February 2006

Choosing the Right Intrusion Prevention System

Intrusion prevention systems are helping organizations prevent external attacks and decrease IT security costs. However, choosing the right system is a must for organizations, as they continue to struggle through more sophisticated network attacks and vulnerabilities.

Jon Oltsik
Senior Analyst
Enterprise Strategy Group

For many organizations, modern networking is a challenging process: As the network becomes more essential for business operations, users can expose organizations to dangerous security risks and threats. Although perimeter firewalls do a good job of thwarting external attacks, additional security measures may be needed to protect networks from hacking attempts and other threats. For example, according to research conducted in 2005 by IT analyst firm Enterprise Strategy Group (ESG), 66 percent of organizations surveyed said they were impacted by an automated Internet worm in the previous 12 months, and more than half were attacked more than twice. Of the 251 North American companies that participated in the survey, 96 percent claimed they had a firewall in place.

To protect computer networks from external attacks more effectively, many IT departments use intrusion prevention systems (IPSs) — software programs that detect suspicious network behavior. During the control assessment process, IT auditors may work with security professionals when identifying ways to help organizations enhance internal network security. As a result, auditors need to familiarize themselves with the benefits offered by IPS systems and the factors companies need to keep in mind before investing in intrusion prevention technology.

THE CURRENT STATE OF NETWORK SECURITY AND IPSs

The Internet has changed the way many organizations view network security. Although Internet-based applications and communications have helped organizations boost revenue, streamline processes, and manage costs, Internet use has opened the door to hackers and malicious codes attacks. Similarly, telecommuting has increased the risk of Internet-based security breaches, thus impacting corporate network security efforts. For example, employees working from home or another remote location may not have the latest antivirus software definitions installed on their desktops or laptops. Therefore, when the employee's laptop becomes infected with a worm, the laptop can easily infect other computers once it reconnects to the network. Furthermore, Internet-based attacks can reduce work productivity. When a worm or Trojan infiltrates a corporate network, security staff may take critical business systems offline — sometimes for extended periods of time — preventing employees from accessing needed systems and applications.

To minimize network security risks, many companies are using IPS applications that sit on the network, examine traffic, and block malicious or suspect code. Some security experts consider IPS technology to be an extension of intrusion detection systems — software or hardware that detect and log inappropriate, incorrect, or anomalous activity. However, IPS programs go one step further by preventing potentially malicious activity at the host level and making access control decisions based on an application's content, rather than an Internet protocol address or port. IPS programs are also more effective, automated, and efficient than other security solutions: If configured correctly, they can eliminate the need for, and high cost of, emergency system patching by blocking specific exploits.

ACQUIRING AN IPS: WHAT TO LOOK FOR

Most network and security vendors offer a variety of IPS software solutions. As a result, choosing the right IPS software can become a daunting task. To help organizations choose the right IPS software program, auditors may recommend that organizations invest in a solution that:

1.  Installs with ease. Global business operations and Internet connectivity demand year-round network availability. Therefore, few companies will be willing to take the network offline for a painful IPS implementation. To support and protect "round-the-clock" business requirements, IPS devices must be easy to install, remain transparent to normal network traffic, and provide immediate protection against malicious code propagation, denial-of-service attacks, and hacking exploits.
2. Provides flexible configurations for different networking needs. Every IT department will have different requirements for adding an internal security device. Some will want the device to remain passive, while others will want maximum protection immediately. The IPS must have the ability to be configured for specific protection needs so users can choose the configuration that best meets business security demands.
3. Protects against a wide range of attacks. Because IPS devices monitor Internet protocol packets, they should have the ability to block different attacks over time. At a minimum, an IPS must provide protection against protocol anomalies; known attacks, such as probes, scans, and backdoors; malicious code, including worms, viruses, and Trojans; peer-to-peer traffic; and denial-of-service attacks. Advanced IPS applications also must be able to enforce compliance with network flow policies and watch for suspicious tunneling using Internet protocol version 6, also known as IPv6 tunneling. Finally, to protect against zero-day and customized attacks, IPS devices must use a combination of signatures and behavioral heuristics to detect security threats.
4. Offers a range of performance options. Years ago, many companies connected to the Internet with minimal performance requirements, ranging from 1.5 to 45 megabytes per second. However, as intrusion prevention becomes an enterprise network service, IPS devices must support larger bandwidth requirements, ranging from 100 megabyte local area networks to 1 gigabyte wide area networks. IT departments must also have ample choices in terms of port density, so they can match security protection with network configurations and budget restrictions.
5. Meets enterprise architecture and management needs. A companywide IPS requires dozens of geographically distributed devices. IT security managers must have the ability to deploy, configure, and administer these systems through centralized management and policy tools. In addition, the IPS application must have a centralized functionality that includes detailed reporting and audit capabilities, so organizations can monitor events and controls that support regulatory compliance requirements. 

