No longer is a managed firewall adequate to protect a customer’s vital network and information assets. A complete security offering requires a multiple-layer approach that includes an intrusion detection or prevention solution. Service providers who provide less than a complete offering run the risk of becoming irrelevant as these additional measures become critical to enterprise security.

Firewalls and routing filter policies fail to stop many types of attacks due to their static nature – you set up the policies and they don’t change until someone physically changes them. There may be a long (hours) and convoluted process to follow between the time an attack is detected and remediation can occur. Worse, these technologies don’t check for backdoor or internal attacks that may wreak havoc throughout a network without breaking perimeter security.

Most intrusion detection systems sound an alarm when they detect anomalies in network traffic anywhere in the customer’s network. They do detect many types of attack, but unfortunately, they also sound many false alarms. One source of value-add for service providers is the ability to differentiate real attacks from false alarms and quickly act to minimize damages. Due to the large number of false alarms, however, this would be an expensive service. And it would be difficult to find a niche for it between companies with large in-house security staffs and price-sensitive small to midsized companies.

A service based on the newly emerging Intrusion Prevention Systems (IPS) may find a more fertile market. Companies such as TippingPoint, OneSecure, ForeScout and Intruvert offer systems that can autonomously drop attacking packets.
Others, such as Ingrian, focus specifically on traffic to and from Web sites.

Important to most of the IPS solutions is the availability of very high-speed processors. The processor speed allows packets to be analyzed at wirespeed. In the case of ForeScout, suspicious activity triggers the system to send information that identifies future traffic from the address as an attack. In any case, configuring the tool to ward off attacks without blocking innocent traffic is an area where service providers can save enterprises time and money.

Intrusion detection systems make use of vast amounts of information available about security vulnerabilities. The number of security incidents does not go to zero when the security flaw is repaired and notification is broadcast. New software is continually made available with known security holes. System administrators continue to configure networks in ways that fail to block known attacks.

The service provider can’t prevent an enterprise from implementing flawed software or configurations, but can be the enterprise’s champion when and if the vulnerability is exploited. A combination of a formal security policy, correctly configured router, firewall, and intrusion prevention system will provide the best protection possible to a network and its connected hosts, and offers many opportunities for service provider value-add.