Network IPS grows up from its IDS roots
Questions about performance, latency and availability still loom
By Network World Staff
The evolution of security products goes something like this: First came the firewall, followed by antivirus protection, followed by intrusion-detection systems, which generated quite a bit of hype until 2003 when a Gartner Group analyst declared that IDS would be dead in a couple of years.
The problem with IDSs was that they successfully detected malicious behavior but had two flaws: First, they didn't actually stop an attack, they just told you about it. Second, they were plagued with false positives, which seriously undermined their usefulness. (Picture a smoke alarm in your house that goes off every time you light the stove.)
Along came network intrusion-protection systems, which attempted to address both problems. IPSs were designed to not only identify attacks but also block them by dropping packets that were deemed suspicious. And they were designed to be more effective at discerning between true attacks and false alarms.
The first generation of IPS was based on signature detection. Vendors used honeypots to gather malicious code. They analyzed it and they created signatures for each virus, worm or other type of malware. Vendors then sent updates to the IPS devices to reflect the new signatures.
Signature detection works fine if the attack that's coming into the network has already been identified and there is already a signature for it and that particular IPS has been updated. However, signature-based IPS doesn't stop distributed denial-of-service (DoS) attacks, in which an attacker floods Web servers with legitimate traffic, causing them to crash.
Vendors responded by adding a rate-limiting feature to their IPSs. With a rate-based IPS, customers could set limits to the amount of traffic the network could accept. In the event of a distributed DoS attack, the IPS simply throttles back the amount of incoming traffic and thwarts the attack.
Of course, that still left the problem of what to do about zero-day attacks or attacks for which there is no signature. The answer to that is IPSs based on identifying suspicious behavior on the network.
These behavior-based IPS devices are designed to build a map of the network and the devices on the network, then use sets of rules to dynamically block attacks. The advantage of behavior-based IPS devices is that they can react more quickly to unknown attacks.
Most vendors today offer IPSs that combine all three types of prevention.
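To make the three prevention styles concrete, here is an added toy inline IPS (example code, not from the article or any vendor product) that runs a signature check, a per-source rate limit and a behavior check in sequence over constructed packets. The signature pattern, host map, thresholds and addresses are all invented for the illustration; real devices take signatures from vendor feeds and learn the host map from observed traffic.

```python
"""Toy inline IPS combining signature, rate-based and behavior-based checks.

Added illustration, not code from the article. The signature list, the
learned host/service map, the thresholds and every packet below are
constructed for the example.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # arrival time in seconds
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: bytes  # application-layer bytes the IPS inspects


# Constructed stand-in for a vendor signature feed: name -> byte pattern.
SIGNATURES = {
    "toy-sig-1": b"EVIL_MARKER",
}


class InlineIPS:
    def __init__(self, rate_limit=5, window=1.0, known_hosts=None, known_ports=None):
        self.rate_limit = rate_limit          # max packets per source per window
        self.window = window                  # sliding window length in seconds
        self.history = defaultdict(deque)     # src -> recent arrival timestamps
        self.known_hosts = set(known_hosts or [])   # hosts the IPS has mapped
        self.known_ports = set(known_ports or [])   # (host, port) services seen

    def _signature_check(self, pkt):
        # First generation: drop anything matching a known malicious pattern.
        for name, pattern in SIGNATURES.items():
            if pattern in pkt.payload:
                return f"signature:{name}"
        return None

    def _rate_check(self, pkt):
        # Rate-based: count packets from this source inside the sliding window
        # and throttle once the configured ceiling is exceeded.
        q = self.history[pkt.src]
        while q and pkt.ts - q[0] > self.window:
            q.popleft()
        q.append(pkt.ts)
        if len(q) > self.rate_limit:
            return f"rate:{len(q)} packets in {self.window}s"
        return None

    def _behavior_check(self, pkt):
        # Behavior-based: traffic to a host or service that is not on the
        # learned network map is treated as suspicious, signature or not.
        if pkt.dst not in self.known_hosts:
            return "behavior:unknown-destination"
        if (pkt.dst, pkt.dport) not in self.known_ports:
            return "behavior:unexpected-port"
        return None

    def inspect(self, pkt):
        """Return ('drop', reason) or ('pass', None) for one packet."""
        for check in (self._signature_check, self._rate_check, self._behavior_check):
            reason = check(pkt)
            if reason:
                return ("drop", reason)
        return ("pass", None)


def run_sample():
    """Push a constructed traffic mix through the IPS and tally the verdicts."""
    ips = InlineIPS(rate_limit=5, window=1.0,
                    known_hosts={"10.0.0.5"}, known_ports={("10.0.0.5", 80)})
    pkts = [
        Packet(0.0, "192.0.2.1", "10.0.0.5", 80, b"GET / HTTP/1.1"),
        Packet(0.1, "192.0.2.2", "10.0.0.5", 80, b"GET /?q=EVIL_MARKER HTTP/1.1"),
    ]
    # Constructed flood: eight benign-looking packets from one source in one second.
    pkts += [Packet(1.0 + i / 10, "198.51.100.7", "10.0.0.5", 80, b"GET / HTTP/1.1")
             for i in range(8)]
    pkts += [
        Packet(3.0, "192.0.2.3", "10.0.0.9", 80, b"GET / HTTP/1.1"),   # unmapped host
        Packet(3.1, "192.0.2.4", "10.0.0.5", 22, b"SSH-2.0-client"),   # unmapped service
    ]
    summary = Counter()
    for p in pkts:
        verdict, reason = ips.inspect(p)
        summary[verdict] += 1
        if reason:
            summary[reason.split(":")[0]] += 1
    return dict(summary)


if __name__ == "__main__":
    print(run_sample())
```

Running it yields six passed and six dropped packets: one on signature, three on rate (the flood's sixth through eighth packets) and two on behavior. The rate check also shows the false-positive risk the article warns about: a legitimate client that bursts past the ceiling is throttled exactly like a flood, so the limit has to be tuned against measured traffic rather than guessed.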
The way an IPS works is that it sits inline and performs deep-packet inspection and analysis at wire speed, blocking bad traffic and letting good traffic through. If this sounds too good to be true, it just might be.
Although IPSs are constantly improving, they are still a long way from perfect.
As with any type of security device that inspects packets, there are always concerns in terms of performance, latency and availability. After all, we're talking about devices that open up every packet and conduct a deep inspection, all the way to the application layer, before making a decision on whether to drop the packet or let it through.
Vendors may claim that the devices can inspect and move traffic at wire speed, but customers would be well advised to test out those claims on their own, particularly traffic flows. Latency is another issue, especially for VoIP or video traffic.
Then there are a variety of deployment options. IPSs are typically deployed in an inline stealth mode, which has the advantage of not having an IP address, which means it's not visible to the bad guys. An IPS can also be deployed as an inline gateway, almost like a Layer 3 router with an IP address assigned to each port. This gives network managers more control over how traffic is routed.
When it comes to enterprise-level IPSs, there are several usability issues that need to be addressed. First, configuration of IPS systems is not easy. Second, there are different alerting options to be considered. There are also monitoring, forensic and reporting features that must be looked at.
There are also two high-availability options: active/active mode, which gives you the benefit of the processing power of two IPSs; or active/standby, in which one IPS is handling all the traffic, and the second is standing by in case the first one fails.
But just as the stand-alone IDS was superseded by the IPS, these days the experts are predicting that the stand-alone network IPS will eventually be incorporated into an all-encompassing security device.
This new device, which some are calling the next-generation firewall and others are dubbing unified threat management (UTM), will combine firewall, VPN, antivirus, IPS and content filtering in a single box.
However, these UTM devices are currently more popular in small and midsize businesses, where the technical expertise to run multiple security devices may be limited. For large companies, dedicated network IPS is still the way to go.