Intrusion Prevention Systems in the spotlight

Intrusion Prevention Systems (IPS) are starting to attract the interest of IT managers at all levels, largely thanks to their innate ability to enforce company security policies and, of course, help stop attacks on an organization’s IT resources in real time. But how do they compare to Intrusion Detection Systems (IDS) and are they effective?

To the casual observer, intrusion prevention and intrusion detection systems look quite alike. Both IT security systems examine traffic flowing in and out of a network, essentially looking for things that don’t belong.

Steve Gold outlines the pros and cons of IPS and IDS, and explains the advantages that IPS can bring to your company…

Unknown to most people outside of the IT security industry, however, there are now significant differences between IPS and IDS technologies.

These differences are now persuading IT managers to look seriously at installing IPS on their company networks, where previously they had total faith in IDS technology.

So what is an IDS?

At its most basic, an IDS examines packets, gathers information, logs that data and alerts the appropriate manager if it thinks something bad is happening.

It’s then down to the manager to decide what action to take, since the IDS does not make decisions about blocking traffic. A good IDS can also provide a wealth of data on network activity for later security audit and/or forensic analysis.

An IPS, meanwhile, not only examines network traffic, but can also automatically block traffic it thinks is inappropriate or malicious.

This takes a real-time burden off the manager's shoulders, although it is worth noting that some IT managers are less than happy with turning over part of their job function to a machine.

One of the criticisms of IPS in the past has been that, because the system had to make go/no-go decisions on data traffic on-the-fly (i.e. in real time), the technology was not capable of examining IP traffic as closely as an IDS, or of logging that data in detail for later analysis.

Modern IPS technology solves this problem by throwing the twin attributes of sheer processing power and good programming into the mix.

With a good IPS platform installed on their IT resource, managers can be confident that legitimate traffic is not being blocked or impeded, whilst any untoward network traffic is blocked in real time, and the appropriate logs created.

IPS and Regulatory Compliance

This is good news for companies seeking regulatory compliance – as required by, for example, the Sarbanes-Oxley Act in the US, and the Companies Act 2006 in the UK, the provisions of which are being progressively phased in between now and late 2008.

In addition to these regulatory requirements, those major companies allowing customers to pay using credit or debit cards must now achieve – or be seen to be working towards achieving – PCI-DSS compliance.

PCI-DSS stands for the Payment Card Industry Data Security Standard, a set of guidelines and best practice rules developed by the major card companies to help payment processing organizations prevent most types of fraud and similar revenue-reducing interactions.

Under PCI-DSS rules currently being implemented by the major card issuers, any company processing, storing, or transmitting credit card numbers must be PCI-DSS compliant within certain timescales or they risk losing the ability to process card transactions.

As you might expect, given the revenue consequences of losing the ability to process card payments – even for a short time whilst PCI-DSS standards are verified by a third-party QSA (Qualified Security Assessor) company – compliance has become a major concern for many companies.

Installing a good IPS platform is a central plank in obtaining PCI-DSS compliance. It is not the only requirement, but installing a reliable IPS means that a company seeking PCI-DSS compliance is well on its way to achieving approval from a QSA in this regard.

Characteristics of a True IPS

As with most matters in the world of IT, not all IPS platforms are created equal, as some systems are smarter and more powerful than others.

On top of this, the more advanced IPS offerings are now able to handle very high data throughput, largely thanks to the fact they have been designed to operate interactively and on an in-band basis - i.e. inside the main data flow, rather than passively monitoring the communications flow, as is normally the case with IDS technology.

To operate effectively in this high-speed environment, a good IPS needs to be highly reliable under maximum load conditions, with sophisticated recovery mechanisms – e.g. dual power supplies, inherent high availability technology, fail-to-wire, etc. – and generate no false positive responses to any data flowing through its conduits.

Deriving the information

Thanks to the development of advanced GUI (graphical user interface) technology in recent times – driven in part by the evolution of various platform operating systems – managers are now able to derive a lot more information from their IPS platforms than they were just a few years ago.

Coupled with effective drill-down options in the management dashboard – also known as the console – of the IPS, they are now able to make informed decisions on how to customize an IPS to handle most situations in real time, rather than relying wholly on pre-programmed settings, which can result in false positives being applied to a small number of otherwise legitimate IP transactions.

Until a few years ago, most vendors were busy promoting IDS-based IT security as the best method of protecting a company’s IT resource, mainly because of the processor and data throughput limitations of server and allied data backplane technologies.

The last few years, however, have seen several vendors develop an almost modular approach to IPS, even to the extent of using a virtual server approach to the issue of multiple operating systems and multiple IT security applications running on the same rack system.

This trend, though reliant on the tremendous strides that have been made – and continue to be made – in processing and allied IT systems power, has allowed a number of vendors to develop real-time IPS platforms that can cope with telco and even Internet service provider levels of IP traffic, all without dropping a byte of data on any channel.

The importance of real-time detection of, and intervention against, attacks on a company’s IT resource cannot be overstated. Just as companies of all sizes have embraced the communications and high levels of interaction that the Internet offers them, so have the criminal and hacking fraternity.

Just a few years ago, it was possible for IT security technology vendors and their customers to rely on a window of several days existing between a flaw being found in an operating system or software application and that flaw being exploited by a hacker in the latest malware attack.

That window used to allow vendors the time required to develop operating system and/or software updates/patches and distribute them to their customers.

Not any more. The incidence of so-called zero-day attacks is rising, with hackers launching multi-vector attacks within a matter of hours of the security flaws being discovered by their peers, who may be on the other side of the world.

Because of this trend towards faster and faster exploits of security flaws, there are clear advantages of using an IPS over an IDS platform to protect a company IT system.

Rather than rely on an IT manager or member of staff responding quickly to an IDS report of a potentially serious attack, the IPS can make a decision on whether to allow or disallow an IP transaction in real time.

TippingPoint's IPS platform is built around the company's TSE (Threat Suppression Engine), a highly specialized hardware-based system, which uses state-of-the-art network processor technology working in tandem with a range of custom ASICs (Application Specific Integrated Circuits).

Using this parallel processing approach to IPS means that the TSE can perform thousands of checks on each packet flow simultaneously and handle data throughputs as high as 20 gigabits per second with packet latencies of less than 84 microseconds.

For the technically minded, the TippingPoint TSE architecture enables traffic classification and rate shaping – sophisticated algorithms baseline 'normal' traffic flow, allowing for automatic thresholds and throttling so that mission critical applications are given a higher priority on the network.
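To make the two points above concrete, here is an added example (not TippingPoint's code, nor any vendor's) that runs the same filter set over constructed sample packets in passive IDS mode and in-band IPS mode: the IDS only logs alerts and forwards everything, while the IPS applies its verdict before delivery. It also shows a simple baseline-derived rate threshold of the kind described in the paragraph above; the filters, baseline and packets are all hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample packets (source IP, destination port, payload); not real captures.
PACKETS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.9", 80, b"GET /../../etc/passwd HTTP/1.1"),  # matches a signature filter
    ("10.0.0.5", 443, b"client hello"),
] + [("10.0.0.7", 53, b"dns query")] * 8                   # burst well above baseline

# Hypothetical signature filters: name -> byte pattern looked for in the payload.
FILTERS = {"path-traversal": b"/../", "ssh-probe": b"SSH-2.0-probe"}

@dataclass
class Engine:
    inline: bool                   # False = passive IDS, True = in-band IPS
    baseline_per_source: int = 3   # assumed "normal" packets per source in this window
    forwarded: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    dropped: list = field(default_factory=list)
    seen: Counter = field(default_factory=Counter)

    def inspect(self, pkt):
        """Return True if the packet is delivered, False if the IPS drops it."""
        src, port, payload = pkt
        self.seen[src] += 1
        reasons = [name for name, pat in FILTERS.items() if pat in payload]
        # Rate shaping: a source exceeding twice its baseline is throttled.
        if self.seen[src] > 2 * self.baseline_per_source:
            reasons.append("rate-threshold")
        if reasons:
            self.alerts.append((src, port, reasons))   # both modes log and alert
            if self.inline:
                self.dropped.append(pkt)               # IPS: verdict applied in-band
                return False
        self.forwarded.append(pkt)                     # IDS: observes, never blocks
        return True

def run(inline):
    eng = Engine(inline=inline)
    for pkt in PACKETS:
        eng.inspect(pkt)
    return eng

if __name__ == "__main__":
    for mode, eng in (("IDS", run(False)), ("IPS", run(True))):
        print(mode, "forwarded", len(eng.forwarded), "dropped", len(eng.dropped),
              "alerts", len(eng.alerts))
```

Both engines raise the same three alerts; only the inline engine stops the three offending packets, which is exactly the difference between reporting an attack and preventing it.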

Despite this apparently complex architecture, the TippingPoint IPS systems – which can support the smallest to the largest business – are supplied on a pre-configured basis to the customer, meaning they effectively work on an out-of-the-box basis.

Each IPS also comes with its own set of customizable filters, allowing the IT manager or relevant member of staff to adapt the settings of the IPS to meet their own unique needs.

Supporting the TSE architecture is a Digital Vaccine® system developed by the company's DVLabs security research team.

The Digital Vaccine technology allows real-time updates to be delivered to each TippingPoint customer installation, allowing the IPS platform to preemptively protect against exploits involving new and zero-day vulnerability attacks.

Digital Vaccine updates are delivered automatically twice a week, or immediately when critical vulnerabilities and threats emerge.

It is advanced technology like this that has persuaded the IT managers of more than 3,000 enterprises around the world to install TippingPoint’s IPS platform on their networks and so enjoy the benefits of 900-plus in-band filters and packet latencies of under 100 microseconds.

Conclusions and recommendations

Does the fact that IPS technologies have developed to such an advanced stage make IDS platforms obsolete?

Not necessarily, as it is important to understand that the days of relying on a single IT security platform to defend against all manner of electronic threats against an organization’s systems are now long gone.

Most companies now defend their IT resource using several security products, often from different vendors, but with the important proviso that the products can interact well and be controlled by a single application, usually known as a security console or dashboard application.

The use of a console or dashboard application requires that the underlying IT security systems and software have an effective API for interacting with each other, which means that the intelligent IT manager should ask their vendors about the degree and flexibility of interaction that their respective IT security product has with third party systems.

This question is, of course, in addition to the power, features and overall capabilities that a supplier’s IPS or IDS platform has – as with most matters on the technology front, there is only so much that the specification sheet on a given product can tell the prospective customer.

It’s worth noting that the answers to this question are usually quite revealing and allow even the most hard-pressed IT manager to make an informed decision as to which IPS architecture – if any – they need to add to their systems.