Network Intrusion Prevention Systems: When They're Valuable, and When They're Not
Source: Daniel Miessler - Posted by Administrator   
Features Anyone keeping track of the security vendor/technology hype knows that IPS has quickly replaced IDS as the “next big thing�. Depending on who you are, you may chalk this up to yet another infosec fad, or you could be of the opinion that IPS is actually making good on the promises that IDS never lived up to. I think it can be both – depending on your situation.

What NIPS Isn’t

First and foremost, NIPS is not a tool for stopping elite crackers. That may be how it’s being marketed, but it’s crap. If you’re the type to fall for that sort of hype then you’re probably in a lot more danger than any given technology can help you with.

A Simple Question

Whether or not IPS is worthless or a godsend to your organization hinges on a single question – “How good is your organization at staying patched?� This is the single question that organizations need to be asking themselves when considering network intrusion prevention technology.

The reason this question matters is because of the fact that NIPS only protects you against vulnerabilities that you can mitigate by applying patches and/or implementing other controls. If you are a relatively small organization with a highly technical administrative/security staff that keeps your systems constantly patched and locked down, a network IPS can’t offer you much of anything. Despite claims to the contrary, a network IPS system is about as good at stopping zero-day attacks as wordpad.exe.

Remember, stout security teams knows their systems. They read advisories daily and know what’s in the wild and what’s likely to be there soon. A team like this can more than likely patch their systems and/or mitigate the risk to their organization in other ways before a NIPS vendor can release a signature for their product. The benefit gained from someone blocking exploits at the perimeter at that point is virtually null. In short, anything that’s going to compromise a fully patched and locked down system is going to walk right through a NIPS as well.

Help, I Can’t Keep Up!

The true benefit of network IPS lies in what it can do for companies that can’t keep their systems patched. This may sound negative, but it’s almost as if the request for NIPS technology is analogous to the requestor admitting that they cannot stay on top of system administration.

For anyone willing to make this admission, however, the benefits of network IPS are quite significant. Consider a medium to large sized company where upper management doesn’t see the need for additional (see enough) systems and/or security administrators. (This shouldn’t require much imagination, by the way).

In an environment like this, vulnerabilities are likely to go unpatched for weeks, months, or even years – even in the Internet-facing areas. Many things can lead to machines not getting patched in these sorts of companies – developers claiming that the main bread-winning app will break if the patches are applied, administrator fear of being the cause of downtime, apathy, stupidity – take your pick.

The point is, a strategically-placed network IPS – say in front of the Internet-facing environment – can do something absolutely magical for an systems/security staff -- it can buy them time. Consider a site passing a ton of traffic into their DMZ via multiple protocols to dozens or hundreds of machines, and let’s say several of the applications being interfaced with have known vulnerabilities. If the person in charge knows that they lack the ability to patch all the vulnerable systems (inexcusable, I agree), then the NIPS system can effectively serve as a multi-patch gateway.

If the NIPS product has a signature for 34 of the 42 exploits that could potentially root 180 machines, then putting a network IPS at the bottleneck becomes an alternative to 1. getting cracked, and 2. patching. Make no mistake, though – patching is the better solution, but I recognize that there are sometimes circumstances that prevent good admins from doing their jobs. There are also situations where someone who knows the risks lacks the funding to bring admins aboard that can help them keep their systems in top shape. For either of these cases, network IPS seems like an acceptable evil.

Conclusion

So that’s the gist of it – if you keep your systems up to date and have a solid security team, NIPS is nearly worthless. The things you need to worry about are layering your defenses and preparing for the exploits you don’t know about.

If, however, you’re not getting support from management and you know you’re unable to keep your systems patched like you should – a network IPS may be something to look into. It’s a band-aid, to be sure, but if it keeps your company out of the papers then it very well may be worth it.
--
Daniel Miessler is currently working as a senior information security consultant for a medium-sized California-based company. He holds the CISSP and GSEC security certifications.

Comments
Issue is not wheather IPS is worthyWritten by ratna kumar on 2006-06-16 09:11:47
It's abt how to reduce false positives.IDS/IPS have proved there importance,there is no doubt about it. 
 
vulnerability correlation in IPS will help a great deal in improving them.
Catching the unknowns.Written by John Adamson on 2006-09-04 14:35:28
NIPS like NIDS is not a fire and forget solution. It's strength comes in detecting the use of known vulnerabilities (an ongoing attack). This should attract the attention of a security professional to the source of the attack and hopefully allow them to pick-up on the not known attacks. A fully patched network in which exploit attempts are ignored is just as problematic as using IDS without patching. 
 
Both is good, either can be livable, but none is unforgiveable.
$8 Glasses Eyeglasses, Cheap $8 Glasses Written by good article on 2009-04-01 03:25:30
glasses 
eyeglasses  
eye glasses 
eyewear
gghghWritten by eeee on 2009-05-07 03:44:10
si

Only registered users can write comments.
Please login or register.

Powered by AkoComment!