‘Intrusion prevention’ raises hopes, concerns

New intrusion-detection systems that go beyond monitoring attacks to actually blocking them have network executives intrigued, but some worry that the devices could quash legitimate traffic, cause network latency and present a single point of failure.

Unlike traditional IDS products that stay out of the way of network traffic, passively monitoring the traffic going by and leaving the blocking of attacks to routers or firewalls, these new “intrusion-prevention” systems inspect traffic directly as it makes its way from outside a corporate LAN to end users’ desktops.

The latest vendors to air plans for such intrusion-prevention appliances are Top Layer Networks and Sourcefire. Top Layer, which already makes a variety of network security devices, next week plans to announce appliances focused on HTTP Port 80 attacks, computer worms and other signature attacks it says companies will not hesitate to block. Separately, Sourcefire Founder and CTO Martin Roesch – who has commercialized the Snort intrusion-detection freeware he developed – divulged that the company is readying an intrusion-prevention device for early next year. These companies follow others such as Internet Security Systems (ISS), IntruVert, NetScreen Technologies and TippingPoint Technologies into the market.

For organizations seeing no slowdown in attacks, it may be hard to pass up new offerings despite reservations being expressed.

“Passive monitoring just wasn’t accomplishing anything,” says Stephen Olsen, IT director at The Las Vegas Review Journal, which has used the NetScreen IDP-100 to guard its multimegabit Internet access connection. But the Review is using the product to block only a modest portion of known attacks because of concern about dropping legitimate traffic for the Web sites the publication manages.

With the FBI’s help, the Review is chasing down and prosecuting a hacker who had attacked the publication via the Internet. The IDP-100-generated report helped provide evidence about the hacker’s activity, although the strongest evidence probably came from packets originating from the hacker’s IP address that weren’t blocked as opposed to those that were, Olsen says.

Such issues will come to the forefront as more companies try intrusion prevention.

“If you have critical traffic flowing through critical ports, you have to be concerned about the potential of false positives,” says Lloyd Hession, chief security officer at Radianz in New York, which uses the ISS Guard blocking appliance in a fail-safe mode on certain segments of the global IP network it runs for 5,000 financial firms. “With in-line intrusion detection, the real danger is that you’ve added an extra hop, increasing latency and introducing a single point of failure.”

Hession says that while the Guard product has proven its worth by shutting out the Nimda worm, among others, he’s not ready to make intrusion prevention ubiquitous on the Radianz network, given the sensitive nature of the data flowing across it.

“There are latency issues with these devices,” he says. “You add a significant delay when you bring one of these into your network.”

Still, users say the risks involved with moving to the new products are acceptable given the shortcomings of traditional IDS products, which send alerts signaling that any of the more than 1,000 known attacks or denial-of-service (DoS) dangers might now be at a company’s door.

“If you have to wait for a router or firewall to stop some of these attacks, you’re lost,” says Chris Da Silva, network manager at California State University at Hayward, which is installing IntruVert’s IntruShield in front of a firewall to help protect an OC-12 used for Internet access. DoS attacks have blasted routers and firewalls off-line too frequently, he says.

“These first-generation devices could just sit in passive mode, waiting,” says Jim Graves, vice president of IT at the Englewood, Colo., real-estate investment firm Archstone-Smith, which a month ago installed TippingPoint’s intrusion-detection appliance to monitor and actively block suspicious traffic over three T-1s. “We were skeptical at first about intrusion prevention. But so far the TippingPoint device has been stable, blocking thousands of known attacks.”

Graves says Archstone-Smith blocks 720 known attacks and counted about 500 blocks per day. He has yet to see any evidence that legitimate traffic is being filtered inadvertently.

In the past, Archstone-Smith used passive-monitoring IDS products, including Cisco’s, with software programmers writing access-control scripts so the IDS could send instructions to the firewall and router to block suspicious traffic. Using TippingPoint has eliminated script writing.

But Graves acknowledges that using in-line intrusion prevention brings the risk that when the device fails for whatever reason, the entire segment to which it is connected could be disrupted.

“It’s a single point of failure, and you then have to unplug it,” he says. But TippingPoint, like other vendors, is said to be working on clustering capabilities to address such concerns.