Stopping the enemy at the gate

Over the past few years, security vulnerabilities have spiralled, writes Bloor Research analyst Fran Howarth. The CERT Co-ordination Centre, a federally-funded R&D centre operated by the Carnegie Mellon University in the US, publishes statistics of security vulnerabilities that are reported to it on an annual basis. In 1995, just 171 such incidences were brought to its attention; by 2003, that figure had risen to 3,784.

This increase in vulnerabilities is causing many companies headaches: there are just too many patches to install; users are often not adhering to policy; fast-spreading worms can create havoc in corporate networks; automated hacking tools are spreading in use; and corporates are increasingly demanding 24/7 connectivity.

Security vulnerabilities can be caused by hackers, worms and viruses attempting to exploit vulnerabilities in systems - and not only have the number of such attacks increased, but also their severity. Technology vendor Microsoft states that, whereas it previously had a timeframe of weeks to provide a patch for a system vulnerability that a hacker has exposed, it now has just a matter of hours to fix the problem. And the problem does not stop there - the SQL Slammer worm unleashed recently exploited a vulnerability for which Microsoft had already created a patch and then went on to infect more than 120,000 within days of being released, as well as disabling a network of ATM machines.

To defend against such attacks, companies are realising that a managed firewall alone does not provide adequate levels of security for business. Rather, they are looking for a complete security approach that includes a firewall, correctly set routers, anti-virus products, security policy, high-speed processors and solutions for preventing intruders.

Intrusion prevention systems (IPS) are not really a new technology, but are more an evolution from existing security technologies, including intrusion detection systems (IDS). IDSs are actually electronic surveillance products that monitor traffic patterns and compare them against known attacks. In a way similar to anti-virus products, they use signatures to recognise traffic patterns, but those signatures must be kept up to date and upgraded when new attacks are identified.

Problems with IDSs include their inability to read encrypted traffic and, with switches being increasingly deployed on networks, the extent of traffic that each IDS can monitor. As a result, companies will be obliged to vastly increase the number of IDSs deployed in order to monitor traffic on all sectors of the network. They are also plagued by the high number of false positives that are generated as they monitor traffic looking for suspicious activity.

Where IPS products come into their own is when automated remediation capabilities are added to the IDS products in use to proactively block attacks before any damage is done. IPSs do this by analysing packets of information within normal network traffic, stopping any traffic from entering the network that shows signs of suspicious activity. In this way, they act rather like deadbolts, preventing unauthorised access to a company's applications.

Within the emerging IPS market, there are two main categories of available products: host-based IPSs and network-based IPSs.

Host-based IPSs

Host-based IPSs protect servers and workstations via software agents that are placed between applications and the operating system's kernel. Based on predetermined rules that are set by an organisation based upon known attacks, they intercept system activity and either allow traffic through or block it, dependent on whether or not it conforms to the rules set. Such activities can include net network connection requests, attempts to read or write to memory, or access to specific applications.

Whilst IDSs can only protect against known attacks, host-based IPSs may be used to monitor the environment around applications, such as file locations and Registry settings, to look for types of attacks that are unknown and for which no signature of 'acceptable behaviour' has yet been written.

However, there are many downsides to host-based IPSs. Since they must be deployed on every server that is to be protected from attack, they are costly to implement and cumbersome to maintain. They must also be constantly updated to ensure that signatures have been written for all known attacks, including new worms, viruses and other vulnerabilities as they become known. Also, since they are installed on individual parts of the network, they cannot be used to prevent an organisation-wide attack aimed at the network in general, such as a denial of service attack.

Other problems are that they may block legitimate traffic if a signature has not been developed for a particular type of activity that was previously unknown. Also, since they must be installed on particular parts of the network that a company wishes to protect, they are not particularly effective at preventing attacks originating inside a network - something of particular concern to organisations.

Network-based IPSs

Network-based IPSs - sometimes known as inline IPSs - work like a typical firewall in that they are designed to prevent a network from being attacked. They intercept all network traffic, scanning it for suspicious activity and either blocking it or passing it along. Different network-based IPSs use different techniques, from scanning signatures to look for suspicious strings of bytes to looking for protocol anomalies by detecting where a packet of data is trying to perform a command not normally permitted by its data transmission protocol.

Some systems will search for suspicious activity, such as a hacker trying to enter through an open port, and will send a specially coded and tagged response - which will also identify the hacker should they try to repeat the attack. Another particular feature of such IPSs is that they can be used to scrub packets of information, rewriting the offending packet so that it will not be able to carry out its attack. This can be performed without the attackers knowledge, enabling a company to tag activity and gather evidence against a particular attacker.

Since network-based IPSs sit inline, all data packets crossing the network will need to pass through them, making them more effective than host-based IPSs for preventing attacks originating inside an organisation. However, this fact that all network traffic must pass through the IPS means that implementation of such a system may negatively impact the network's performance. As a result, some organisations are moving towards the use of appliances that support gigabit speeds, rather than software. Both hardware and software inline IPS devices are available on the market. There is also the danger that legitimate traffic that is not recognised may be blocked - potentially shutting down a customer connection and losing a company business.

The future of IPSs

Since IPSs are a relatively new technology, it is not yet certain how it will evolve. Some commentators are looking to next-generation firewall products that allow deep inspection of data packets. One of the reasons for this is that the IPSs on the market today require a great deal of effort in configuring and updating policies and signatures, leading many to doubt their usefulness. The goal for organisations is to implement a single technology that acts as a gateway to the organisation, applying security policies and protecting networks and applications from any attacks.

© IT-Analysis.com