Senior Editor, Network World

Adoption of IPS increasing, cautiously

Nov 17, 2003
Network Security

Blocking attacks with intrusion-prevention systems rather than simply monitoring for them with intrusion-detection systems is slowly gaining ground inside corporations and government agencies, despite worries about disrupting legitimate traffic.

But many organizations don’t use the full blocking capability of these products, whether they install them in a firewall-based Internet zone or deep inside a corporate LAN. To gain confidence that blocking won’t backfire on them with false positives, organizations are running the IPS in what’s called mixed or bridge mode. This lets them block a portion of attack traffic, such as computer worms, while the IPS otherwise works like an in-line IDS.

“Don’t switch to the blocking in the IPS until you really need it, say, to block worms like SQL Slammer,” advises Lloyd Hession, chief security officer for Radianz, whose global network connects about 5,000 financial firms around the world. “These devices become a lightning rod inside an organization, and it’s typical to blame the IPS for any problem.”

Radianz has used an IPS inside its network for more than three years, in this case a software-based product called Guard made by Internet Security Systems (ISS). Hession says he’s migrating from the Guard equipment to the ISS Proventia G200 appliance, scheduled to ship next week. Unlike Guard, the 200M bit/sec Proventia G200 can work in mixed mode, simultaneously blocking and monitoring. It also can be set up as a passive IDS.

Tips for using IPS products
Initially use an IPS in mixed mode — that is, with both active blocking and passive intrusion detection — to gain confidence that it won’t block legitimate traffic.
Make sure the IPS is flexible enough for custom-designed attack prevention.
Do both lab and production tests before full deployment.
If the selected network IPS works out, experiment using it without a firewall or IDS.
Prepare to face situations where, because of its novelty, the IPS will be the scapegoat for any number of network and application problems.

Out of the box, the $12,000 Proventia G200 is set to ban 100 threats, such as worms, peer-to-peer traffic, Trojans and instant messaging. But it also can be set up for in-line simulation, reporting on what it would have blocked if it had been allowed.

Products abound

There is a hodgepodge of blocking-capable products – some are more network-based, such as those from Captus Networks, ForeScout Technologies, ISS, NetScreen Technologies, Network Associates, Top Layer Networks and TippingPoint Technologies. Others are more application-layer, such as those from Cisco, KaVaDo, NetContinuum, Sana Security, Sanctum and Teros. Check Point is adapting its firewall to behave more like an IPS.

In a broad sense, they all face an uphill battle for acceptance, just as the firewall did a decade ago when it was decried as a hindrance to network traffic and application access.

“For those using IPS, by the time they’ve mastered the subject of blocking, they’re being blamed for everything,” says John Dias, security analyst at Lawrence Livermore National Laboratory in Livermore, Calif., which is testing the NetContinuum appliance for use in a future Department of Energy portal based on Web services and Oracle applications.

Dias, who’s also active within the Organization for the Advancement of Structured Information Standards group defining XML-based standards, says the completion of the Application Vulnerability Definition Language (AVDL), which likely will occur early next year, will help IT managers use application-layer IPSs.

“AVDL will allow you to write your own rules for scanners, which in turn will let you write rules for allowing traffic through your application,” Dias says.

In the meantime, some network executives who have deployed IPSs wonder what the false-positives fuss is all about.

Patelco Credit Union in San Francisco, which has 200,000 customers using its online home-banking application, deployed earlier this year the ForeScout IPS appliance in front of its firewall – a move that stopped the Blaster worm in its tracks.

“It blocks everything it sees as hostile, and we’ve never had a problem with it blocking legitimate traffic,” says John Shields, senior vice president of e-commerce. However, Patelco first started using the ForeScout appliance in monitor mode, only adding blocking once the IT department gained confidence in the product.

Dias and Shields say IPSs should be flexible enough to allow for customization. For instance, Patelco can configure ForeScout to recognize scanning from an outside service that checks the quality of network and application availability periodically.

When first using an IPS, companies tend to limit use to the mixed mode of blocking some and monitoring some. This is the case at the Web site, which earlier this month started using the TippingPoint IPS appliance.

“There are some things, such as [Internet Control Message Protocol] messages, that I just want to be notified about,” says Carlton Houston, the Web site’s security specialist. He says he likes that TippingPoint can capture suspicious datastreams for later review.
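As an added illustration (not part of the article and not any vendor’s product code), the deployment choices described above, per-rule blocking in mixed mode, in-line simulation that only reports what would have been blocked, notify-only handling of ICMP, and a pass-through exception for a trusted external availability scanner, as a small Python decision function; the rule names, addresses and events are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample events, not captures from any organization in the article.
@dataclass(frozen=True)
class Event:
    src: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    signature: str  # name of the matched detection rule, "" if none matched

# Each rule carries its own action; this per-rule split is what "mixed mode"
# means here: worm signatures are blocked, ICMP sweeps only raise an alert.
RULES = {
    "worm.sql-slammer": "block",
    "worm.blaster": "block",
    "scan.portscan": "block",
    "icmp.sweep": "alert",
}

# Hypothetical exception: the outside service that periodically checks
# availability (the Patelco case) must not be blocked when it scans.
TRUSTED_SCANNERS = [ip_network("192.0.2.0/29")]  # TEST-NET-1, constructed

def decide(event: Event, mode: str) -> str:
    """Return 'pass', 'alert', 'block' or 'would-block' for one event.

    mode: 'monitor'  - in-line IDS, never blocks anything
          'simulate' - in-line simulation, reports what would have been blocked
          'mixed'    - blocks rules marked 'block', alerts on the rest
    """
    if not event.signature:
        return "pass"
    if any(ip_address(event.src) in net for net in TRUSTED_SCANNERS):
        return "pass"
    action = RULES.get(event.signature, "alert")
    if action != "block" or mode == "monitor":
        return "alert"
    return "would-block" if mode == "simulate" else "block"

def run(events, mode: str) -> dict:
    """Tally verdicts for a batch of events under the given mode."""
    tally = {}
    for ev in events:
        verdict = decide(ev, mode)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally

SAMPLE = [  # constructed traffic, RFC 5737 documentation addresses
    Event("203.0.113.7", "udp", 1434, "worm.sql-slammer"),
    Event("203.0.113.9", "tcp", 135, "worm.blaster"),
    Event("198.51.100.4", "icmp", 0, "icmp.sweep"),
    Event("192.0.2.3", "tcp", 443, "scan.portscan"),  # trusted scanner
    Event("198.51.100.8", "tcp", 443, ""),            # ordinary traffic
]
```

Running the same batch in monitor mode first and comparing its alerts with the simulate tally is the confidence-building step the article’s sources describe before switching on blocking.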

Even though some IPSs could replace an IDS and firewall, corporations are hesitant to stop buying the other products. “We’ll continue to use IDS and firewalls,” Houston says. “We use the Lancope StealthWatch, and it’s one of our best intelligence tools.”

But Radianz’s Hession says one reason he’s looking forward to fully rolling out ISS’ Proventia G200 is that he probably will be able to stop buying Layer 2 firewalls. “I’ll save a fortune,” he says.

False positive?

The issue of false positives is likely to dog IPS as it has IDS. However, companies are also likely to make some interesting discoveries using IPS.

That’s what happened at medical analysis equipment manufacturer Osmetech in Roswell, Ga., which has been beta-testing the 100M bit/sec Proventia M50 appliance from ISS.

According to Dax Sharpe, Osmetech’s IT manager, the IPS kept blocking one remote user trying to access Osmetech’s network via a VPN. While the IT staff first wondered if the IPS was to blame, it turned out the user’s laptop was infected with about 50 viruses, worms and Trojans, which were trying to attack Osmetech’s intranet.

“Everyone has the false-positive scare going on,” Sharpe says, although sometimes IPS products show that problems are positively real.