
Defining the Rules of Preemptive Protection: The ISS Intrusion Prevention System

White Paper Published By: Internet Security Systems

Intrusion Prevention Systems (IPS) are rapidly becoming an integral part of an effective network defense solution. Unfortunately, finding the truth in today's often overhyped market of network-based IPS offerings is no easy task.



Tags : 
intrusion prevention, network security, internet security

Internet Security Systems
Published:  Aug 21, 2009
Type:  White Paper
Length:  10 pages

Defining the Rules of Preemptive Protection:
The ISS Intrusion Prevention System
By Chris Simmons and Freddy Mangum
Copyright© 2004 Internet Security Systems, Inc. All rights reserved worldwide
Introduction
Intrusion Prevention Systems (IPS) are rapidly becoming an integral part of an effective network defense solution. Unfortunately, finding the truth in today's often over-hyped market of network-based IPS offerings is no easy task. As the technologies behind IPS become increasingly complex, so does determining which IPS solutions can actually deliver preemptive protection, a new standard in security that stops attacks before they impact the network.
Before attempting to analyze any vendor's IPS offering, it is important to understand that network security is not an absolute. The network security landscape has become cluttered with buzz-word technologies, snake oil solutions and panaceas all advertising complete protection. Often, vendors making these claims do not account for the dynamic nature of online threats, resulting in solutions that are only effective against a small subset of threats in the wild. It is important to recognize that no singular IPS technique provides adequate protection against all known and unknown network security threats. Like traditional physical security, every unique Internet threat may require a new approach to best detect and neutralize it before it causes damage.
So how can you determine which IPS will deliver accurate, preemptive protection against the next Internet threat? The rules of preemptive protection are clear. Network IPS products that block attacks before impact must offer optimum performance, provide the highest level of protection, and rely on a solid foundation of research covering both threats and vulnerabilities.
Figure 1: Preemptive Protection Requirements
As illustrated in Figure 1, an IPS must have superior characteristics in the following three areas to enable preemptive protection:
• Performance - The ability to perform transparently in the network environment while also supporting the other critical areas of preemptive protection.
• Protection - The ability to provide a high level of protection requires many protocol identification and analysis techniques to ensure optimum accuracy.
• Research - Powerful intrusion prevention is based on up-to-the-second security intelligence that keeps pace with the changing threat landscape. This requires an in-house research team that fully understands network security threats and vulnerabilities, and injects that knowledge into the product as threats adapt and before they impact business.
Now that the three rules of preemptive protection (performance, protection and research) are defined, evaluating the efficacy of an IPS offering becomes much easier.
Performance
The first rule of preemptive protection from an Intrusion Prevention System is performance. IPS performance should be ideally matched to the environment being protected. Several sub-categories outlined below contribute to the overall performance of an IPS.
Figure 2: Performance Requirements
In-line Operation
An effective IPS must operate transparently in-line on the network. Transparent in-line operation results in minimal impact to information technology (IT) infrastructure.
Reliability
Intrusion prevention is usually applied at critical network infrastructure points. Therefore, IPS failures have the potential to cause system outages. With crucial information and systems on the line, IPS solutions must be highly reliable with a long Mean Time Between Failure (MTBF).
Availability
At a minimum, network IPS must not interfere with traffic should it malfunction or go into an offline state. To avoid this outcome, network IPS devices should fail open, regardless of network media.
Low Latency
Network-based IPS devices must introduce a minimal amount of latency to network traffic. Low latency is often the most critical performance factor for network IPS. Example: Business critical Voice over IP (VoIP) applications begin to degrade noticeably at approximately 1,500 microseconds. An in-line IPS m...
