Run, don't walk, toward IPS security

An intrusion detection system (IDS) won't cut it when it comes to Windows security. Author Jonathan Hassell explains why you must deploy an intrusion prevention system (IPS) ASAP.


Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are a significant growth area in the security market today -- and there's no sign of a slowdown.

Annual worldwide IDS/IPS product revenue is projected to grow rapidly through 2007, when it will reach $972 million, according to Campbell, Calif.-based Infonetics Research. Yet one of these tools is far more crucial to the success of your Windows security efforts than the other -- and you must adopt it now if you haven't already. I'm talking about IPS.

If you're not familiar with IDS and IPS, they are systems that track attempts to access a network.

IDS: The nerves

An IDS tool works in tandem with other systems you probably have deployed at the edge, including firewalls and routers, and reports to administrators when it encounters suspicious activity that may indicate or result in an intrusion. Think of this type of system like your body's nerve center, which alerts you to problems via pain.


IDS technology is based on a two-decades-old concept of monitoring Windows systems and networks. Most robust, enterprise-class firewall and routing products today include at least some functionality that reports to a monitoring system when bad things begin to happen on the wild side of the edge.

IPS: The white blood cells

An IPS tool goes one step further, identifying potential malfeasance in context so that it can, by itself, direct other systems to shut off an attack. These systems are more closely associated with white blood cells, which actually fend off intruding bacteria, viruses and the like.

IPS technology is relatively new to the scene, primarily because the sophisticated logic and communications required for these tools to make just-in-time decisions and pass commands on to sister devices has only recently become available in the mainstream.

Are we actually seeing more IPS adoption with this wider, richer offering? I don't think we are -- but we should be. Allow me to evangelize.

We have to do more. An IDS offers useful alerts, but they're like messages to the President in a Tom Clancy novel: 'A nuclear warhead is on its way to Washington. What are you going to do about it?' You have to scramble a team, most likely to scour the reports and ascertain more data than the IDS report will give you, identify the affected systems and shut out the attacker. All of this has to take place within an impossibly short amount of time before the attacker is able to cover his tracks enough that you won't be able to know what he's touched. (If you aren't sure if a cracker has been on a machine, assume he has: Guilty until proven without a doubt innocent.)

An IPS can save a lot of that effort, but the real advantage is the speed with which it can perform these actions. I can't imagine a day when security breaches will be handled without any manual intervention whatsoever, but I can predict the day when the breach itself can be stopped within a few seconds of its occurrence, relieving the response team of the urgency to wall off the affected system.

An IPS isn't perfect, but what is? It has to be customized for your specific network design; it has to be aware of what it is commanding; it has to understand the type of traffic you normally sustain; and it needs regular signature and logic updates that can be applied on the spot without disrupting it. An IPS is expensive, mainly because the processor power required to analyze and detect patterns in the traffic constantly driven at the box is not cheap, and it will give you your share of false positives.
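To make the alert-versus-action distinction concrete, here is an added illustration in Python that is not from the article: one failed-logon detector run in IDS mode, which only reports, and in IPS mode, which turns the same finding into a block command and needs a site-specific allowlist so it does not cut off a legitimate host. The hosts, events and threshold are all constructed for the example.

```python
from collections import Counter

# Constructed sample events (not real logs): (source_ip, outcome) for remote
# logon attempts seen at the edge during one minute. 10.0.0.7 is a monitoring
# host that legitimately retries often; without site-specific tuning it is
# exactly the false positive the article warns an IPS will produce.
SAMPLE_EVENTS = (
    [("203.0.113.9", "failure")] * 6
    + [("10.0.0.7", "failure")] * 5
    + [("198.51.100.4", "failure"), ("198.51.100.4", "success")]
)


def failed_logons_by_source(events):
    """Shared detection core: count failed logons per source address."""
    return Counter(ip for ip, outcome in events if outcome == "failure")


def ids_run(events, threshold=5):
    """IDS mode: report sources over the threshold; a human still has to act."""
    counts = failed_logons_by_source(events)
    return [{"action": "alert", "source": ip, "failures": n}
            for ip, n in sorted(counts.items()) if n >= threshold]


def ips_run(events, threshold=5, allowlist=frozenset()):
    """IPS mode: same detection, but the decision becomes a block command for
    downstream devices (firewall, router). The allowlist is the per-network
    customisation the article calls for; allowlisted sources fall back to an
    alert instead of a block."""
    actions = []
    for ip, n in sorted(failed_logons_by_source(events).items()):
        if n < threshold:
            continue
        if ip in allowlist:
            actions.append({"action": "alert", "source": ip, "failures": n,
                            "note": "allowlisted: alert only"})
        else:
            actions.append({"action": "block", "source": ip, "failures": n})
    return actions


if __name__ == "__main__":
    print("IDS:", ids_run(SAMPLE_EVENTS))
    print("IPS, untuned:", ips_run(SAMPLE_EVENTS))
    print("IPS, tuned:", ips_run(SAMPLE_EVENTS, allowlist={"10.0.0.7"}))
```

Running it untuned shows the IPS blocking the monitoring host as well as the attacker; the tuned run shows why the customisation step is not optional.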

An IPS may not be a panacea, but breaches are seen every day and our current solutions aren't cutting it anymore. We need to look to IPS to provide the next step in the quest to harden our systems.

ABOUT THE AUTHOR:
Jonathan Hassell
is an author, consultant and speaker residing in Charlotte, North Carolina. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro Magazine, SecurityFocus, PC Pro and Microsoft TechNet Magazine. He speaks around the world on topics including networking, security and Windows administration.
