Barbarians at the gate

Fear unites us. We used to be afraid of network problems, such as bandwidth and broken switches. Now we're afraid of the bad guys.

Our networks must be connected to the Internet, yet the Internet is a cesspool of attackers constantly hammering on our defences, looking for that chink in the armour. It's not just the Internet: we fear our own users, lest their indispensable laptops acquire some vagrant affliction while driving by a Starbucks Wi-Fi hot spot.

To assuage our fear, we need tools. There are those who want to sell all manner of software for PCs: personal firewalls, security checkers, virtual desktops, and NAC and NAP and TAP and other acronyms not yet invented.

Network managers know that these are not the answer: The network must defend itself. Cisco's advertising slogan is not so stupid after all. And what better technology than an intrusion-prevention system (IPS)? Something you plug into the network itself, and it inspects packets and blocks the bad ones.

Every network needs IPS technology. All networks have firewalls, a basic protective technology. But the firewall is a mute guardian, seldom touched and rarely examined. It blocks all but a few connections that have been predefined as acceptable. Firewalls need to be updated with current software, but that happens twice yearly at most.

An IPS is just the opposite: It is an active participant in protecting the network. By examining traffic that firewalls pass, the IPS asks a second question: "Is there a reason to drop this packet?" As attackers press through legitimate openings in the firewall, and as internal infections reach out to the Internet to spread further, the IPS represents a line of defence that the firewall does not pretend to offer.

There are some networks for which an IPS offers no benefit. If all your application and network servers are invulnerable to malicious data, and if all the systems inside your network are invulnerable to viruses, worms and Trojan horses, you can live without one. But for the rest of the networks in the world, IPS technology brings some real value.

When considering how to incorporate an IPS into your network, the most important thing is to understand that IPS is a technology, not a product. This means that although you can easily buy a stand-alone box that sits somewhere in your network, that's not the only way - and may not even be the preferable way - to get the benefits of an IPS.

In 2006, we will see IPS technology continue to be married directly to network-infrastructure components, specifically firewalls and switches. Well-known names in security and switching, including Check Point, Cisco, and Juniper, are all offering integrated devices, and the list of start-ups pushing into the integrated-device space gets longer every week. This is a clear trend; for many general-purpose networks, it's the right way to add IPS to an existing network.

IPSs have been promising to protect networks for years, but are now finally able to make good on that promise. Initially, IPSs were too slow and too inaccurate to do much good, but recent testing has shown that the combination of rate-based, signature-based and anomaly-based techniques that are showing up in commercial products can add security to small and large networks.
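To make the three techniques concrete, here is a small added example (mine, not code from the original column or from any vendor's product) of an inline inspector that asks the firewall's question first and then the IPS's second question three ways: a byte-signature match, a per-source rate limit, and a deviation from a payload-size baseline learned from clean traffic. The `Packet`, `Inspector`, `RateLimiter` and `SizeAnomaly` names, the allowed ports, the signatures, the thresholds and the sample packets are all constructed for illustration; they are not real Snort rules or anyone's defaults.

```python
"""Toy inline inspector: the firewall's question, then the IPS's second question.
Added example; ports, signatures, thresholds and packets are constructed and are
not real IPS rules or vendor defaults."""
import statistics
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float        # arrival time in seconds
    src: str         # source address
    dport: int       # destination port
    payload: bytes

ALLOWED_PORTS = {80, 443}   # firewall allow-list: connections predefined as acceptable
SIGNATURES = {              # hypothetical byte signatures, not real Snort rules
    "path-traversal": b"../../",
    "shell-metachar": b"|/bin/sh",
}

def firewall_allows(pkt):
    """The firewall's only question: is this connection on the predefined list?"""
    return pkt.dport in ALLOWED_PORTS

def signature_hit(pkt):
    """Signature-based: name of the first byte pattern found in the payload, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in pkt.payload:
            return name
    return None

class RateLimiter:
    """Rate-based: more than `limit` packets from one source inside `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)          # src -> recent timestamps
    def exceeds(self, pkt):
        q = self.seen[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

class SizeAnomaly:
    """Anomaly-based: payload length more than `zmax` deviations from a clean baseline."""
    def __init__(self, baseline_lengths, zmax=6.0):
        self.mean = statistics.mean(baseline_lengths)
        self.stdev = max(statistics.pstdev(baseline_lengths), 1.0)
        self.zmax = zmax
    def anomalous(self, pkt):
        return abs(len(pkt.payload) - self.mean) / self.stdev > self.zmax

class Inspector:
    def __init__(self, rate, anomaly):
        self.rate, self.anomaly = rate, anomaly
    def verdict(self, pkt):
        """Returns (action, reason): the firewall first, then the IPS's three checks."""
        if not firewall_allows(pkt):
            return ("drop", "firewall")
        # The second question: is there a reason to drop what the firewall let through?
        sig = signature_hit(pkt)
        if sig is not None:
            return ("drop", f"signature:{sig}")
        if self.rate.exceeds(pkt):
            return ("drop", "rate")
        # Anomaly hits only alert: the noisiest class and the likeliest false positive.
        if self.anomaly.anomalous(pkt):
            return ("alert", "anomaly")
        return ("pass", "")

def sample_packets():
    """Constructed traffic: a clean request, two signature hits, a four-packet burst,
    an oversized upload, and a connection the firewall never allowed."""
    burst = [Packet(5.0 + 0.1 * i, "10.0.0.9", 443, b"GET /?q=" + b"a" * 47)
             for i in range(4)]
    return [
        Packet(1.0, "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        Packet(1.5, "10.0.0.7", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet(2.0, "10.0.0.7", 80, b"GET /cgi-bin/x.cgi?c=|/bin/sh HTTP/1.1\r\n"),
        *burst,
        Packet(9.0, "10.0.0.5", 443, b"POST /upload HTTP/1.1\r\n" + b"\x90" * 600),
        Packet(9.5, "10.0.0.5", 22, b"SSH-2.0-OpenSSH\r\n"),
    ]

def demo():
    """Run the sample traffic through an inspector built on a baseline of clean payload sizes."""
    inspector = Inspector(RateLimiter(limit=3, window=1.0),
                          SizeAnomaly([50, 52, 54, 56, 58, 60]))
    return [inspector.verdict(p) for p in sample_packets()]

if __name__ == "__main__":
    for pkt, (action, reason) in zip(sample_packets(), demo()):
        print(f"{action:5s} {reason:25s} {pkt.src}:{pkt.dport} {len(pkt.payload)}B")
```

Two design points carry over to real products: the order of the checks matters (a cheap signature match runs before the stateful rate and anomaly checks), and the anomaly detector is allowed only to alert, not to drop, because a baseline learned from traffic is exactly where the accuracy problems the column goes on to describe come from.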

First-generation IPSs were little more than intrusion-detection systems (IDS) with poor blocking capabilities. As IPS products have started to find their way into networks, vendors have been working on the triple bogies of accuracy, performance and management. These are the three issues to keep in mind as you investigate deploying IPS in 2006.

Although everyone wants to trumpet the fastest IPS on the market, the reality for most is that gigabit IPS is not a requirement. Since the most logical place for an IPS is toward the Internet side of the network, where the access link is the bottleneck, 200 Mbps will suffice for all but the most demanding environments. Nevertheless, performance is not to be taken lightly.

Unlike switching infrastructure, where determining worst-case performance is a fairly simple task, testing and measuring IPS performance is as much guesswork as it is objective results. This means that as you engineer IPS into existing networks, you must be extraordinarily conservative about performance.

IPS performance is difficult to specify because it is difficult to predict. An IPS looks at the data that flows through it, which means that two data streams of the same size can run at very different speeds, and some as-yet-undiscovered stream might bring your IPS to its knees. With so many IPS products built on the Snort open source core, this is not idle speculation: the black-hat hacker who discovers a way to make every Snort-based box in the world grind to a halt will certainly get his 15 minutes of fame. Decide, and test, what your deployment does when that happens: fail open and pass traffic uninspected, or fail closed and take the link down with it. Either is defensible; inheriting the vendor's default without knowing which it is, is not.
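The data-dependence described above can be shown without any real IPS. The added example below (mine, not code from the column, from Snort or from any product) counts the byte comparisons two signature matchers perform on two constructed streams of identical length: ordinary HTTP text, and a stream crafted so that every position almost matches the signature before failing on its last byte. A textbook matcher does about thirty times the work on the crafted stream; a matcher with a bounded worst case, here Knuth-Morris-Pratt, does the same job in linear time whatever the bytes are. That is why an inspection engine has to be benchmarked with adversarial traffic and not only with a clean replay. The signature, the stream contents and the function names are all constructed for illustration.

```python
"""Inspection cost depends on the bytes, not only on how many of them there are.
Added example: counts byte comparisons two signature matchers perform on
constructed streams of identical length. Signature and streams are made up."""

def naive_find(haystack: bytes, needle: bytes):
    """Textbook substring search. Returns (index or -1, comparisons performed).
    Worst case is len(haystack) * len(needle) comparisons."""
    comparisons = 0
    n, m = len(haystack), len(needle)
    for i in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if haystack[i + j] != needle[j]:
                break
            j += 1
        if j == m:
            return i, comparisons
    return -1, comparisons

def kmp_find(haystack: bytes, needle: bytes):
    """Knuth-Morris-Pratt: never re-reads a haystack byte, so the work is bounded by
    2 * len(haystack) comparisons regardless of what the stream looks like."""
    m = len(needle)
    fail = [0] * m      # fail[i]: length of the longest proper border of needle[:i + 1]
    k = 0
    for i in range(1, m):
        while k and needle[i] != needle[k]:
            k = fail[k - 1]
        if needle[i] == needle[k]:
            k += 1
        fail[i] = k
    comparisons = 0
    j = 0
    for i, b in enumerate(haystack):
        while j and b != needle[j]:
            comparisons += 1
            j = fail[j - 1]
        comparisons += 1
        if b == needle[j]:
            j += 1
            if j == m:
                return i - m + 1, comparisons
    return -1, comparisons

# Hypothetical signature: a long run of one byte followed by a different one.
SIGNATURE = b"A" * 31 + b"B"
STREAM_LEN = 4000

# Two constructed 4000-byte streams: ordinary HTTP text (which contains no 'A'),
# and one crafted so every position matches 31 bytes before failing on the 32nd.
BENIGN_STREAM = (b"GET / HTTP/1.1\r\n" * 250)[:STREAM_LEN]
CRAFTED_STREAM = b"A" * STREAM_LEN

def work_profile():
    """Comparisons each matcher spends on each stream; neither stream contains the signature."""
    return {
        "naive_benign": naive_find(BENIGN_STREAM, SIGNATURE),
        "naive_crafted": naive_find(CRAFTED_STREAM, SIGNATURE),
        "kmp_benign": kmp_find(BENIGN_STREAM, SIGNATURE),
        "kmp_crafted": kmp_find(CRAFTED_STREAM, SIGNATURE),
    }

if __name__ == "__main__":
    for name, (idx, comps) in work_profile().items():
        print(f"{name:14s} match={idx:3d} comparisons={comps}")
```

Real engines do not use a single naive matcher, but the lesson holds for any content inspection that backtracks, including regular-expression and protocol-decoder rules: the same number of bytes can cost wildly different amounts of work, so the worst-case stream, not the average one, sets the capacity you must engineer for.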

The weakest part of most IPS deployments is their management. Unlike most other network elements, an IPS is a never-ending management task, partly because of the many jobs it gets pressed into: not just protecting the network, but security forensics, worm and virus tracking, and even employee monitoring. There are exceptions. A few IPS products and deployments have little need for continuous management and monitoring; depending on your security policy and management style, you may touch the console only as often as you change your firewall rules.

But most IPS deployments, especially on stand-alone devices, do double duty as IDSs, and every IDS must deal with security logorrhea. Here management is a vital part of the entire system. Unless your traffic and policies never vary, you will have a continual (hopefully low-volume) stream of false positives to deal with.

Because IPSs also often function as security-analysis and forensics tools, it's critical that the management system be able to support those functions as well. When you select an IPS technology, evaluating its management system and its match to your expected usage is just as important as gauging its performance and accuracy.