
Finding enterprise IPS nirvana: Granular data and simplicity

More granular data is needed from an enterprise IPS than ever before. Brad Casey explores why and reveals other ways to get the info sought.

In the not-too-distant past, it became readily apparent that securing a network by simply installing endpoint security products on each node is less than ideal. While endpoint security products play an important role in an enterprise security strategy, over-reliance on these technologies -- the network's "last line of defense" -- is often ineffective. Organizations eventually came to the realization that leveraging the network as a source of security information provided much added value and insight that was unavailable at the endpoint.

At first, organizations leveraged access control lists at the router level. While this method greatly simplified the process, enterprises soon found that routers only provided rudimentary security functionality and didn't offer the ability to apply granular security policies, hence the development of intrusion prevention systems (IPSes) and firewalls. Though these devices were initially configured to offer better insight of inbound and outbound traffic than a router, the IPS was expected to be as specific as the traditional endpoint device in terms of packet examination. Needless to say, times have drastically changed and what is expected of today's IPSes far exceeds what they can actually handle.

In an October 2013 article published by the SANS Institute, the majority of respondents to a recent survey seemed to be generally pleased with the performance of their enterprise IPS. However, a common complaint pertained to the lack of detailed inspection performed by their systems.

In this tip, we will explore why enterprises want higher levels of granular data from their IPS in four key categories: application awareness, context awareness, content awareness and full stack inspection, and how to strive for those objectives without losing the simplicity an IDS provides.

Application awareness

Application awareness pertains to a device's ability to identify the specific applications in use on a network and tailor its security analysis to those specific applications. This information can dramatically reduce the false positive rates of intrusion prevention systems and allow security staff to focus on the most relevant alerts.

For example, an IPS might be monitoring network traffic from a particular user browsing the Web and notice a potential attempt to remotely exploit a known vulnerability in Internet Explorer. If the IPS is application-aware, it will identify the specific browser the individual is using and assess the security risk in light of that information. A user making the request with a vulnerable version of IE might have his or her traffic blocked at once, triggering an alert instructing information security staff to investigate further immediately. Alternatively, a user making the same request on Google Chrome might trigger a less drastic response, since the exploit would not succeed in Chrome as it might in IE. In that case, the alert might still be recorded, just with less urgency. When possible, security staff would want to follow up and instruct the user on safe browsing habits.

Deploying IPS technology that incorporates application awareness allows the system to intelligently block only those threats that are likely to succeed. This greatly reduces the false positive rate, minimizes the impact on the business and increases user satisfaction.
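The following is an added example of the triage logic described above; it is not code from the article or from any IPS product. It assumes a hypothetical signature (`browser-exploit-ie`) that only works against Internet Explorer, and it identifies the client application from the HTTP `User-Agent` header, a simplified stand-in for the application identification a real IPS performs. The sample requests are constructed.

```python
"""Application-aware triage of an IPS signature hit (added example; not the
article's or any vendor's code).

A signature for a browser vulnerability fires on an outbound HTTP request.
Instead of blocking every hit, the triage step identifies the client
application (here from the User-Agent header, a simplified stand-in for the
application identification an IPS performs) and escalates only when the
application the exploit targets is actually in use.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    affected_app: str  # the only application this exploit works against


@dataclass(frozen=True)
class Verdict:
    action: str    # "block" or "log"
    severity: str  # "high", "medium" or "low"
    reason: str


# Hypothetical signature: an exploit that only succeeds against Internet Explorer.
IE_EXPLOIT = Signature("browser-exploit-ie", "internet_explorer")

# Ordered patterns: Edge also carries "Chrome/", so it must be tested before Chrome.
BROWSER_PATTERNS = [
    ("internet_explorer", re.compile(r"Trident/|MSIE \d")),
    ("edge", re.compile(r"Edg/")),
    ("chrome", re.compile(r"Chrome/")),
    ("firefox", re.compile(r"Firefox/")),
]


def identify_browser(user_agent: str) -> str:
    """Classify the client application from its User-Agent string."""
    for app, pattern in BROWSER_PATTERNS:
        if pattern.search(user_agent):
            return app
    return "unknown"


def triage(sig: Signature, user_agent: str) -> Verdict:
    """Decide the response to a signature hit in light of the client application."""
    app = identify_browser(user_agent)
    if app == sig.affected_app:
        return Verdict("block", "high",
                       f"{sig.name}: client is {app}, exploit likely to succeed; investigate now")
    if app == "unknown":
        # The exploit cannot be ruled out, so fail closed, but at a lower priority.
        return Verdict("block", "medium", f"{sig.name}: client could not be identified")
    return Verdict("log", "low",
                   f"{sig.name}: client is {app}, exploit not applicable; follow up on browsing habits")


# Constructed sample requests as an IPS would see them (User-Agent strings are illustrative).
SAMPLE_REQUESTS = {
    "ie11": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.0.0",
    "curl": "curl/8.4.0",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_REQUESTS.items():
        v = triage(IE_EXPLOIT, ua)
        print(f"{label:7} -> {v.action:5} {v.severity:6} {v.reason}")
```

Only the IE request is escalated as a high-severity block; the Chrome and Edge requests are logged at low priority for user follow-up, and an unidentified client fails closed at medium severity. A production rule would also compare the reported browser version against the affected version range, which this example leaves out.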

Context awareness

Is VPN traffic allowed on a given network? What about on the weekends? Can VPN traffic come in from overseas?

While many enterprises may have legitimate reasons as to why the answers to these and other context-related questions would be yes, what is considered legitimate network behavior by one company may be considered extremely suspicious by another. For example, a certain protocol may be completely authorized by company policy, but the way in which the protocol is utilized may trigger suspicion.

Say a particular company's policy allows the use of Remote Desktop Protocol (RDP), but only within a certain geographical area. If security personnel examine the logs on Monday morning and find that RDP was indeed used but the connection was made from India, it would prompt further investigation, especially if the organization has no dealings or interests within India. In this case, the possibility that an unauthorized network intrusion occurred must be assumed until proven otherwise.

This type of context awareness capability has long been a component of many IPS technologies, and security professionals should take steps to leverage it as much as possible. IPS rules may be tweaked to not only incorporate geolocation context, as described above, but also include information on user identity, system/application patch status and other important sources. For example, the RDP scenario described above could be implemented in an IPS rule and automatically block login attempts from unusual locations. Going a step further, the organization's directory could be updated to indicate when users travel to India so they might be exempted from that rule, combining location and identity awareness in a single rule.
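The RDP scenario above, combining time, geolocation and identity in one rule, as an added example that is not part of the article. The geolocation table and the directory are constructed stand-ins for a GeoIP database and an LDAP/Active Directory travel attribute, the policy values (approved countries, no weekend RDP) are assumptions, and the log lines are constructed.

```python
"""Context-aware evaluation of RDP connection logs (added example; not the
article's code).

Policy modelled: RDP is allowed only from an approved country and never on
weekends, except that a user whose directory record shows approved travel to
the source country is exempt. GEOIP and DIRECTORY are constructed stand-ins
for a GeoIP database and a directory attribute; the log lines are constructed.
"""
import re
from datetime import date, datetime

ALLOWED_COUNTRIES = {"US"}          # assumed policy: where RDP may normally originate
GEOIP = {                           # constructed source IP -> country lookup
    "198.51.100.7": "US",
    "203.0.113.44": "IN",
    "192.0.2.9": "DE",
}
DIRECTORY = {                       # constructed: user -> approved travel (country, first day, last day)
    "alice": [("IN", date(2014, 1, 13), date(2014, 1, 24))],
    "bob": [],
}
LOG_RE = re.compile(r"^(?P<ts>\S+) rdp user=(?P<user>\S+) src=(?P<src>\S+) dport=3389$")


def geolocate(ip: str) -> str:
    """Map a source address to a country; unknown addresses fall through to block."""
    return GEOIP.get(ip, "??")


def travelling_to(user: str, country: str, day: date) -> bool:
    """True if the directory records approved travel to country covering day."""
    return any(c == country and start <= day <= end
               for c, start, end in DIRECTORY.get(user, []))


def evaluate_rdp(user: str, src_ip: str, ts: datetime):
    """Return (action, reason) for one RDP connection: time, then location, then identity."""
    if ts.weekday() >= 5:
        return "block", "RDP not permitted on weekends"
    country = geolocate(src_ip)
    if country in ALLOWED_COUNTRIES:
        return "allow", f"source country {country} is approved"
    if travelling_to(user, country, ts.date()):
        return "allow", f"{user} has approved travel to {country}"
    return "block", f"RDP from {country} with no travel record for {user}; investigate"


def process_logs(lines):
    """Parse log lines in the constructed format and evaluate each RDP record."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not an RDP record; a real pipeline routes it elsewhere
        ts = datetime.fromisoformat(m["ts"])
        action, reason = evaluate_rdp(m["user"], m["src"], ts)
        results.append((m["user"], m["src"], action, reason))
    return results


SAMPLE_LOG = [  # constructed; 2014-01-13 is a Monday, 2014-01-11 a Saturday
    "2014-01-13T02:14:05 rdp user=alice src=203.0.113.44 dport=3389",  # alice travelling in India
    "2014-01-13T02:20:11 rdp user=bob src=203.0.113.44 dport=3389",    # bob has no travel record
    "2014-01-14T09:00:00 rdp user=bob src=198.51.100.7 dport=3389",    # from an approved country
    "2014-01-11T10:30:00 rdp user=bob src=198.51.100.7 dport=3389",    # weekend
    "2014-01-14T09:05:00 rdp user=bob src=192.0.2.9 dport=3389",       # from Germany, no travel
    "2014-01-14T09:06:00 ssh user=bob src=198.51.100.7 dport=22",      # not RDP, skipped
]

if __name__ == "__main__":
    for user, src, action, reason in process_logs(SAMPLE_LOG):
        print(f"{action:5} {user:6} {src:14} {reason}")
```

The order of the checks matters: the weekend rule is absolute, so it runs before the location and identity checks, and the travel exemption only widens the location rule for the user and dates the directory actually records, so alice's connection from India is blocked again once her travel window has passed.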

Content awareness

In its report, the SANS Institute illustrated content awareness with the question of whether an IPS could distinguish between LinkedIn, Facebook and YouTube. This is a simple example, but in practice analyzing application or content traffic can become much more involved. For example, can an IPS determine when an inbound executable is traversing its network interface? Does it know when PDFs or Microsoft Office documents are attempting to enter the network? If so, can it conclude whether these file types are carrying a malicious payload?

Modern IPSes are capable of answering all of these questions, and administrators may design security policies that trigger content-aware responses. For example, when the IPS identifies a user downloading a PDF email attachment, it can send the PDF off for an immediate malware scan to identify the potential presence of any known PDF exploits. If the attachment is suspect, it would be removed from the email and/or quarantined for further inspection by security professionals.

Full-stack inspection

Perhaps the most computationally expensive task performed by an IPS, full-stack inspection involves a detailed and therefore process-intensive examination of all inbound and outbound traffic.

Full-stack inspection involves the examination of the entire packet: the IP header, the transport-layer header and all of the application data encapsulated within them -- hence the term full-stack inspection. So when a packet attempts to enter a network protected by an IPS, the system may be configured to:

  • Open each IP packet
  • Ensure that nothing untoward is happening at the IP layer
  • Delve into the TCP layer and ensure that the TCP packet is not in violation of any time-out rules
  • Examine the application layer, determine the type of application and check the content of it to ensure that it doesn't match any known malware signatures

Because the full-stack inspection process is so involved, it is vital that the IPS be capable of handling high throughput; otherwise, the risk of dropping legitimate packets becomes a real possibility. Generally speaking, enterprises should purchase an IPS capable of processing data at the maximum speed possible. If an organization has a 10 Gbps network and a 1 Gbps IPS, the IPS will quickly become a bottleneck and limit throughput on the network. Furthermore, it is likely because of this highly involved, computationally expensive process that the people surveyed in the SANS report wished for deeper inspection but oftentimes received something less.

Full-stack inspection ties together the concepts of application- and context-awareness. This capability of modern IPS technology allows organizations to go beyond the "one packet at a time" approach used by early IPS systems and take advantage of the full range of information available. Security administrators should analyze their IPS rulebases to ensure they are using these capabilities and refine the rulebases wherever possible.
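The four-step procedure in the list above, together with the content-awareness questions from the previous section (is an executable, PDF or Office document crossing the interface?), as one added example that is not the article's code. The IPv4 and TCP header layouts are the real ones from RFC 791 and RFC 793; the packets are constructed in the block so it runs offline, with checksums left at zero. The TCP "time-out rules" the article mentions need a session table and are not modelled; the transport-layer checks here are stateless.

```python
"""Full-stack inspection of one packet, layer by layer (added example; not the
article's code). IPv4/TCP layouts follow RFC 791 and RFC 793; the packets are
constructed here and are not captured traffic.
"""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK, TCP_PSH = 0x01, 0x02, 0x04, 0x10, 0x08
# File types an administrator might route to a malware scan when seen inbound.
MAGIC = [(b"%PDF-", "pdf"), (b"MZ", "windows_executable"),
         (b"PK\x03\x04", "zip_or_office_openxml"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole_office")]
SCAN_TYPES = {name for _, name in MAGIC}


def build_packet(payload: bytes, *, flags: int = TCP_PSH | TCP_ACK, total_len=None) -> bytes:
    """Assemble a minimal IPv4+TCP packet around payload (constructed test data)."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    length = 20 + len(tcp) + len(payload) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, length, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    return ip + tcp + payload


def inspect_ip(pkt: bytes):
    """Step 1-2: open the IP packet and check the IP layer. Returns (findings, proto, payload)."""
    if len(pkt) < 20:
        return ["ip: truncated header"], None, b""
    vihl, _, total_len, _, frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl, findings = vihl >> 4, (vihl & 0x0F) * 4, []
    if version != 4:
        findings.append(f"ip: version {version} is not 4")
    if ihl < 20 or ihl > len(pkt):
        return findings + ["ip: bad header length"], proto, b""
    if total_len != len(pkt):
        # Length field disagreeing with the wire length is a classic crafted-packet sign.
        findings.append(f"ip: total length {total_len} != wire length {len(pkt)}")
    if frag & 0x3FFF:  # MF flag or non-zero offset
        findings.append("ip: fragment; reassemble before inspecting higher layers")
    return findings, proto, pkt[ihl:]


def inspect_tcp(seg: bytes):
    """Step 3: check the TCP layer (stateless checks only). Returns (findings, dport, data)."""
    if len(seg) < 20:
        return ["tcp: truncated header"], None, b""
    _, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
    data_off, flags, findings = (off_flags >> 12) * 4, off_flags & 0x01FF, []
    if data_off < 20 or data_off > len(seg):
        return ["tcp: bad data offset"], dport, b""
    if flags & TCP_SYN and flags & TCP_FIN:
        findings.append("tcp: SYN and FIN set together (never legitimate)")
    if flags & 0x3F == 0:
        findings.append("tcp: no flags set (null segment)")
    return findings, dport, seg[data_off:]


def classify_body(body: bytes) -> str:
    """Identify a file type from its leading magic bytes."""
    if not body:
        return "empty"
    return next((name for magic, name in MAGIC if body.startswith(magic)), "unknown")


def classify_content(data: bytes) -> str:
    """Step 4: determine the application and what it carries (HTTP framing plus magic bytes)."""
    if data.startswith((b"HTTP/", b"GET ", b"POST ")):
        _, sep, body = data.partition(b"\r\n\r\n")
        return "http:" + (classify_body(body) if sep else "headers_only")
    return classify_body(data)


def inspect_packet(pkt: bytes) -> dict:
    """Walk the stack: block on a protocol violation, scan a file of interest, else allow."""
    findings, proto, seg = inspect_ip(pkt)
    content = "none"
    if proto == 6 and seg:
        tcp_findings, _, data = inspect_tcp(seg)
        findings += tcp_findings
        if data:
            content = classify_content(data)
    if findings:
        verdict = "block"
    elif content.split(":")[-1] in SCAN_TYPES:
        verdict = "scan"
    else:
        verdict = "allow"
    return {"verdict": verdict, "content": content, "findings": findings}


SAMPLES = {  # constructed packets
    "pdf_download": build_packet(b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n%PDF-1.4\n"),
    "exe_download": build_packet(b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    "plain_get": build_packet(b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "syn_fin": build_packet(b"", flags=TCP_SYN | TCP_FIN),
    "bad_length": build_packet(b"GET / HTTP/1.1\r\n\r\n", total_len=20),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:13} {inspect_packet(pkt)}")
```

Each layer is checked before the next is trusted: a bad IP length or an impossible TCP flag combination blocks the packet before any application-layer work is done, which is also where the throughput cost the text describes comes from, since every packet that survives the cheap header checks still has to be opened at the application layer. The PDF and executable downloads are not blocked outright but handed off for a scan, matching the content-aware response described earlier.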

Modern intrusion prevention systems have improved network security by leaps and bounds. They have not only been able to offload much of the processing involved with securing the network boundary, but have also proven to drastically improve efficiency.

However, as technological improvements continue along an upward trajectory, the same can be said for end user expectations, which may never be fully met. Though organizations initially employed an IPS to offload some of the security burden, they have come to seek further granularity in data, which will often make the situation more complex. But the more information collected by an organization, the more likely they are to enhance their enterprise IPS, reduce the number of false positives, mitigate a greater number of threats, and boost the overall security posture of the organization.

About the author:
Brad Casey holds a Master of Science degree in information assurance from the University of Texas at San Antonio and has extensive experience in the areas of penetration testing, public key infrastructure, VoIP and network packet analysis. He is also knowledgeable in the areas of system administration, Active Directory and Windows Server 2008. He spent five years doing security assessment testing in the U.S. Air Force, and in his spare time, you can find him looking at Wireshark captures and playing with various Linux distributions in virtual machines.

Editor's note: SearchSecurity expert Mike Chapple contributed to this article.

This was last published in January 2014
