible. Adding single points of failure to a network is problematic and provides everyone else with the opportunity to point at the security team when undiagnosed problems arise.
One way to prevent such issues is to use fail-open technology on an IPS. That way, if the device fails, it acts like a straight copper wire and doesn't cause a complete network outage. If the budget allows, also consider redundant IPS devices configured in high-availability mode.
In summary, yes, the IPS market has matured during the past three years. Those changes aren't so much in the technology itself, but in the way it is deployed and operated. Properly managed, IPS devices now have a significant role in the enterprise security architecture.
About the author;
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in May 2008