Traffic normalisation on IPS technology is supposedly causing problems for networks

Modern intrusion prevention systems (IPS) are forcing organisations to choose between performance and a maximum level of security.

Ash Patel, country manager for UK and Ireland at Stonesoft, said that this is a ‘familiar' flaw within network security, despite technological advancements. He said: “Most IPS devices, no matter how well they fare in industry tests, are still compromised by their inability to balance advanced inspection with high traffic volumes.”

He also claimed that many solutions that deliver ‘normalisation' are too poor to be of practical use against evolving threats. Patel said: “Researchers in the field of evasions understand that traffic normalisation is the Achilles' heel of IPS. This process, which is responsible for correctly interpreting strange and possibly malicious traffic, is required to adequately protect the network against threats.

“Evasions and other network threats have become more prevalent and more advanced in the way they are designed and delivered. However, traffic normalisation is also a time-consuming process, which threatens to slow down overall network performance.”

He also claimed that fixing the problem is not simple as ‘hearing' the conversation more clearly, (or implementing more aggressive traffic normalisation) which will noticeably slow down the network. He said this is which is unacceptable and security vendors are unable to easily resolve the problem because the filtering process is closely tied to a hardware-based architecture and normalisation has traditionally only occurred at the TCP/IP level.

Speaking to SC Magazine, Matt Jonkman, CEO of Emerging Threats Pro and creator of the open source IPS technology Suricata, agreed with Patel, saying that with more rules there is less throughput and that means a lot of traffic.

He said: “People are spending £10,000 on appliances but they only have one core processor. Where we come with Suricata we have 24 core tools and we are doing IPS specifically.”

Sign up to our newsletters