
6/16/2010 07:03 PM
The Next-Generation IPS

Intrusion prevention systems get closer to the client -- and, in some cases, further from the internal network

The network IPS isn't like the firewall -- it's not a must-have security device found in almost every enterprise network. Even so, today's intrusion prevention system is still gaining new features and becoming more tightly integrated into the security infrastructure.

The IPS is sharing more traffic attack data with the firewall and gaining virtualization features, horsepower, and enhancements to become more application-aware, as well as to help secure client machines. Compliance has helped keep the IPS alive and well, despite predictions of its demise over the years.

And it could be the federal government that gives IPSes a big boost: The U.S. Department of Homeland Security is currently testing an IPS called EINSTEIN 3 that could eventually be deployed across all executive branch civilian networks. Even so, some security experts remain skeptical about the IPS finding a real home in the enterprise.

"We definitely do not see more organizations deploying IPS," says Thomas Ptacek, principal with Matasano Security. "If you ask a network penetration tester what security technology they actually think about when breaking into a remote network, 'firewall' will be the first thing they say. I'd be surprised if they say 'IPS' at all."

The intrusion detection system (IDS), which spits out event alarms but doesn't take action on them like an IPS does, is still more likely to be sitting in an enterprise network than an IPS. Ptacek says the IDS is less invasive to the network architecture "because you don't have to rearchitect your network to deploy them, and you can outsource their management to third parties." IPSes change the way traffic is routed in a network, he says, and third parties can't necessarily control those devices.

Meanwhile, IPS vendors aren't exactly leaving the device dead in the water. They are rolling out new features that let the IPS share with other security tools and operate in more places around the network. IDS/IPS maker Sourcefire, for instance, today announced its IPS packet-event analysis has been integrated with Solera Networks' forensics software. This lets investigators see every packet before, during, and after an attack. Steve Shillingford, president and CEO of Solera, likened this new instant replay feature to "a DVR or surveillance for their network."

Virtual IPSes, as well as support for virtualized environments, are popping up as well. Steve Piper, senior director of products at Sourcefire, says virtual IPS requirements are on the rise, in part, due to PCI's guidelines for virtualization. Sourcefire's VMware and XEN virtual IPSes are aimed at cloud computing environments, he says. "Now an MSSP [for example] can have five clients and five VMs on one box with all the data as segmented. The IPS will be able to leverage virtualization and protect them as well," he says.

Like firewalls, IPSes are starting to recognize application services. Sourcefire recently added detectors for applications and HTTP services in the latest version of its IPS software, and HP TippingPoint's IPSes can see what application is running by inspecting the traffic, says Greg Adams, director of security product management for HP TippingPoint. "We're seeing the trend moving in that direction -- is Facebook allowed," etc., he says. "You have to have visibility and have to connect users and policy. At the end of the day, it's really about connecting users and data."

In the same vein, the next generation of IPSes will be more client security-driven, IPS vendors say. Pentti Lehtinen, technical architect at Stonesoft Americas, says IPSes first moved from just the perimeter to inside to protect email and other corporate servers. Now the IPS is moving deeper inside as another layer to protect against client-side attacks, he says.

"This means the IPS needs to have SSL inspection ... It needs to look inside HTTP-S traffic," Lehtinen says. "And it needs to understand peer-to-peer communications."

Client-side IPS protection requires more scalable bandwidth than server-side, he says. "On the server side, we know how much bandwidth -- it's controlled. But the amount of traffic on the client side is increasing all the time."

The IPS should support the inspection of traffic running in IPv6, which is enabled in Windows 7 and newer versions of Linux, Lehtinen says. "Hackers may use IPv6 to communicate inside an organization, so the IPS needs to understand and see inside IPv6 connections," he says.

And the cloud is playing a bigger part in the IPS' deployment. Econet's Sentinel IPS uses what it calls "collective intelligence" -- similar to the way antivirus vendors anonymously gather threat and attack intelligence from their customers' networks so they can respond to threats with new signatures more quickly. The company's IPS sits outside the firewall.

David Lissberger, president of Sentinel IPS, says his firm's IPS approach is different from others in that it runs the IPS operations for its clients, mainly state and local governments as well as the feds. "We manage and make sure the device is working properly," he says. "It's difficult for a traditional IPS vendor to utilize their collective installed base because they don't control the devices [like we do]."

Sentinel IPS is currently working on a project with state government agencies to manage and track IP reputations in real time from the cloud. "We hope to develop a cloud of IP addresses that shouldn't be talking to networks," Lissberger says. It will be based on the CI information gathered by Sentinel's IPSes, which make the networks "invisible" to attackers once a threat is detected, he says.

One county government agency CSO who runs the Sentinel IPS says he uses an IPS because firewalls are not "the be-all, end-all."

"Everyone is 'knocking' on our door all the time," he says. "If [the IPS] finds malicious traffic, like a SQL injection, coming from the outside, it drops the traffic. There's no packet resend ... and any other packets from that IP address are dropped. We go dark to the bad guy."

He says he could get a similar function with Sourcefire IPS and other tools, but those tools tend to be for running inside the internal network. "Sentinel literally runs outside, between my network and the perimeter router. It doesn't even get [bad traffic] to my firewall, so the amount of work for my firewall goes way down," he says.
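The drop-and-blocklist behaviour the CSO describes above (drop the offending packet without a reset, then drop everything else from that source), together with Lehtinen's point that the device must inspect IPv6 as well as IPv4 sources, in a short simulation. This is an added example, not code from the article, from Sentinel IPS or from any other vendor named here; the signature set, the "internal" prefixes and the sample traffic are all constructed for the illustration, and a real IPS decodes protocols and carries a maintained rule set rather than two regexes over a payload string.

```python
"""
Simulation of the "go dark" inline-IPS policy described in the article.

Added illustration, not the article's or any vendor's code. The signatures,
the internal prefixes and the traffic below are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Crude SQL-injection signatures, constructed for the example only.
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),
    "sqli-union": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

# Prefixes treated as "inside". The device sits between the perimeter router
# and the firewall, so traffic from these sources is out of its scope. Constructed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("fd00::/8")]


@dataclass
class Packet:
    src: str       # source address, IPv4 or IPv6 text form
    dst: str
    payload: str   # application payload, assumed already reassembled


@dataclass
class InlineIPS:
    internal_nets: list
    blocked: set = field(default_factory=set)   # sources that have "gone dark"
    events: list = field(default_factory=list)  # (signature, source) per detection

    def _is_external(self, addr):
        # ipaddress handles both families; an IPv6 address is never "in" an IPv4 net.
        return not any(addr in net for net in self.internal_nets)

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, updating blocklist state."""
        src = ipaddress.ip_address(pkt.src)  # parses v4 and v6 alike
        if src in self.blocked:
            # Once a source is blocked, everything from it is dropped silently:
            # no reset, no reply, and no further alerts for that source.
            return "drop"
        if not self._is_external(src):
            return "forward"
        for name, pattern in SIGNATURES.items():
            if pattern.search(pkt.payload):
                self.blocked.add(src)
                self.events.append((name, pkt.src))
                return "drop"  # the matching packet is dropped, not reset
        return "forward"

    def process(self, packets):
        return [self.inspect(p) for p in packets]


# Constructed traffic: one IPv4 attacker, one IPv6 attacker, one internal host
# whose payload would match but is out of scope, and two benign external hosts.
TRAFFIC = [
    Packet("203.0.113.7", "10.0.0.5", "GET /index.html HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    Packet("203.0.113.7", "10.0.0.5", "GET /about.html HTTP/1.1"),
    Packet("2001:db8::42", "2001:db8:1::5", "GET /search?q=x UNION SELECT 1,2 HTTP/1.1"),
    Packet("10.0.0.9", "10.0.0.5", "GET /report?id=1' OR '1'='1 HTTP/1.1"),
    Packet("198.51.100.2", "10.0.0.5", "GET /contact.html HTTP/1.1"),
]


def run_demo():
    """Run the constructed traffic through a fresh IPS; returns (verdicts, events)."""
    ips = InlineIPS(internal_nets=INTERNAL_NETS)
    verdicts = ips.process(TRAFFIC)
    return verdicts, ips.events


if __name__ == "__main__":
    verdicts, events = run_demo()
    for pkt, verdict in zip(TRAFFIC, verdicts):
        print(f"{verdict:7} {pkt.src:15} {pkt.payload}")
    print("detections:", events)
```

The third packet from 203.0.113.7 is an ordinary page request, yet it is dropped: that is the point of the policy, and also its cost, since a shared or NATed source address that trips one signature takes every user behind it dark with it. The internal host's matching payload is forwarded untouched, which is why the CSO pairs this device with an internal IPS such as Sourcefire rather than replacing one with the other.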


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
