Intrusion Prevention Systems (IPS) are rapidly becoming an integral part of an effective network defense solution. Unfortunately, finding the truth in today's often over-hyped market of network-based IPS offerings is no easy task. As the technologies behind IPS become increasingly complex, so does determining which IPS solutions can actually deliver preemptive protection, a new standard in security that stops attacks before they impact the network.
Before attempting to analyze any vendor's IPS offering, it is important to understand that network security is not an absolute. The network security landscape has become cluttered with buzz-word technologies, snake oil solutions and panaceas all advertising complete protection. Often, vendors making these claims do not account for the dynamic nature of online threats, resulting in solutions that are only effective against a small subset of threats in the wild. It is important to recognize that no singular IPS technique provides adequate protection against all known and unknown network security threats. Like traditional physical security, every unique Internet threat may require a new approach to best detect and neutralize it before it causes damage.
So how can you determine which IPS will deliver accurate, preemptive protection against the next Internet threat? The rules of preemptive protection are clear. Network IPS products that block attacks before impact must offer optimum performance, provide the highest level of protection, and rely on a solid foundation of research covering both threats and vulnerabilities.
As illustrated in Figure 1, an IPS must have superior characteristics in the following three areas to enable preemptive protection:
• Performance - The ability to operate transparently in the network environment while also supporting the other two areas of preemptive protection.
• Protection - The ability to provide a high level of protection, which requires a range of protocol identification and analysis techniques to achieve optimum accuracy.
• Research - Powerful intrusion prevention is based on up-to-the-second security intelligence that keeps pace with the changing threat landscape. This requires an in-house research team that fully understands network security threats and vulnerabilities and injects that knowledge into the product as threats adapt, before they impact business.
With the three rules of preemptive protection defined (performance, protection and research), evaluating the efficacy of an IPS offering becomes much easier.
Performance
The first rule of preemptive protection from an Intrusion Prevention System is performance. IPS performance should be ideally matched to the environment being protected. Several sub-categories outlined below contribute to the overall performance of an IPS.
In-line Operation
An effective IPS must operate transparently in-line on the network. Transparent in-line operation results in minimal impact to information technology (IT) infrastructure.
Reliability
Intrusion prevention is usually applied at critical network infrastructure points. Therefore, IPS failures have the potential to cause system outages. With crucial information and systems on the line, IPS solutions must be highly reliable with a long Mean Time Between Failure (MTBF).
Availability
At a minimum, network IPS must not interfere with traffic should it malfunction or go into an offline state. To avoid this outcome, network IPS devices should fail open, regardless of network media.
Low Latency
Network-based IPS devices must introduce a minimal amount of latency to network traffic. Low latency is often the most critical performance factor for network IPS.
Example: Business-critical Voice over IP (VoIP) applications begin to degrade noticeably at approximately 1,500 microseconds [1]. An in-line IPS must not introduce enough latency to affect the business continuity of such an application, while at the same time providing 100 percent intrusion prevention coverage.
High Performance
A network-based IPS must exhibit many of the performance characteristics of switching and routing equipment, while simultaneously blocking threats to the network and the devices connected to it.
Example: Line-speed refers to the ability of a device to process packets at the maximum speed rating of the network. The IPS must process traffic at line-speed to avoid "bottlenecks" that might open the door to a denial of service (DoS) condition should the traffic overload the device.
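The two performance checks above (added latency and line-speed drops) can be measured directly when an in-line IPS is evaluated with a tap on each side of it. The following is an added example, not code from the paper or any vendor; it assumes constructed tap records of the form (key, timestamp in microseconds), where the key identifies a packet on both sides, and uses the 1,500 microsecond VoIP figure quoted above as the budget.

```python
"""Evaluate an in-line IPS from packet timestamps captured on either side of it.

A tap before the device (ingress) and one after it (egress) each record
(key, timestamp_us). Matching records by key gives the latency the IPS adds
per packet; a packet seen at ingress but never at egress is a drop, which is
what a line-speed shortfall under load looks like from the outside.
"""
from math import ceil
from statistics import median

VOIP_BUDGET_US = 1500  # degradation threshold quoted in the text


def match_packets(ingress, egress):
    """Pair ingress and egress records by key; return (latencies_us, dropped_keys)."""
    egress_by_key = {key: ts for key, ts in egress}
    latencies, dropped = [], []
    for key, ts_in in ingress:
        ts_out = egress_by_key.get(key)
        if ts_out is None:
            dropped.append(key)          # never left the device
        else:
            latencies.append(ts_out - ts_in)
    return latencies, dropped


def percentile(values, pct):
    """Nearest-rank percentile (rank = ceil(pct/100 * N)) of an unsorted list."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def evaluate(ingress, egress, budget_us=VOIP_BUDGET_US):
    """Summarize added latency and drops; pass only if p99 fits the budget and nothing was dropped."""
    latencies, dropped = match_packets(ingress, egress)
    p99 = percentile(latencies, 99)
    return {
        "packets": len(ingress),
        "dropped": len(dropped),
        "median_us": median(latencies),
        "p99_us": p99,
        "meets_voip_budget": p99 <= budget_us and not dropped,
    }


# Constructed sample: ten packets of one SIP flow, 1 ms apart, entering the IPS.
INGRESS = [(("10.0.0.5:5060", seq), seq * 1000) for seq in range(1, 11)]
# Constructed per-packet delay the device added; seq 9 is absent, i.e. dropped.
ADDED_DELAY_US = {1: 120, 2: 130, 3: 110, 4: 125, 5: 140, 6: 115, 7: 2100, 8: 135, 10: 120}
EGRESS = [(key, ts + ADDED_DELAY_US[key[1]]) for key, ts in INGRESS if key[1] in ADDED_DELAY_US]

if __name__ == "__main__":
    print(evaluate(INGRESS, EGRESS))
```

A single 2,100 microsecond spike plus one drop is enough to fail the sample device, which is why the check looks at a high percentile and at drops rather than at the median alone.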
Scalability
At the network level, IPS devices must scale to a large number of user sessions and transactions without disrupting business continuity.
IPS performance requirements and characteristics differ slightly depending on whether intrusion prevention is deployed on the network or within host-based systems like servers and desktops.