Intrusion prevention systems (IPSs) are becoming ubiquitous in the minds of enterprise buyers. However, the problems of intrusion detection systems (IDSs) have not gone away, and many organisations have an overinflated view of these systems. Moreover, the vendors and popular press continue to perpetuate numerous myths around this narrow but useful capability.
META Group trend analysis indicates that threat and vulnerability management integration will accelerate, with intrusion detection (under the guise of 'intrusion prevention') capturing more vulnerability and asset information (2004/05). Although automated response to alerts will be commonly available, organisations will make limited use of it through 2005/06. Managed services of various types (eg, vulnerability alerts, intrusion detection systems) will continue to experience increased demand, but despite vendor consolidation, maturity will lag for many disciplines through 2007.
IPS is a new technology: despite the fervour over IPS, prevention technologies are not entirely new. Most represent normal, expected advancements in intrusion detection that are now placed in line with traffic to make blocking decisions before traffic is forwarded. Placing detection mechanisms in line imposes requirements on the architecture and administration of these products that would otherwise be unnecessary in traditional out-of-line intrusion detection systems, but this does not make them entirely different technologies. A network IPS, for all intents and purposes, is an inline detection system that can block packets meeting detection criteria. There is nothing unique about IPS that makes it better at detection, faster, or more capable than a traditional IDS, except that, given its inline architecture, it must be better at all those elements or it will cause more problems than it solves.
IPS is comprehensive: IPS is not more comprehensive than other security technologies. IPS can block vulnerability exploitation traffic before it reaches its target. However, it does not block all exploitations, it is limited by the increasing use of encrypted traffic (SSL), it does not block all vectors that malicious code takes to enter an enterprise (walk-in worms), and most enterprises will not deploy ubiquitous IPS on every segment. Other security technologies (eg, antivirus, antispam, URL filtering, Layer 7 monitoring) will still be necessary.
IPS will replace IDS (IDS is dead): most signature-based IPSs have about 2000 signatures, but most enterprises enable only about 25-50 of those in full blocking mode. A signature should be placed in blocking mode only if it detects accurately 100% of the time and the detected traffic is malicious 100% of the time. This explains IPS's narrow band of applicability across all bad traffic that can be detected. There is, however, a much larger set of signatures that represent threatening traffic of which a security operations centre would want to be made aware but not necessarily block automatically. This is essentially what a traditional IDS does.
The marketing hype would have buyers believe they do not need IDS anymore, when in reality 95% of the applicability of their IPS is in IDS mode. The number of applicable IPS signatures will remain below 100-200 for most enterprises through 2006. Most IDS vendors will create an inline capability by 1H05. Performance and scalability constraints, for example, will sustain demand from a sizeable market segment for out-of-line, detection-only solutions. Organisations must still fix their processes around tuning IDS and handling suspicious events that were not automatically blocked. This situation will not change.
IPS blocks zero-day attacks: again, there is nothing special about IPS except that it is an inline detection mechanism. The implication here is that the detection mechanism can block previously unknown threats. While mechanisms that claim this capability (eg, anomaly detection, root-cause signatures, heuristics) are becoming more prevalent, it is the mechanism that should be evaluated, and not the fact that it resides in an IPS.
In fact, blocking zero-day threats requires some projection and analysis on the part of the detection mechanism, which introduces uncertainty to the process and should reduce the faith an enterprise has in deploying these mechanisms in blocking mode. In this respect, zero-day detection and IPS are risky in combination.
Everyone must have IPS: the trend for inline detection is becoming ubiquitous, and due to the useful band of applicability in these devices, it will make sense for most enterprises to have some level of blocking in their network to prevent the spread of worms. The myth that all the problems of IDS have gone away with the advent of IPS will be exposed as organisations deploy these systems and deal with their limitations (through 2006).
Firewalls and IPS are converging: the technologies that make up firewalls, IPS, and IDS are starting to blur. Firewalls are fundamentally access-control devices positively configured based on security policy, enabling known entities to connect to known services and objects. IDS and IPS, on the other hand, are monitoring devices that ensure that security policy is being followed, in addition to blocking known malicious traffic. Separation-of-duties concerns should cause enterprises to separate access-control decisions from the monitoring of those decisions. Organisations should have two separate teams for configuring their firewall and monitoring the enterprise, independent of whether they use the same device. Vendors of these multifunctional devices should provide separate interfaces to accommodate this requirement.
IPS has a narrow band of highly useful applicability: as stated, most organisations use only 25-50 signatures of a possible 2000 in full blocking mode. This is mainly caused by misbehaving enterprise applications that generate traffic that looks malicious to detection mechanisms. However, the signatures that can be enabled, though relatively small in number, have proven to be very useful at blocking many of the recent worm attacks.
IPS is a DoS threat to the enterprise: minimising false positives is not good enough; the blocking set must be perfect. Most organisations have trouble turning on more than a small number of blocking signatures because these mechanisms, if not properly tuned, will crash enterprise applications. Every organisation is different, so it does not appear possible to develop a common set of techniques for tuning effectively across multiple enterprises. The main factor in deploying and tuning blocking mechanisms in production environments is trusting that legitimate traffic will not be blocked. This trust must be based on thorough testing and sign-off of the associated risk within the organisation.
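The staging discipline described in the "IPS will replace IDS" and "IPS is a DoS threat" passages, as an added example that is not code from the original article or from any vendor product: candidate signatures run in detection-only (IDS) mode first, an analyst labels every hit, and a signature is promoted to blocking only when the test window produced confirmed true positives and no false positives. The sensor log layout, signature ids, addresses and verdicts are constructed for this example; real sensors record alerts in their own formats.

```python
"""Staging IPS signatures from alert-only to blocking mode (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log line layout: a hypothetical sensor's alert record with the
# analyst's triage verdict (tp = true positive, fp = false positive) appended.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"analyst=(?P<verdict>tp|fp)$"
)

# Constructed sample: a short detection-only run after analyst triage.
SAMPLE_ALERTS = """\
2004-08-01T10:00:01 sig=1001 src=10.0.0.5 dst=10.0.1.20 analyst=tp
2004-08-01T10:00:07 sig=1001 src=10.0.0.9 dst=10.0.1.20 analyst=tp
2004-08-01T10:01:30 sig=1001 src=10.0.0.12 dst=10.0.1.20 analyst=tp
2004-08-01T10:02:15 sig=2047 src=10.0.2.3 dst=10.0.1.44 analyst=fp
2004-08-01T10:02:16 sig=2047 src=10.0.2.3 dst=10.0.1.44 analyst=tp
2004-08-01T10:05:40 sig=3300 src=10.0.0.7 dst=10.0.1.80 analyst=fp
2004-08-01T10:05:41 sig=3300 src=10.0.0.7 dst=10.0.1.80 analyst=fp
"""


@dataclass
class SignatureStats:
    true_positives: int = 0
    false_positives: int = 0

    @property
    def hits(self) -> int:
        return self.true_positives + self.false_positives


def tally(log_text: str) -> dict[str, SignatureStats]:
    """Count analyst-labelled hits per signature; lines that do not parse are skipped."""
    stats: dict[str, SignatureStats] = defaultdict(SignatureStats)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["sig"]]
        if m["verdict"] == "tp":
            s.true_positives += 1
        else:
            s.false_positives += 1
    return dict(stats)


def blocking_policy(log_text: str, candidates: list[str],
                    min_true_positives: int = 2) -> dict[str, tuple[str, str]]:
    """Decide "block" or "alert" for each candidate signature, with the reason.

    A signature goes to "block" only when the test window produced no false
    positives and enough confirmed true positives to show it fires on real
    malicious traffic. Everything else stays in "alert" (the IDS role),
    including signatures that never fired: no evidence, no blocking.
    """
    stats = tally(log_text)
    policy: dict[str, tuple[str, str]] = {}
    for sig in candidates:
        s = stats.get(sig, SignatureStats())
        if s.hits == 0:
            policy[sig] = ("alert", "no hits in test window; no evidence either way")
        elif s.false_positives > 0:
            rate = s.false_positives / s.hits
            policy[sig] = ("alert", f"{s.false_positives}/{s.hits} hits were false "
                                    f"positives ({rate:.0%}); tune before blocking")
        elif s.true_positives < min_true_positives:
            policy[sig] = ("alert", f"only {s.true_positives} confirmed hit(s); "
                                    "insufficient evidence")
        else:
            policy[sig] = ("block", f"{s.true_positives} confirmed hits, 0 false positives")
    return policy


if __name__ == "__main__":
    # Signature 4100 is a candidate that never fired during the test window.
    for sig, (mode, why) in blocking_policy(SAMPLE_ALERTS, ["1001", "2047", "3300", "4100"]).items():
        print(f"sig {sig}: {mode:5s} {why}")
```

Run against the constructed log, only signature 1001 qualifies for blocking; 2047 and 3300 fired on legitimate traffic and stay in alert mode until tuned, and 4100 stays in alert mode because nothing was learned about it. The `min_true_positives` threshold and the single test window are simplifications; the sign-off the text calls for would also record who accepted the residual risk for each promoted signature.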
Anomaly-based IPS is risky: anomaly detection mechanisms, regularly associated with IPS, model good behaviour and look for deviations. While the promise of low administration and detection of previously unseen attacks is an attractive combination, blocking should be done only for positively identified misuse, which anomaly detection is challenged to do on a consistent basis. Anomaly detection is more successful in stable environments with closed event spaces where good behaviour can be completely described (ie, protocol anomaly detection). Anomaly detection based on tracking patterns of entities, objects, and services is much more risky.
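The distinction drawn in the passage above, as an added example that is not code from the original article: a protocol anomaly check over a closed event space (the acceptable HTTP request lines are enumerated completely, so any deviation is a positive finding) beside a behavioural rate baseline over an open event space (a legitimate change in usage trips it exactly like an attack, so it should only raise an alert). The HTTP rule set is deliberately minimal, and the per-minute request counts are constructed.

```python
"""Closed-space protocol anomaly check beside an open-space rate baseline (added example)."""
from __future__ import annotations

import re
import statistics
from typing import Optional

# Closed event space: the set of acceptable request lines is fully described.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"1.0", "1.1"}
MAX_TARGET_LEN = 2048
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def protocol_anomaly(request_line: str) -> Optional[str]:
    """Return why the request line violates the allowed HTTP grammar, or None.

    Every branch is a positively identified deviation from a complete
    description of good behaviour, which is what makes a hit safe to act on.
    """
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return "request line does not match METHOD SP target SP HTTP/x.y"
    method, target, version = m.groups()
    if method not in ALLOWED_METHODS:
        return f"method {method} not in allowed set"
    if version not in ALLOWED_VERSIONS:
        return f"HTTP version {version} not supported"
    if len(target) > MAX_TARGET_LEN:
        return f"request target longer than {MAX_TARGET_LEN} bytes"
    if not target.startswith("/"):
        return "request target is not an absolute path"
    return None


def rate_anomalies(baseline: list[int], observed: list[int], z: float = 3.0) -> list[int]:
    """Indexes of observed per-minute counts further than z standard deviations from the baseline mean.

    Open event space: the baseline only records what was usual while it was
    learned. It cannot tell a legitimate batch job from an attack.
    """
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # flat baseline would otherwise give a zero threshold
    return [i for i, c in enumerate(observed) if abs(c - mean) > z * sd]


def recommended_action(kind: str) -> str:
    """Map the detection kind to the mode the text argues for."""
    return "block" if kind == "protocol" else "alert"


# Constructed sample traffic: a quiet baseline, then a day with a month-end batch upload.
BASELINE_REQ_PER_MIN = [40, 42, 38, 41, 39, 43, 40, 42, 41, 39]
OBSERVED_REQ_PER_MIN = [41, 40, 260, 255, 42, 39]  # minutes 2 and 3 are the legitimate batch

if __name__ == "__main__":
    for line in ["GET /index.html HTTP/1.1", "BREW /pot-1 HTTP/1.1", "GET /index.html HTTP/9.9"]:
        reason = protocol_anomaly(line)
        action = f" [{recommended_action('protocol')}]" if reason else ""
        print(f"{line!r:32} -> {reason or 'ok'}{action}")
    flagged = rate_anomalies(BASELINE_REQ_PER_MIN, OBSERVED_REQ_PER_MIN)
    print(f"rate baseline flagged minutes {flagged} -> {recommended_action('behavioural')} only")
```

With the constructed counts the baseline mean is 40.5 with a standard deviation of 1.5, so the two batch-upload minutes sit far outside the three-sigma band and are flagged; had that detector been in blocking mode it would have cut off a legitimate business process, which is the "DoS threat" the article warns about. The protocol check, by contrast, only fires on request lines that no well-formed client of this minimal grammar would send.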
The bottom line is that IPS is becoming ubiquitous, but many organisations misunderstand the value proposition. IPS, like all security capabilities, has advantages and disadvantages that should be fully understood before acquisition. The impact on business is that IPS has a narrow but useful band of applicability in combating common worm and vulnerability attacks.