Network-based intrusion-prevention systems are in-line devices intended to detect and block a wide variety of attacks, but the equipment still is often used more like an intrusion-detection system to passively monitor traffic, new research shows.
Infonetics Research interviewed 169 security professionals responsible for managing IPS in their organizations to find out whether the full functionality of the IPS filters for blocking attacks was actually used, and the reasons why if not. The study, commissioned by IPS vendor TippingPoint, included its product, as well as those from Cisco, IBM, McAfee and Sourcefire.
“People are still very cautious with IPS,” says Jeff Wilson, principal analyst for network security at Infonetics. “My main impression is we are still not in an all-IPS world, as much as everyone would like to pretend we are.”
Cisco is the dominant vendor in IPS, and the survey reflected that, with 77 Cisco IPS customers, along with 38 TippingPoint customers, 36 IBM ISS Proventia customers, 26 McAfee IPS customers and 15 Sourcefire IPS customers -- which all offered detailed descriptions of how they use IPS in their companies. The average size of each company was 9,418 employees.
The first step in IPS is typically the decision to use it in-band or not, and Infonetics found that 91% of TippingPoint customers did so, along with 70% of Cisco customers, 67% of IBM and McAfee customers and about 55% of Sourcefire customers.
Reasons cited for not wanting to run IPS in-band were reliability, throughput, traffic latency and false positives.
For those using IPS in-band, the next step is deciding how many of the device’s available filters to activate in order to block different types of attack traffic. The survey found that those using IPS in-line often didn’t apply all the filters in blocking mode, but sometimes ran them simply in alert mode. Blocking filters were applied far more often in TippingPoint and IBM equipment, and much less often in Sourcefire equipment. In IBM, Cisco and McAfee equipment, blocking and alert-only filters were activated about half-and-half, in a mixed mode.
According to the survey, filter updates offered by vendors are applied 40% to 74% of the time, depending on the product.
As to why customers may be reluctant to apply new filters, independent analyst Richard Stiennon, who has seen the survey results, said IPS customers typically analyze filter updates in a lab before deploying them. Sometimes the filter signatures can “break the applications or block protocols,” Stiennon says. “Sometimes they’re not deployed.”
Stiennon -- who created some controversy five years ago while a Gartner analyst when he declared IDSs “dead” -- says this Infonetics survey gives him fuel to fan the flames of criticism once again.
“IDS should be dead because it’s still a failed technology,” Stiennon says, expressing the view that simply logging alerts about attacks is almost always a pointless exercise. “IPS equipment should be doing more to block attacks.”
He also says the TippingPoint equipment was purposely built to be an in-line IPS device but the Cisco equipment was not. Jeff Wilson from Infonetics also agrees that the Cisco IPS is not designed to be in-band and although Cisco is the market leader in IPS, Cisco “has the lowest overall usage of their platform as a true IPS in blocking attack traffic.”
Comments (9)
Set-n-forget "Technology Solves All Problems"....not really.
By Smithwill on September 23, 2008, 12:55 pm
It's not surprising that companies don't get the maximum benefit from technology. Sadly, the customer tends to believe all the marketing hype and simply assumes...
Not true
By Anonymous on September 24, 2008, 1:42 pm
The Tippingpoint performs very well in the set-and-forget model. It is just that the other vendors products, like Cisco and IBM/ISS, came from IDS technologies....
Set & Forget at your own PERIL!
By Smithwill on September 24, 2008, 5:59 pm
Again, my point is that it's a fallacy that any automated control technology can address 100% of the situations it faces. It can't. All these solutions work on...
Time to get over stale preconceptions
By Joe Levy on September 25, 2008, 9:02 am
It will take time for the industry to get over negative first impressions with early generations of IPS. Current offerings built on multi-core platforms provide...
Preconceptions, indeed.
By Smithwill on September 25, 2008, 2:21 pm
ANY, and I do mean ANY, piece of technology deployed as a means to control network traffic is "AT BEST" only going to address the low hanging fruit. Not that this...
You all make valid comments ......
By Lardinio on September 26, 2008, 11:32 am
Let's try and break this down a bit, utilising comments made by others, and restore a bit of clarity. 1) IDS is as good as a security camera in a bank if the...