IDS mailing list archives
RE: Intrusion Prevention Systems
From: "Andrew Plato" <aplato () anitian com>
Date: Wed, 30 Oct 2002 14:29:10 -0800
From: Stephen P. Berry [mailto:spb () meshuggeneh net]

The way I see it (and by `see' here I mean `grossly simplify for the sake of the argument'), there are two main flavours of machine you might want to protect with one of these gimcracks:

- Critical services. I.e., a company's online store or something like that. If this thing goes down, some marketing droid immediately appears in your office/cube, and starts reciting figures about how the company starts losing nineteen megadoubloons a fortnight during outages. So this is the stuff you're really worried about.

- Random desktops. I.e., everything else. The mean time between outages depends on when the lusers last took their medication, and someone else fields the calls for this stuff.
I would agree with your assessment, Stephen. However, I think we need to differentiate Network-based IPS (NIPS) from Host-based IPS (HIPS). I don't think we'll be seeing those acronyms on any marketing brochures anytime soon. :-)

NIPS are usually in-line firewall/IDS hybrids that can defend systems en masse. HIPS are usually software that can react to funny behavior and defend the system (usually using some kind of firewall or TCP kill).

I see NIPS products like Guard as "special-use" systems designed to offer a "special" layer of protection to critical systems or systems that are prohibitively difficult to individually secure. The examples I like to point out are:

1. Critical mainframes: These systems are often the lifeblood of financial organizations, yet lack a lot of security mechanisms, as they are complex and use arcane software. An IPS in front of one of these systems can help defend it from random attacks or even snooping employees.

2. Critical segments: I have one client that has a big bank of Linux clustered machines. These are highly complex systems that have a very specific purpose. Due to the complexity of these systems, it is prohibitively difficult to secure each machine individually. Therefore, a Guard unit can be slapped in front of the entire segment and help defend the entire cluster.

3. Temporary defense: Another usage of IPS is in a temporary defense situation. For example, one customer has a DMZ where they are deploying web applications. They need to test and evaluate the use of these applications across the Internet but fear hacks while those systems are in testing. An IPS can offer a temporary defense layer that can analyze what is coming in and help harden those applications from attack.

What these products are NOT is a replacement for a firewall or IDS. They are just another option admins can use to help make a network more resistant and resilient to intrusion.

HIPS is a whole different story. In some respects, HIPS is a bit easier to handle and has had more success. Entercept, for example, has done quite well with their behavior-based IPS solutions. ISS of course has RealSecure Server Sensor and Desktop Protector, which are essentially IPS products. Where HIPS goes astray is when people mix up HIPS with the "personal firewall" market. A HIPS product like Entercept is NOT a personal firewall like ZoneAlarm or Tiny. Zone is a big, dumb lock for home users to feel cozy that their DSL isn't being hacked by script kiddies. It is not an IPS.
Now I'm not suggesting that it's worthless or -harmful- to deploy an IPS in such a situation---just that there isn't much to justify the pain and expense of such a deployment. If this is -not- the case, then I'd submit that you've probably made a nonzero number of GCEs in the implementation of your network.
There is pain with an IPS installation. But there is pain ANYTIME you change the dynamics of a network. This is why IPS has to be considered and implemented carefully. But you could say that about any new or emerging technology. Early adopters are going to feel more pain, but they will also be ahead of the curve. The expense can be justified if you consider that it delivers a level of peace of mind. Although there are always ways to thwart these technologies, they do offer a greater degree of security than if they weren't there at all. That translates into some peace of mind, which...however intangible or questionable...has value.

__________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
_______________________________
Current thread:
- Intrusion Prevention Systems Andrew Plato (Oct 28)
- Re: Intrusion Prevention Systems Stephen P. Berry (Oct 30)
- <Possible follow-ups>
- RE: Intrusion Prevention Systems Andrew Plato (Oct 31)
- Re: Intrusion Prevention Systems roy lo (Oct 31)
- Re: Intrusion Prevention Systems roy lo (Oct 31)
- Re: Intrusion Prevention Systems roy lo (Oct 31)
