Building an IDPS without big iron

By Livio Ricciulli, president and chief scientist at MetaFlows Inc., special to Network World
February 13, 2012 01:56 PM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Companies seeking to deploy intrusion detection and prevention systems (IDPS) for network security have traditionally had to rely on proprietary appliances that cost from $15,000 to $50,000. That puts IDPS out of reach for many small to midsize companies, but SaaS-based alternatives might fit the bill.

In fact, SaaS solutions address some of the key limitations of hardware-based network security products, including:

* Excessive numbers of false positives, and a lack of support for analyzing the large volumes of security events they generate. Because networks and networked applications continuously change and evolve, it is practically impossible to devise a static expert system that reliably distinguishes legitimate from malicious intent. To illustrate how difficult this is in a more familiar context, imagine a medical diagnosis expert system that would need to learn new diseases every week, each of which mutates and develops new symptoms every few days. This is why event correlation is hard, and why IDPS today are mostly relegated to logging data for forensic analysis.

* Difficult to configure, provision, and tune. Network security devices need to be adapted to a wide range of accepted network usage policies and network reconfigurations. For example, music file-sharing applications might be acceptable within a university network but not acceptable in a law office. Many network security devices require continuous updates to heuristic and topological information to be effective, thus making their management a huge burden.

* Inability to detect and prevent attacks that originate from within the organization. It is reported that the most damaging intellectual property loss and fraud results from malicious activity by internal employees. Unfortunately, current network security systems are limited in scope: they inspect only traffic crossing the Internet gateway and leave internal, host-to-host traffic unwatched.

* High cost. A typical network security device costs $15,000-$50,000 per gigabit per second of inspected bandwidth in capital expenditure. The hardware quickly becomes obsolete as the bandwidth to be analyzed keeps growing, forcing costly equipment refresh cycles. In addition, many businesses are priced out of this market by the high cost of hardware and software maintenance updates.

New, SaaS-based models for delivering IDPS functionality provide the ability to run IDPS software on off-the-shelf hardware or cloud instances. Under this model, the software is purchased by monthly or annual subscription, thus eliminating the high capital cost of a dedicated appliance.

A SaaS-based system consists of a downloadable sensor that monitors traffic on the internal network (it must sit on a span port or tap that actually sees the internal, host-to-host traffic, not just the Internet gateway), a cloud-based correlation engine that analyzes and correlates the security events the sensors report, and a browser-based console, reached over a secure connection, in which the security administrator views and analyzes the results.
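As an added example of the correlation step such a cloud engine performs (this is illustrative code written for this article, not MetaFlows' software; the sensor record format, the internal address range, the alert weights, the window and the threshold are all assumptions), the script below takes alerts as a sensor might ship them and raises a finding only when independent attack stages converge on the same internal host, so that a flood of identical scan alerts never becomes a finding by itself:

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of what a sensor might ship to the correlation engine,
# one alert per line: unix_ts|src_ip|dst_ip|event_kind|signature_name.
# The format, addresses and signature names are assumptions for this example.
SENSOR_OUTPUT = """\
1329158400|203.0.113.4|10.0.0.5|scan|ET SCAN Nmap TCP
1329158410|203.0.113.4|10.0.0.5|scan|ET SCAN Nmap TCP
1329158500|203.0.113.4|10.0.0.5|exploit|ET EXPLOIT generic overflow
1329158700|10.0.0.5|198.51.100.7|c2_beacon|ET TROJAN HTTP beacon
1329158400|203.0.113.9|10.0.0.7|scan|ET SCAN Nmap TCP
1329158405|203.0.113.9|10.0.0.7|scan|ET SCAN Nmap TCP
1329158409|203.0.113.9|10.0.0.7|scan|ET SCAN Nmap TCP
1329158400|203.0.113.4|10.0.0.9|exploit|ET EXPLOIT generic overflow
1329160500|10.0.0.9|198.51.100.7|c2_beacon|ET TROJAN HTTP beacon
"""

INTERNAL_PREFIX = "10."   # assumed address space of the monitored network
WINDOW_SECONDS = 600      # correlation window; assumed value
THRESHOLD = 6             # assumed; chosen so no single alert kind reaches it
WEIGHTS = {"scan": 1, "policy": 1, "exploit": 3, "c2_beacon": 4}


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    kind: str
    sig: str

    @property
    def internal_host(self) -> str:
        """The monitored-network endpoint of the alert, whichever side it is on."""
        return self.src if self.src.startswith(INTERNAL_PREFIX) else self.dst


def parse_sensor_output(text: str) -> list:
    """Parse the pipe-separated sensor records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, kind, sig = line.split("|", 4)
        events.append(Event(int(ts), src, dst, kind, sig))
    return events


def correlate(events, window=WINDOW_SECONDS, threshold=THRESHOLD) -> list:
    """Raise one finding per internal host whose alerts, taken together, cross
    the threshold inside a sliding window.  Each alert kind is counted once,
    so a burst of 1,000 scan alerts scores the same as one: volume alone is
    not evidence, but independent stages of an attack on one host are."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.internal_host].append(ev)

    findings = []
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            seen = {}  # kind -> first signature that contributed it
            for ev in evs[i:]:
                if ev.ts - anchor.ts > window:
                    break
                seen.setdefault(ev.kind, ev.sig)
            score = sum(WEIGHTS.get(k, 0) for k in seen)
            if score >= threshold:
                findings.append({
                    "host": host,
                    "score": score,
                    "kinds": sorted(seen),
                    "evidence": seen,
                    "window_start": anchor.ts,
                })
                break  # one finding per host is enough for an analyst queue
    return findings


if __name__ == "__main__":
    for f in correlate(parse_sensor_output(SENSOR_OUTPUT)):
        print(f"{f['host']}: score {f['score']} from {f['kinds']}")
```

With the constructed input, only 10.0.0.5 produces a finding (scan, exploit and outbound beacon within five minutes); 10.0.0.7 is scanned repeatedly but never scores above 1, and 10.0.0.9's exploit and beacon fall outside the window of each other. In a real deployment the weights and window would be tuned per network, which is exactly the provisioning burden the article describes moving from the appliance to the hosted engine.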

