Intrusion prevention systems get closer to the client -- and, in some cases, further from the internal network

The network IPS isn't like the firewall -- it's not a must-have security device found in most every enterprise network. Even so, today's intrusion prevention system is still gaining new features and becoming more tightly integrated into the security infrastructure.

The IPS is sharing more traffic attack data with the firewall and gaining virtualization features, horsepower, and enhancements to become more application-aware, as well as to help secure client machines. Compliance has helped keep the IPS alive and well, despite predictions of its demise over the years.

And it could be the federal government that gives IPSes a big boost: The U.S. Department of Homeland Security is currently testing out an IPS system called EINSTEIN 3 that could eventually be deployed across all executive branch civilian networks. Even so, some security experts remain skeptical about the IPS finding a real home in the enterprise.

"We definitely do not see more organizations deploying IPS," says Thomas Ptacek, principal with Matasano Security. "If you ask a network penetration tester what security technology they actually think about when breaking into a remote network, 'firewall' will be the first thing they say. I'd be surprised if they say 'IPS' at all."

The intrusion detection system (IDS), which spits out event alarms but doesn't take action on them like an IPS does, is still more likely to be sitting in an enterprise network than an IPS. Ptacek says the IDS is less invasive to the network architecture "because you don't have to rearchitect your network to deploy them, and you can outsource their management to third parties," he says. IPSes change the way traffic is routed in a network, he says, and third parties can't necessarily control those devices.

Meanwhile, IPS vendors aren't exactly leaving the device dead in the water. They are rolling out new features that let the IPS share with other security tools and operate in more places around the network. IDS/IPS maker Sourcefire, for instance, today announced its IPS packet-event analysis has been integrated with Solera Networks' forensics software. This lets investigators see every packet before, during, and after an attack. Steve Shillingford, president and CEO of Solera, likened this new instant replay feature to "a DVR or surveillance for their network."

Virtual IPSes, as well as support for virtualized environments, are popping up as well. Steve Piper, senior director of products at Sourcefire, says virtual IPS requirements are on the rise, in part, due to PCI's guidelines for virtualization. Sourcefire's VMware and XEN virtual IPSes are aimed at cloud computing environments, he says. "Now an MSSP [for example] can have five clients and five VMs on one box with all the data as segmented. The IPS will be able to leverage virtualization and protect them as well," he says.

Like firewalls, IPSes are starting to recognize application services. Sourcefire recently added detectors for applications and HTTP services in the latest version of its IPS software, and HP TippingPoint's IPSes can see what application is running by inspecting the traffic, says Greg Adams, director of security product management for HP TippingPoint. "We're seeing the trend moving in that direction -- is Facebook allowed," etc., he says. "You have to have visibility and have to connect users and policy. At the end of the day, it's really about connecting users and data."

In the same vein, the next generation of IPSes will be more client security-driven, IPS vendors say. Pentti Lehtinen, technical architect at Stonesoft Americas, says IPSes first moved from just the perimeter to inside to protect email and other corporate servers. Now the IPS is moving deeper inside as another layer to protect against client-side attacks, he says.

"This means the IPS needs to have SSL inspection ... It needs to look inside HTTP-S traffic," Lehtinen says. "And it needs to understand peer-to-peer communications."

Client-side IPS protection requires more scalable bandwidth than server-side, he says. "On the server side, we know how much bandwidth -- it's controlled. But the amount of traffic on the client side is increasing all the time."

The IPS should support the inspection of traffic running in IPv6, which is enabled in Windows 7 and newer versions of Linux, Lehtinen says. "Hackers may use IPv6 to communicate inside an organization, so the IPS needs to understand and see inside IPv6 connections," he says.

And the cloud is playing a bigger part in the IPS' deployment. Econet's Sentinel IPS uses what it calls "collective intelligence" -- similar to what antivirus vendors do to anonymously gather threat and attack intelligence from their customers' networks to help them respond with new signatures to threats more quickly. The company's IPS sits outside the firewall.

David Lissberger, president of Sentinel IPS, says his firm's IPS approach is different from others in that it runs the IPS operations for its clients, mainly state and local governments as well as the feds. "We manage and make sure the device is working properly," he says. "It's difficult for a traditional IPS vendor to utilize their collective installed base because they don't control the devices [like we do]."

Sentinel IPS is currently working on a project with state government agencies to manage and track IP reputations in real-time from the cloud. "We hope to develop a cloud of IP addresses that shouldn't be talking to networks," Lissberger says. It will be based on the CI information gathered by Sentinel's IPSes, which make the networks "invisible" to attackers once a threat is detected, he says.

One county government agency CSO who runs the Sentinel IPS says he uses an IPS because firewalls are not "the be-all, end-all."

"Everyone is 'knocking' on our door all the time," he says. "If [the IPS] finds malicious traffic, like a SQL injection, coming from the outside, it drops the traffic. There's no packet resend ... and any other packets from that IP address are dropped. We go dark to the bad guy."

He says he could get a similar function with Sourcefire IPS and other tools, but those tools tend to be for running inside the internal network. "Sentinel literally runs outside, between my network and the perimeter router. It doesn't even get [bad traffic] to my firewall, so the amount of work for my firewall goes way down," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights