Network Intrusion Prevention Systems: When They're Valuable, and When They're Not
Source: Daniel Miessler - Posted by Administrator

Anyone keeping track of security vendor and technology hype knows that IPS has quickly replaced IDS as the "next big thing". Depending on who you are, you may chalk this up to yet another infosec fad, or you may be of the opinion that IPS is actually making good on the promises that IDS never lived up to. I think it can be both, depending on your situation.

What NIPS Isn’t

First and foremost, NIPS is not a tool for stopping elite crackers. That may be how it’s being marketed, but it’s crap. If you’re the type to fall for that sort of hype then you’re probably in a lot more danger than any given technology can help you with.

A Simple Question

Whether IPS is worthless or a godsend to your organization hinges on a single question: "How good is your organization at staying patched?" That is the one question an organization needs to ask itself when considering network intrusion prevention technology.

This question matters because a NIPS only protects you against vulnerabilities that are already known and have a signature, which are exactly the vulnerabilities you could mitigate yourself by applying patches or implementing other controls. If you are a relatively small organization with a highly technical administrative and security staff that keeps your systems constantly patched and locked down, a network IPS can't offer you much of anything. Despite claims to the contrary, a network IPS is about as good at stopping zero-day attacks as wordpad.exe.

Remember, strong security teams know their systems. They read advisories daily and know what's in the wild and what's likely to be there soon. A team like this can more than likely patch its systems, or mitigate the risk to the organization in other ways, before a NIPS vendor can release a signature for its product. At that point the benefit gained from something blocking exploits at the perimeter is virtually nil. In short, anything that's going to compromise a fully patched and locked-down system is going to walk right through a NIPS as well.

Help, I Can’t Keep Up!

The true benefit of network IPS lies in what it can do for companies that can't keep their systems patched. This may sound negative, but a request for NIPS technology is, in effect, the requestor admitting that they cannot stay on top of system administration.

For anyone willing to make this admission, however, the benefits of network IPS are quite significant. Consider a medium to large sized company where upper management doesn't see the need for additional (read: enough) systems and security administrators. (This shouldn't require much imagination, by the way.)

In an environment like this, vulnerabilities are likely to go unpatched for weeks, months, or even years – even in the Internet-facing areas. Many things can lead to machines not getting patched in these sorts of companies – developers claiming that the main bread-winning app will break if the patches are applied, administrator fear of being the cause of downtime, apathy, stupidity – take your pick.

The point is, a strategically placed network IPS, say in front of the Internet-facing environment, can do something absolutely magical for a systems or security staff: it can buy them time. Consider a site passing a ton of traffic into its DMZ via multiple protocols to dozens or hundreds of machines, and let's say several of the applications being exposed have known vulnerabilities. If the person in charge knows that they lack the ability to patch all the vulnerable systems (inexcusable, I agree), then the NIPS can effectively serve as a multi-patch gateway.

If the NIPS product has a signature for 34 of the 42 exploits that could potentially root 180 machines, then putting a network IPS at the choke point becomes an alternative both to getting cracked and to patching, at least for those 34; the remaining 8 still have to be patched, and the time the IPS buys should go there first. Make no mistake, though: patching is the better solution, but I recognize that there are sometimes circumstances that prevent good admins from doing their jobs. There are also situations where someone who knows the risks lacks the funding to bring admins aboard who can help them keep their systems in top shape. For either of these cases, network IPS seems like an acceptable evil.
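The "34 of 42" reasoning above is easy to get wrong once the IPS does not sit in front of every vulnerable host, so here is an added worked example (not the author's code, and not from any IPS product) that turns it into a coverage-gap check. The host inventory, the signature list and the VULN-NN identifiers are all constructed placeholders, not real hosts or CVE numbers; the model assumes a single NIPS in front of the Internet-facing segment, so a vulnerability is "virtually patched" only when the host's traffic crosses the sensor and a signature exists for the exploit.

```python
"""Coverage-gap check for a signature-based NIPS used as a 'multi-patch gateway'.

Added example with constructed data: hosts, signatures and VULN-NN names are
hypothetical placeholders, not real systems or CVE identifiers.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    behind_ips: bool       # True if traffic to this host crosses the NIPS choke point
    unpatched: frozenset   # vulnerabilities present on the host and not yet patched


# Constructed sample data. The NIPS here sits only in front of the
# Internet-facing segment; db-01 is internal and never crosses the sensor.
IPS_SIGNATURES = frozenset({"VULN-01", "VULN-02", "VULN-03", "VULN-05"})

HOSTS = [
    Host("web-01", True, frozenset({"VULN-01", "VULN-02", "VULN-04"})),
    Host("web-02", True, frozenset({"VULN-01", "VULN-05"})),
    Host("mail-01", True, frozenset({"VULN-03", "VULN-06"})),
    Host("db-01", False, frozenset({"VULN-02", "VULN-04"})),  # not behind the IPS
]


def shielded(host: Host, vuln: str, signatures: frozenset) -> bool:
    """The IPS 'virtually patches' a vulnerability only when the traffic
    crosses the sensor AND the vendor has shipped a signature for it."""
    return host.behind_ips and vuln in signatures


def residual_exposure(hosts, signatures) -> dict[str, set[str]]:
    """Per host, the unpatched vulnerabilities the IPS cannot cover for you."""
    return {
        h.name: {v for v in h.unpatched if not shielded(h, v, signatures)}
        for h in hosts
    }


def coverage(hosts, signatures) -> tuple[int, int]:
    """(shielded host/vuln pairs, total unpatched pairs): the '34 of 42' figure."""
    total = sum(len(h.unpatched) for h in hosts)
    covered = sum(1 for h in hosts for v in h.unpatched if shielded(h, v, signatures))
    return covered, total


def patch_priority(hosts, signatures) -> list[tuple[str, int]]:
    """Vulnerabilities ranked by how many hosts remain exposed after the IPS;
    this is where the time the IPS buys should be spent first."""
    counts = Counter(
        v for vulns in residual_exposure(hosts, signatures).values() for v in vulns
    )
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def attempt(host: Host, vuln: str, signatures: frozenset) -> str:
    """Outcome of an exploit attempt for `vuln` against `host`."""
    if vuln not in host.unpatched:
        return "not vulnerable"      # patched: the IPS adds nothing here
    if shielded(host, vuln, signatures):
        return "blocked by IPS"      # known exploit, signature exists, crosses sensor
    return "compromised"             # no signature or not behind the sensor


if __name__ == "__main__":
    covered, total = coverage(HOSTS, IPS_SIGNATURES)
    print(f"IPS shields {covered} of {total} unpatched host/vulnerability pairs")
    for name, vulns in residual_exposure(HOSTS, IPS_SIGNATURES).items():
        print(f"{name:8} still exposed to: {sorted(vulns) or 'nothing'}")
    print("patch first:", patch_priority(HOSTS, IPS_SIGNATURES))
    print("VULN-04 vs web-01:", attempt(HOSTS[0], "VULN-04", IPS_SIGNATURES))
```

Running it on the sample inventory reports 5 of 9 pairs shielded, with VULN-04 at the top of the patch list because it has no signature and also lives on the internal host the perimeter IPS never sees. That last case is the practical caveat: a "multi-patch gateway" only patches what flows through it.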
So that's the gist of it: if you keep your systems up to date and have a solid security team, NIPS is nearly worthless. The things you need to worry about are layering your defenses and preparing for the exploits you don't know about.

If, however, you're not getting support from management and you know you're unable to keep your systems patched like you should, a network IPS may be something to look into. It's a band-aid, to be sure, but if it keeps your company out of the papers then it very well may be worth it.

Daniel Miessler is currently working as a senior information security consultant for a medium-sized California-based company. He holds the CISSP and GSEC security certifications.

Issue is not whether IPS is worthy. Written by ratna kumar on 2006-06-16 09:11:47
It's about how to reduce false positives. IDS/IPS have proved their importance, there is no doubt about it.
Vulnerability correlation in IPS will help a great deal in improving them.
Catching the unknowns. Written by John Adamson on 2006-09-04 14:35:28
NIPS, like NIDS, is not a fire-and-forget solution. Its strength comes in detecting the use of known vulnerabilities (an ongoing attack). This should attract the attention of a security professional to the source of the attack and hopefully allow them to pick up on the not-known attacks. A fully patched network in which exploit attempts are ignored is just as problematic as using IDS without patching.
Both are good, either can be livable, but none is unforgivable.
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.