Are intrusion prevention systems worth the effort of managing them? Or can you get away with a good firewall? Rob Buckley investigates.
It's a familiar story to Donal Casey, one he's seen many times. As a security consultant at Morse, he has installed several intrusion prevention systems. But he went back six months after installing an IPS at one client only to find they had unplugged their new IPS and put it in a storeroom. “They just couldn't cope with it,” he recalls.
As the latest step up the evolutionary ladder from intrusion detection systems (IDSs), IPSs try to block attacks rather than just warn that a possible attack might be under way. Many companies, including traditional security companies and networking vendors such as Cisco, Symantec, Check Point and McAfee, have begun to provide IPS systems. But the first generation of IPSs proved a management nightmare to many customers, or were simply ineffective. So is the latest generation any better?
“Years ago, when IPS was an emerging technology, it had all sorts of issues,” recalls Andrew Wilson of the Information Security Forum. He has been watching the market since the emergence of IPS and over that time, little has happened to change his views.
“[There are] things to do with signature distribution, things to do with false positives, things to do with false negatives. There is the intense amount of effort needed to tune and get the right amount of management reporting. I think people now recognise that all of that is bedevilling IPS. The problems haven't gone away.”
Although approaches vary, intrusion prevention systems typically monitor the corporate network, either on the hosts that are likely to be attacked or on network devices. They are not just looking at the traffic itself, but also at the content of the traffic, trying to detect either malicious behaviour designed to exploit particular vulnerabilities or malicious content in the payload, such as a worm, virus or trojan.
The problems with many IPSs have been the questions of false positives and false negatives – what happens when the IPS wrongly identifies legitimate traffic as malicious, or misses an actual attack, thinking it was legitimate. If the IPS blocks legitimate traffic, it is effectively creating its own denial-of-service attack. And if it lets through an actual attack, of course, the network it is supposed to defend is compromised.
The result was a thumping manage-ment head-ache for many early IPS users. Configuring the IPS to the correct degree of sensitivity was often a tediously long and labour-intensive process that could still often result in a poorly calibrated system. Dealing with constant reports of potential malicious activity was also more than most IT staff had the resources to cope with. The result was an IPS that was often ignored or turned off altogether.
According to Dave Beesley, managing director of security consultancy Network Defence: “Customers are not really buying into this space. There is a perception that it's not really value for money and that the security budget is quite tight. I don't think historically there's been a compelling case provided for IPS, which I think the industry has begun to recognise.”
Yet many users still stuck with IPS. The requirements of auditors, typically for compliance, have proved a factor behind many such installations. “In the enterprise area, compliance is a major factor,” adds Beesley. “It can be a requirement of the auditors to have an audit trail. For SOX compliance, it's a useful tool for auditors to see logs of attacks being stopped.”
But genuine security concerns have also motivated organisations to invest in an IPS. There are now so many malicious internet attacks, mainly from automated “script kiddie” attacks, that the CERT security organisation has stopped recording the number, regarding it as meaningless. Despite a decrease in malware releases, last year IBM's Global Business Security Index Report saw an increase in attacks with criminal motivation, and expects that trend to continue. In particular, 2005 saw the arrest of cybercriminals around the world who were found to have links to organised crime. Many more were motivated by financial gain rather than destruction or ostentation.
Cal Slemp, vice-president of IBM's security and privacy services division, says the company believes the environment has shifted. “We are seeing organised, committed and tenacious profiteers enter this space. This means that attacks will be more targeted and potentially damaging.”
The attacks are mostly being targeted at high-profile companies, such as Google, but companies that operate in lucrative market areas such as finance are being targeted as well. Peter Rendell, CEO of IPS vendor Top Layer, says many of these attacks are variants on an older theme: “They're usually extortion: we'll take your site down if you don't pay a ransom.”
He recently installed an IPS at a major telecoms client that was worried about bandwidth being siphoned off and used for other people's profit, typically in VoIP schemes – a variant on a common technique used against telecoms firms in the 70s. “Google pays millions each year for its bandwidth. It stands to lose that if others steal its bandwidth,” he explains.
While the need for a working intrusion prevention system might therefore exist and be growing as attacks become more sophisticated, the question still remains as to whether the latest IPSs are capable of defending against them.
Certainly, the systems at the very high end can provide very powerful defences against attackers, but for the mid-range, some doubt remains. The Information Security Forum's Wilson believes his research suggests that, while IPSs have improved, they still don't have what it takes to provide cast-iron protection against attacks.
“The thinking with IDS and then IPS seems to be of ‘jam tomorrow'. But it has never worked quite that well.”
As high-end attackers begin to use a blend of techniques, including social engineering, and more and more legitimate traffic travels through the web server port 80, thanks to web services enabled, it's far harder for IPS to provide complete protection without having to perform in-depth scans of traffic content.
While computing power has increased, being able to cope with the amount of data that might arrive down a gigabit Ethernet connection is still more than most systems can cope with.
Both vendors and analysts agree that expecting an IPS to defend against everything is impossible. Indeed, in many cases, all that should realistically be expected of an IPS is the ability to block the majority of attacks, warn of other potential threats and maintain a forensic log in case of penetration.
“Some things could well get through,” admits Cisco security consultant Kevin Regan. Although Cisco's host-based IPS, the Cisco Security Agent, has a good track record of protecting against zero-day attacks, he warns that it's difficult to make any predictions. “There are hundreds of thousands of viruses out there,” he explains.
Instead, he advocates a more “belt and braces” approach, with IPS potentially giving a window of comfort for organisations, during which they can tighten their security, apply patches and so on, when they become aware of a problem thanks to the IPS.
