Even though intrusion detection as a category of security tools has largely disappeared, security administrators are still struggling with the question of when intrusion detection is enough and when to go to intrusion prevention.
Intrusion detection only monitors network traffic and alerts administrators to suspicious activity. Intrusion prevention sits in-band and can actually block suspicious traffic. As intrusion prevention tools gained popularity, intrusion detection products took on some of their blocking capabilities, blurring the distinction.
“The lines that used to be there between intrusion detection and intrusion prevention have largely disappeared,” says Gary McIntyre, lead architect for security services at IBM Canada Ltd. in Markham, Ont.
That does away with the dilemma of what type of product to buy, but it only delays the decision. Once you have acquired the software, do you configure it as full-fledged intrusion prevention able to block suspicious traffic, or as essentially an intrusion-detection tool with little or no blocking enabled?
“We’re still seeing a lot of environments using devices that could do intrusion prevention but actually using them for intrusion detection,” McIntyre says. “What used to be a technical limitation is now a philosophical decision.”
At first glance the question may seem silly. If you have a security product capable of blocking an attack, why would you want it to let suspicious packets through and just send an alert? As the saying goes, you don’t buy a dog and then bark yourself.
Richard Stiennon thinks that’s the right way to look at it. Now chief research analyst at his own Birmingham, Mich., research firm, IT-Harvest, Stiennon was an analyst with the prominent IT consulting firm Gartner Group Inc. when, a few years ago, he declared intrusion detection dead. He still considers it a failed technology. “A dollar spent on IDS is a dollar wasted,” Stiennon says.
That applies whether you’re acquiring a product that can’t block suspicious traffic — though those hardly exist any more — or acquiring one that can but using it in an alert-only mode. By the time a security staffer gets an alert and takes action, Stiennon says, the machine under attack probably is already compromised. And if you simply monitor traffic and generate alerts when something looks dangerous, security staff must spend time checking out those alerts.
As customers automate prevention, “they can move their resources around to do more valuable things,” argues James Collinge, director of product line management at IPS vendor TippingPoint, a unit of 3Com Corp. in Marlboro, Mass.
It works for the Toronto-based Independent Electricity System Operator (IESO), which manages Ontario’s electricity market and infrastructure. The IESO implemented TippingPoint about six months ago, says Ben Blakely, information security officer, running it in alert-only mode for a brief trial period and then moving to full IPS mode.
“We haven’t even had a false positive yet,” Blakely says, and the approach avoids taking up valuable staff time looking at alerts.
Sounds entirely reasonable, so why did a study conducted for TippingPoint earlier this year by Campbell, Calif.-based Infonetics Research find that just under three quarters of surveyed organizations actually used the full power of their IPS filters to block attacks?
Often it’s fear of blocking the wrong traffic, says Jeff Wilson, Infonetics’ principal analyst for network security. The filters use several ways of identifying potentially dangerous traffic, including signatures of known exploits and vulnerabilities and unusual behaviour such as non-standard use of network protocols. Sometimes they will block legitimate activity.
IPS vendors often advise customers to start by implementing the systems in alert-only mode, examine what traffic generates alerts, and then turn on blocking bit by bit as they make sure legitimate applications won’t be affected. “Even though all of our equipment is sold as an IPS, most of our equipment — I would say 80 per cent — is deployed initially as an IDS,” says Ali Afshari, security analyst at Cisco Systems Canada Co. As customers gain confidence, they turn on blocking. As IPS matures, there’s less need to do that, Wilson says. And Stiennon goes farther. “I’m a security guy and I think security first,” he says.
“There’ll be two or three per cent of the time that you’ll block applications that were using weird protocols.” Maybe, he says, the right way is to turn on blocking initially, then make adjustments where legitimate applications are affected. There are also a few cases where monitoring is enough. Even Stiennon says that for monitoring application behaviour behind the firewall, “a type of IDS is useful.”
McIntyre says IPS works best at choke points in the network, whereas simple detection may be best in areas where it’s not so clear where traffic is going or what is good and bad. Michele Perry, chief marketing officer at Sourcefire Inc., a Columbia, Md., IPS vendor, says it’s not a simple matter of blocking known attacks and ignoring everything else — security administrators often need a way of monitoring traffic that they wouldn’t want to block outright.
An alert-only deployment may be a good way to spot insider threats by flagging abnormal behaviour, she suggests. “We believe you should have one product,” Perry says, “but you’re going to deploy in different ways in different parts of your network.”
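The two decisions the article circles around, whether a rule set blocks or only alerts and how to turn blocking on without breaking legitimate applications, can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from any vendor named in it: a toy inline inspection engine whose rules each carry their own drop-or-alert action, whose sensors run in prevent mode at the choke point and detect mode on the internal LAN (the split McIntyre and Perry describe), and whose tuning step implements the "alert-only first, then blocking bit by bit" rollout the vendors recommend by demoting any rule that fires on traffic confirmed legitimate during the trial. The rule ids, signature patterns, segment names, addresses and packets are all constructed for the example.

```python
"""Toy inline inspection engine, written to illustrate the deployment choices
the article describes: the same rule set run as IDS (alert only) or IPS
(block), chosen per network segment, plus a tuning pass that demotes rules
which fire on traffic confirmed legitimate during an alert-only trial.
Constructed example; not any vendor's product."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str
    segment: str  # where the sensor saw it, e.g. "dmz-edge" or "internal-lan"


@dataclass
class Rule:
    sid: str
    description: str
    pattern: "re.Pattern[str]"
    action: str = "drop"  # action wanted in prevent mode: "drop" or "alert"


@dataclass(frozen=True)
class Verdict:
    sid: Optional[str]  # rule that fired; None when the traffic passed clean
    action: str         # "pass", "alert" or "drop"


def default_rules() -> List[Rule]:
    """Constructed signatures of the two kinds the article mentions: known
    exploit patterns and a protocol-anomaly check (non-standard HTTP verb)."""
    return [
        Rule("1001", "directory traversal in request path", re.compile(r"\.\./")),
        Rule("1002", "non-standard HTTP request verb", re.compile(r"^(?!GET |POST |HEAD )\S+ /")),
        Rule("1003", "SQL tautology in query string", re.compile(r"' OR '1'='1", re.I)),
    ]


# Per-segment mode: block at the choke point, observe only on the internal LAN.
SEGMENT_MODE: Dict[str, str] = {"dmz-edge": "prevent", "internal-lan": "detect"}


def inspect(packet: Packet, rules: List[Rule], mode: str) -> Verdict:
    """First matching rule wins. A drop happens only when the sensor is in
    prevent mode AND the rule itself is still set to drop."""
    for rule in rules:
        if rule.pattern.search(packet.payload):
            if mode == "prevent" and rule.action == "drop":
                return Verdict(rule.sid, "drop")
            return Verdict(rule.sid, "alert")
    return Verdict(None, "pass")


def process(traffic: List[Packet], rules: List[Rule],
            segment_mode: Dict[str, str]) -> List[Verdict]:
    """Unknown segments fall back to detect: fail toward alerting, not blocking."""
    return [inspect(p, rules, segment_mode.get(p.segment, "detect")) for p in traffic]


def tune_against_baseline(rules: List[Rule], known_good: List[Packet]) -> List[str]:
    """The 'turn on blocking bit by bit' step: any rule that fires on traffic
    operators confirmed legitimate during the alert-only trial is demoted to
    alert-only, so switching to prevent mode cannot break that application.
    Returns the demoted rule ids."""
    demoted = []
    for rule in rules:
        if rule.action == "drop" and any(rule.pattern.search(p.payload) for p in known_good):
            rule.action = "alert"
            demoted.append(rule.sid)
    return demoted


# Constructed traffic. The WebDAV PROPFIND is a legitimate internal application
# that uses a "weird protocol" from the strict-HTTP-verb rule's point of view.
BASELINE_GOOD = [
    Packet("10.0.5.12", "10.0.5.20", 80, "PROPFIND /share/docs HTTP/1.1", "internal-lan"),
]
TRAFFIC = [
    Packet("203.0.113.7", "10.0.1.10", 80, "GET /../../private/config HTTP/1.1", "dmz-edge"),
    Packet("198.51.100.4", "10.0.1.10", 80, "GET /login?user=admin' OR '1'='1 HTTP/1.1", "dmz-edge"),
    Packet("10.0.5.12", "10.0.1.10", 80, "PROPFIND /share/docs HTTP/1.1", "dmz-edge"),
    Packet("10.0.5.31", "10.0.5.20", 80, "GET /index.html HTTP/1.1", "internal-lan"),
    Packet("10.0.5.40", "10.0.5.20", 80, "GET /../../private/config HTTP/1.1", "internal-lan"),
]


def demo() -> Tuple[List[str], List[Tuple[Optional[str], str]]]:
    """Tune against the trial baseline, then run the live traffic."""
    rules = default_rules()
    demoted = tune_against_baseline(rules, BASELINE_GOOD)
    verdicts = process(TRAFFIC, rules, SEGMENT_MODE)
    return demoted, [(v.sid, v.action) for v in verdicts]


if __name__ == "__main__":
    demoted_ids, results = demo()
    print("demoted to alert-only after baseline:", demoted_ids)
    for pkt, (sid, action) in zip(TRAFFIC, results):
        print(f"{pkt.segment:13s} {action:5s} sid={sid} {pkt.payload}")
```

Two design points carry the article's argument. First, the action lives on the rule, not only on the sensor, so the tuning pass can leave the choke point in full prevent mode while the one rule that hit a legitimate WebDAV client keeps alerting; the same traversal and tautology rules still drop at the edge and only alert on the internal LAN. Second, a sensor in a segment nobody has classified defaults to detect, which is the conservative side of the "fear of blocking the wrong traffic" that Wilson describes.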