Once an IPS system is purchased and installed, auditors need to review the system's configuration controls. First, auditors need to determine that only authorized employees have administrative access rights to the system and that their access capabilities are independent from operational responsibilities. Second, IT auditors need to assess the rationale for configuration changes that alter the IPS's activities or functionality. For example, is the system blocking attacks in a way that protects the entire network or just certain network segments? Finally, auditors should review IPS log files to understand their role in overall security. When combined with log files from firewalls, networking equipment, servers, and applications, IPS logs can help to provide a more comprehensive picture of normal — versus anomalous — network use patterns.

BEYOND IPS

Although networkwide IPS devices enhance perimeter protection, they only provide one security layer. Given today's business requirements and threat landscape, auditors can help organizations establish a comprehensive threat management security infrastructure that improves the effectiveness of IPS programs and other security tools, such as firewalls and antivirus software, through better integration. This comprehensive threat management security infrastructure should include:

• Regular risk assessments. As the business saying goes, "You can't manage what you don't measure." This is especially true in IT security, where a new application or system configuration change can turn a secure enterprise into melted cheese. To alleviate this risk, companies should conduct risk assessments, gap analyses, and network scans on a regular basis and implement stop-gap controls immediately. Companies also should consider automating these processes so risks and internal control gaps are discovered in real-time.
• Deep security intelligence. Strong security is more than just detecting and preventing attacks. In an ever-changing threat landscape, security groups must anticipate the attack vectors that could impact their IT assets, employees, or business processes. To stay ahead of criminal or unauthorized activity, security defenses should gather ongoing intelligence about malicious Internet activities, geographic events, and targeted industry attacks, as well as distribute this information to the appropriate personnel.
• Specific application safeguards. Although protecting the network is critical, many of today's attacks are directed at business systems such as e-mail and Web-based applications, where a system breach could cripple communications, impact revenue, or lead to the theft of confidential data. To assuage this risk, companies must put explicit application safeguards in place, such as application-layer gateways and tight access controls.
• Desktop protection. In the escalating war between the security industry and black hat community, one constant remains: Infected PCs often help to propagate malicious code. To address this threat, companies need to implement desktop security software, stay current with software signatures, and scan machines regularly to check for malicious code. Organizations should enforce this behavior by implementing end-point integrity solutions that inspect PC configurations and hard drive statuses before allowing access to the corporate network.
• Management integration. To protect critical business processes, information security technologies must evolve from independent pieces to an integrated architecture. This will require messaging communications, event correlation, policy management, and centralized reporting. The ultimate goal should be an integrated security architecture that maximizes protection, automates processes, and lowers costs.

A comprehensive security model that incorporates the guidelines above will help companies maximize the use of IPS programs and protect critical assets — from desktops to data centers — while minimizing business risks.

ENDING THOUGHTS

In addition to perimeter firewalls, IPS technology has become a proven line of defense for networks. For many organizations, it is no longer a case of whether or not they will implement an IPS; it is a question of when they will deploy it and how many systems they will need. However, like any applications on the corporate network, IPS technology must be reliable, scaleable, and manageable. Furthermore, it is important to look at intrusion prevention as a virtual network service rather than a stand-alone security device. In this context, IPS programs must fit seamlessly into existing networks, offer advanced protection, provide flexible configuration options, and aggregate into an enterprise-class architecture. Following the recommendations above will not only help organizations implement a layered security infrastructure that incorporates effective IPS technology, but will help IT auditors keep abreast of network security tools that meet corporate needs and stay ahead of external threats.

Jon Oltsik is a senior analyst at Enterprise Strategy Group (ESG) and has expertise in security management and technology. Prior to joining ESG, Oltsik was the founder and principal of Hype-Free Consulting and served as vice president of marketing and strategy at GiantLoop Network. Oltsik was also a senior analyst at Forrester Research, where he conducted studies on different infrastructure and IT topics.