Similarly, Scott Lucas of Extreme, which sells network-based IPSs, suggests that the behavioural analysis tools used by most IPSs need time to become ‘sure' of an attack; certain hosts might need to be “sacrificed” on the network before the IPS can decide with certainty that traffic is malicious and block it.
If an organisation decides that it does need an IPS, this works best as part of a unified security strategy. Relying on an IPS by itself to protect against all attacks would be foolhardy. However, relying on a combination of dedicated anti-virus, firewall, IDS and IPS technology, among other tools, should be enough to protect most organisations against the majority of attacks while providing the necessary forensic evidence afterwards.
This approach does bring with it some increased management requirements, although these are not as great as the requirements imposed by earlier IPSs.
As Paul Brettle, systems integration company Stonesoft's country manager for the UK and Ireland, puts it: “There are a few large American companies that say it's as simple as a click of a button. Get a life: it's never going to happen. That's massively over-simplified.”
But it can become a manageable technology, with improved integration with security management consoles, improved intelli-gence in the devices, and improved imple-mentation strategies.
Most organisations, however, don't need an IPS, adds Brettle: “If you have a good firewall, you probably don't need one.”
IPSs are an evolution of IDS; they still require management and fine-tuning, although those problems are being reduced. For many organisations, they are unnecessary. They are certainly not a panacea. But for those high-risk businesses that are prepared to invest time and money managing it, and who are able to use the technology in conjunction with other proven security systems, IPS has the potential to protect against many of the minor – and some of the major – security problems facing organisations today.
Intrustion Prevention and Detection
There are two main types of intrusion prevention system, each offering different forms of protection:
Network intrusion prevention systems
These hardware and software platforms analyse network traffic. Most IPS systems are able to analyse both low-level TCP/IP traffic and higher level protocols, such as HTTP and FTP, for signs of malicious activity. Since they prevent attacks, there is no risk of the attack having an effect on the target and the load on the target system is reduced.
Host-based intrusion prevention systems
These install software on servers and devices that need to be protected against cyberattacks. Typically, they contain vulnerability profiles and technology designed to protect the specific host platform on which they are installed – or potentially just a specific application – rather than all possible targets. This should result in less demands on the host than a general-purpose agent. Since it is based on the host, it avoids the problem network-based systems face of encrypted network segments.
Different manufacturers have taken different approaches to detect and prevent attacks, although more and more systems use a hybrid approach:
IPSs that use signatures rely on researchers having developed profiles of attacks that detail the behaviour expected in an attack. These systems require frequent updating. There is also the potential for the system to be too generic and not fit the network it is monitoring unless the organisation is able to add its own signatures. However, there are certain kinds of attack that can only be spotted reliably using signatures.
Rather than give the system a list of all known attacks and setting it to prevent them, IDS systems that ‘learn' are given the chance to observe network traffic for a period of time. They then know what traffic is allowed and then block any traffic that is unusual for the network. Learning systems can be far more attuned to the requirements of specific network segments than signature-based systems. However, they require a long period of time to set up and will need retraining when significant changes are made to the network. There is also a risk of training learning systems to accept bad behaviour if the network is already under attack.
Predominantly the method used by Axceo, these systems present fake services to potential hackers. If the hacker tries to access the services, the system is able to block future activity from the hacker from reaching the true services. Not a substitute for other services, it nevertheless can block a substantial amount of malicious activity.
Case Study: Task Force
Task Force is a medium-sized logistics company based in Essex, with offices around the country.
It has various systems installed in these offices, including Linux servers and Exchange servers, and uses a bespoke management application for its fleet and a Windows server for file and terminal services. Three years ago, IT manager George Nursey decided to buy software licences from Astaro for its then PC-based security system. He has upgraded each site to an Astaro ASG appliance over a six-month period, with the final box being put in place in June.
“We used to have a Netgear firewall, which was about as useful as a chocolate fireguard,” says Nursey. “We're 24 hours, six days a week and we can little afford any downtime. We felt we needed a little bit extra.” The upgrade to the Astaro system, which provides a management layer over a suite of open-source security packages, was initially motivated by the need for easier management and better protection. “It sits in the background and is very good and secure. I have Astaro boxes at four sites. You don't have to touch them very often. That's the reliability I'm looking for on a 24/7 basis.”
The Astaro software did not include the optional intrusion-detection module, however. But six months ago, Nursey decided to invest in the module for all Task Force's sites. “It's pure paranoia from a security point of view. Just like any business, we have business-critical systems and lot of them these days are web-facing. We want something that is as secure as we feel comfortable with.”
The Astaro module was recommended by one of Task Force's IT consultants, but the decision to buy was based on a range of criteria. “It was a standard business case,” says Nursey. “A balance of costs. In the transport industry, we can't afford top notch – we have to manage within our budget.”
Nevertheless, Nursey says he's “incredibly impressed” by the Astaro IDS. “It took only half a day to set up. Now we just get reporting emails and an executive report at the end of the week. It's pretty maintenance free – as it possibly can be.”
Nursey says that although management of the Astaro packages is easy in general, he doesn't have the time to manage the IDS, so he relies on his consultant to manage it, all of which he does remotely from Newcastle. “If there's anything I need to do, he lets me know.”
So far, he says he's impressed with IDS, which has been able to block various attacks. “We have had a couple of denial-of-service attempts. On a daily basis, I get reports from the IDS saying whether it's detected low-, medium- or high-grade attacks. Often, we do get high-grade attacks. To be honest, we haven't had a single problem since we've had the Astaro put in.”