Adoption of IPS increasing, cautiously

By Ellen Messmer, Network World
November 17, 2003 12:04 AM ET

Blocking attacks with intrusion-prevention systems (IPS) rather than simply monitoring for them with intrusion-detection systems (IDS) is slowly gaining ground inside corporations and government agencies, despite worries about disrupting legitimate traffic.

But many organizations don't use the full blocking capability of these products, whether they install them in a firewall-based Internet zone or deep inside a corporate LAN. To gain confidence that blocking won't backfire on them with false positives, organizations run the IPS in what's called mixed or bridge mode: the device drops a chosen subset of attack traffic, such as known worms, and otherwise works like an in-line IDS that only raises alerts.

"Don't switch to the blocking in the IPS until you really need it, say, to block worms like SQL Slammer," advises Lloyd Hession, chief security officer for Radianz, whose global network connects about 5,000 financial firms around the world. "These devices become a lightning rod inside an organization, and it's typical to blame the IPS for any problem."

Radianz has used an IPS inside its network for more than three years, in this case a software-based product called Guard made by Internet Security Systems (ISS). Hession says he's migrating from the Guard equipment to the ISS Proventia G200 appliance, scheduled to ship next week. Unlike Guard, the 200M bit/sec Proventia G200 can work in mixed mode, simultaneously blocking and monitoring. It also can be set up as a passive IDS.

Tips for using IPS products
Initially use an IPS in mixed mode — that is, with both active blocking and passive intrusion detection — to gain confidence that it won’t block legitimate traffic.
Make sure the IPS is flexible enough for custom-designed attack prevention.
Do both lab and production tests before full deployment.
If the selected network IPS works out, experiment using it without a firewall or IDS.
Prepare to face situations where, because of its novelty, the IPS will be the scapegoat for any number of network and application problems.

Out of the box, the $12,000 Proventia G200 is set to ban 100 threats, such as worms, peer-to-peer traffic, Trojans and instant messaging. But it also can be set up for in-line simulation, reporting on what it would have blocked if it had been allowed.
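The three deployment modes this article describes (passive IDS, in-line simulation that only reports what it would have blocked, and mixed mode that drops a chosen subset of signatures while alerting on the rest) can be shown side by side in a small engine. The following Python is an added example, not code from the article or from ISS or any other vendor named here; the signature predicates, port numbers, threshold and packet records are constructed for illustration, and the "Slammer" check is a toy indicator (UDP to 1434, first byte 0x04, oversized payload), not a production signature.

```python
"""Toy in-line inspection engine: passive IDS, in-line simulation, mixed mode.

Constructed example for illustration.  Packets are small dicts
(proto, dport, payload), not real network traffic.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

Packet = Dict[str, object]


@dataclass
class Signature:
    name: str
    match: Callable[[Packet], bool]
    action: str  # "block" or "alert": the operator's per-signature choice


def is_slammer(p: Packet) -> bool:
    # Toy indicator (assumption for the example): UDP to 1434 whose payload
    # starts with the SSRP request byte 0x04 and is far larger than any
    # legitimate SSRP query.  Threshold of 100 bytes is arbitrary here.
    payload = p["payload"]
    return (p["proto"] == "udp" and p["dport"] == 1434
            and payload[:1] == b"\x04" and len(payload) > 100)


def is_p2p(p: Packet) -> bool:
    return p["proto"] == "tcp" and 6881 <= p["dport"] <= 6889  # BitTorrent range


def is_im(p: Packet) -> bool:
    return p["proto"] == "tcp" and p["dport"] == 5190  # AIM/OSCAR


# Mixed-mode policy: only the worm signature is allowed to drop traffic;
# policy violations (P2P, IM) are alert-only until the operator trusts them.
SIGNATURES: List[Signature] = [
    Signature("worm.sql-slammer", is_slammer, "block"),
    Signature("policy.p2p-bittorrent", is_p2p, "alert"),
    Signature("policy.im-aim", is_im, "alert"),
]


class InlineEngine:
    """One in-line device configured in one of the three modes."""
    MODES = ("ids", "simulate", "mixed")

    def __init__(self, signatures: List[Signature], mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.signatures = signatures
        self.mode = mode
        self.alerts: Counter = Counter()       # every signature hit, all modes
        self.would_block: Counter = Counter()  # simulate: drops withheld
        self.blocked: Counter = Counter()      # mixed: drops actually made

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        forward = True
        for sig in self.signatures:
            if not sig.match(pkt):
                continue
            self.alerts[sig.name] += 1
            if sig.action != "block" or self.mode == "ids":
                continue  # alert-only signature, or device is a passive IDS
            if self.mode == "simulate":
                self.would_block[sig.name] += 1  # report, never drop
            else:  # mixed: this signature is trusted enough to drop
                self.blocked[sig.name] += 1
                forward = False
        return forward


# Constructed traffic sample: one legitimate SQL Browser query, two worm
# packets, one BitTorrent handshake, one AIM login, one HTTPS request.
TRAFFIC: List[Packet] = [
    {"proto": "udp", "dport": 1434, "payload": b"\x02"},               # legit SSRP
    {"proto": "udp", "dport": 1434, "payload": b"\x04" + b"\x01" * 375},
    {"proto": "udp", "dport": 1434, "payload": b"\x04" + b"\x01" * 375},
    {"proto": "tcp", "dport": 6881, "payload": b"\x13BitTorrent protocol"},
    {"proto": "tcp", "dport": 5190, "payload": b"*\x01\x00\x00"},
    {"proto": "tcp", "dport": 443,  "payload": b"\x16\x03\x01"},
]


def rollout(packets: List[Packet], signatures: List[Signature] = SIGNATURES) -> dict:
    """Run the same traffic through each mode, as a staged deployment would."""
    summary = {}
    for mode in InlineEngine.MODES:
        eng = InlineEngine(signatures, mode)
        forwarded = sum(eng.inspect(p) for p in packets)
        summary[mode] = {
            "forwarded": forwarded,
            "alerts": dict(eng.alerts),
            "would_block": dict(eng.would_block),
            "blocked": dict(eng.blocked),
        }
    return summary


if __name__ == "__main__":
    for mode, stats in rollout(TRAFFIC).items():
        print(mode, stats)
```

The point of the simulate pass is the `would_block` counter: compared against traffic known to be legitimate (here the one-byte SSRP query, which is forwarded in every mode), it is the evidence an operator collects before switching a signature from alert to block, and only the signatures that earn that trust move to the mixed-mode drop list.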

Products abound

There is a hodgepodge of blocking-capable products. Some are more network-based, such as those from Captus Networks, ForeScout Technologies, ISS, NetScreen Technologies, Network Associates, Top Layer Networks and TippingPoint Technologies. Others are more application-layer, such as those from Cisco, KaVaDo, NetContinuum, Sana Security, Sanctum and Teros. Check Point is adapting its firewall to behave more like an IPS.

In a broad sense, they all face an uphill battle for acceptance, just as the firewall did a decade ago when it was decried as a hindrance to network traffic and application access.

"For those using IPS, by the time they've mastered the subject of blocking, they're being blamed for everything," says John Dias, security analyst at Lawrence Livermore National Laboratory in Livermore, Calif., which is testing the NetContinuum appliance for use in a future Department of Energy portal based on Web services and Oracle applications.
