Intrusion Prevention Whitepaper En


8/9/2019 Intrusion Prevention Whitepaper En

WHITE PAPER

networkassociates.com

Intrusion Prevention: Myths, Challenges, and Requirements
April 2003

2003 Network Associates

Table of Contents

I. Introduction ... 3
II. Myths About Intrusion Prevention ... 4
    MYTH 1: Intrusion Detection and Intrusion Prevention Are Two Separate Solutions ... 4
    MYTH 2: Intrusion Prevention Is ALL or NOTHING ... 4
    MYTH 3: Intrusion Prevention Is TCP Kills/Resets or Modify Firewall Rules by IDS ... 5
    MYTH 4: Intrusion Prevention Is Losing Control Over Intrusion Detection and Response ... 5
III. Implementation Challenges ... 5
IV. Requirements for Effective Prevention ... 6
V. Path to Prevention ... 7
VI. McAfee IntruShield Approach ... 8
VII. About McAfee Network Protection Services ... 10
    McAfee IntruShield ... 10
VIII. About Network Associates ... 10


I. Introduction

In a recent survey commissioned by VanDyke Software, some 66 percent of the companies said that they perceive system penetration to be the largest threat to their enterprises. The survey revealed that the top eight threats experienced by those surveyed were viruses (78 percent of respondents), system penetration (50 percent), DoS (40 percent), insider abuse (29 percent), spoofing (28 percent), data/network sabotage (20 percent), and unauthorized insider access (16 percent).

Although 86 percent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is clear that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic, such as an attempt to telnet to a device when corporate security policy forbids telnet access completely, but is also designed to allow some traffic through (Web traffic to an internal Web server, for example). The problem is that many exploits attempt to take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised, this can often be used as a springboard to launch additional attacks on other internal servers. Once a rootkit or back door has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future.

The case has never been clearer for Intrusion Detection Systems (IDS). The computer world's equivalent of the burglar alarm, the IDS provides valuable backup to the beleaguered firewall system (the equivalent of the locked door). As in the physical world, our logical burglar alarm provides valuable notification that someone has managed to breach our perimeter security measures, and should allow us to determine exactly what happened during the attack, and hopefully provide indications of how the security weakness might be addressed.

However, most IDS systems tend to be reactive rather than proactive; that is, they often have to wait until something has actually happened before they can raise the alarm. The Intrusion Prevention System (IPS), however, attempts to be proactive, and is designed to stop intrusions dead, blocking the offending traffic before it does any damage rather than simply raising an alert as, or after, the malicious payload has been delivered. It achieves this by sitting directly in-line with the network traffic: one network port accepts traffic from the external system, and another port transmits it to the internal system after it has been checked for anomalies or suspicious content. Thus, problem packets, and all subsequent packets from the same data flow, can simply be discarded within the IPS appliance.

As with IDS systems, IPS products tend to fall into two categories: Host IPS (HIPS) and Network IPS (NIPS). Host IPS products rely on agents installed directly on the host system being protected, which interact closely with the underlying operating system and resident services in order to detect and prevent rogue system calls.

The Network IPS (sometimes known as an In-line IDS or Gateway IDS (GIDS)), however, could be thought of as something of a hybrid system, combining features of a standard IDS and a firewall. Like a firewall, the IPS appliance will sport at least two network interfaces, one designated as external and one as internal. Some appliances may have more than two in order to monitor multiple network paths, but the basic requirement is for two interfaces for data and one for management.

Placed in-line in a critical data path, the IPS detection engine examines packets as they pass through the device and processes them in a similar manner to an IDS so as to determine which packets are suspicious in nature. If a suspicious packet is detected, that packet can be dropped immediately, and all subsequent packets from that particular data stream can be discarded without further processing. Naturally, an IPS will also raise an alert in the same manner as an IDS, and this allows the IPS to operate in traditional IDS mode also, useful to enable the administrator to tune the system before placing it in full-blown prevention mode.

Legitimate packets are naturally passed straight through to the internal interface and on to their intended destination. A useful side effect of some NIPS products is that as a matter of course (in fact as part of the initial detection process) they will provide packet scrubbing functionality to remove protocol inconsistencies resulting from varying interpretations of the TCP/IP specification (or intentional packet manipulation). Thus any fragmented packets or packets with IP fragment overlaps will be cleaned up before being passed to the destination host.
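The packet scrubbing step described above, as an added example that is not code from this paper or from any IntruShield product: a small Python IP-fragment normalizer that reassembles one datagram and refuses any fragment set containing overlaps or holes, so the destination host never has to choose between two conflicting copies of a byte. The Fragment model and the three sample fragment sets are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    """One IP fragment of a single datagram (constructed model, not a real packet)."""
    offset: int      # byte offset of this payload within the reassembled datagram
    payload: bytes
    more: bool       # more-fragments flag: True on every fragment but the last


def scrub_fragments(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble one datagram's fragments, or return None if the set must be dropped.

    The set is dropped when two fragments overlap (even if the overlapping bytes
    agree), when there is a hole, or when the final fragment is missing. Different
    host IP stacks resolve overlaps differently (favouring the first copy, the last
    copy, or parts of each), so a sensor that forwards such a datagram cannot know
    what the destination will actually see; refusing it removes the ambiguity.
    """
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0                       # next byte offset we need
    out = bytearray()
    last_index = len(ordered) - 1
    for i, frag in enumerate(ordered):
        if frag.offset < expected:     # overlaps data already assembled
            return None
        if frag.offset > expected:     # hole: the datagram is incomplete
            return None
        if frag.more == (i == last_index):
            # either the last fragment still claims more are coming, or a
            # fragment marked "last" is followed by further data
            return None
        out += frag.payload
        expected += len(frag.payload)
    return bytes(out)


# Constructed fragment sets for the three cases the scrubber distinguishes.
CLEAN = [Fragment(6, b"world", False), Fragment(0, b"hello ", True)]
OVERLAP = [Fragment(0, b"hello ", True), Fragment(3, b"XXX", True), Fragment(6, b"world", False)]
HOLE = [Fragment(0, b"hello ", True), Fragment(8, b"rld", False)]


if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("overlap", OVERLAP), ("hole", HOLE)):
        result = scrub_fragments(frags)
        print(f"{name}: {'forward ' + repr(result) if result is not None else 'drop'}")
```

Only the clean set is forwarded; the overlapping and incomplete sets are dropped before they reach the internal interface, which is the behaviour the paper attributes to a scrubbing NIPS.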


MYTH 3: Intrusion Prevention Is TCP Kills/Resets or Modify Firewall Rules by IDS

It is not hard to see where this myth came from. Take a look at the marketing literature of many traditional IDS products today and you may well see claims that they offer "Intrusion Prevention" features. Well, the only kind of prevention that can be provided by a passive IDS device is to send TCP Resets to both ends of the connection once a suspicious packet has been detected, or perhaps to reconfigure an external firewall or router device to ensure that the remainder of the flow is blocked at the network perimeter.

The problem here is that unless the attacker is operating on a 2400 baud modem, the likelihood is that by the time the IDS has detected the offending packet, raised an alert, and transmitted the TCP Resets, and especially by the time the two ends of the connection have received the Reset packets and acted on them (or the firewall or router has had time to activate new rules to block the remainder of the flow), the payload of the exploit has long since been delivered. Our guess is that there are not many crackers using 2400 baud modems these days.

A true IPS device, however, is sitting in-line: all the packets have to pass through it. Therefore, as soon as a suspicious packet has been detected, and before it is passed to the internal interface and on to the protected network, it can be dropped. Not only that, but now that the flow has been flagged as suspicious, all subsequent packets that are part of that session can also be dropped with very little additional processing. Oh, and for good measure, it is also possible to send TCP Resets or ICMP Unreachable messages to the attacking host.

MYTH 4: Intrusion Prevention Is Losing Control Over Intrusion Detection and Response

By now, hopefully we have explained enough to show that this is simply not true. Providing the IPS device has been designed properly, it should actually offer more in the way of intrusion detection and response than any basic IDS product. With careful design (usually involving custom hardware and ASICs for the highest levels of performance when operating in in-line mode) the IPS device can provide detection capabilities that are every bit as good as the best passive IDS. In addition, only an in-line IDS can block all IP/ICMP/TCP/UDP based malicious traffic from reaching the intended target hosts with complete reliability and/or scrub non-conforming packets to defeat many DoS or reconnaissance attempts.

Most customers wish to deploy the IDS in Intrusion Detection Mode (sniffing mode) initially and then migrate to Intrusion Prevention mode (in-line mode).

III. Implementation Challenges

There are a number of challenges to implementing an IPS device that do not have to be faced when deploying passive-mode IDS products. These challenges all stem from the fact that the IPS device is designed to work in-line, presenting a potential choke point and single point of failure. If a passive IDS fails, the worst that can happen is that some attempted attacks may go undetected. If an in-line device fails, it can seriously impact the performance of the network. Perhaps latency rises to unacceptable values, or perhaps the device fails closed, in which case you have a self-inflicted Denial of Service condition on your hands. On the bright side, there will be no attacks getting through! But that is of little consolation if none of your customers can reach your e-commerce site.

Even if the IPS device does not fail altogether, it still has the potential to act as a bottleneck, increasing latency and reducing throughput as it struggles to keep up with up to a Gigabit or more of network traffic. Devices using off-the-shelf hardware will certainly struggle to keep up with a heavily loaded Gigabit network, especially if there is a substantial signature set loaded, and this could be a major concern for both the network administrator, who could see his carefully crafted network response times go through the roof when a poorly designed IPS device is placed in-line, as well as the security administrator, who will have to fight tooth-and-nail to have the network administrator allow him to place this unknown quantity amongst his high performance routers and switches. Dropped packets are also an issue, since if even one of those dropped packets is one of those used in the exploit data stream it is possible that the entire exploit could be missed. Most high-end IPS vendors will get around this problem by using custom hardware, populated with advanced FPGAs and ASICs; indeed, it is necessary to design the product to operate as much as a switch as an intrusion detection and prevention device.

It is very difficult for any security administrator to be able to characterize the traffic on his network with a high degree of accuracy. What is the average bandwidth? What are the peaks? Is the traffic mainly one protocol or a mix? What is the average packet size and level of new connections established every second (both critical parameters that can have detrimental effects on some IDS engines)? If your IPS hardware is operating on the edge, all of these are questions that need to be answered as accurately as possible to prevent performance degradation. However, if the IPS device is rated at Gigabit wire speeds and beyond, none of this matters: simply drop the device in-line, safe in the knowledge that all normal traffic will pass through transparently.

Another potential problem is the good old false positive. The bane of the security administrator's life (apart from the script kiddie, of course!), the false positive rears its ugly head when an exploit signature is not crafted carefully enough, such that legitimate traffic can cause it to fire accidentally. While merely annoying in a passive IDS device, consuming time and effort on the part of the security administrator, the results can be far more serious and far reaching in an in-line IPS appliance. Once again, the result is a self-inflicted Denial of Service condition, as the IPS device first drops the offending packet, and then blocks the entire data flow from the suspected hacker. If the traffic that triggered the false positive alert was part of a customer order, you can bet that the customer will not wait around for long as his entire session is torn down and all subsequent attempts to reconnect to your e-commerce site (if he decides to bother retrying at all, that is) are blocked by the well-meaning IPS.

In some respects, performance and detection capabilities are the least of the problems facing the administrator tasked with deploying these devices. The problem with any Gigabit IPS/IDS product is, by its very nature and capabilities, the amount of alert data it is likely to generate. On such a busy network, how many alerts will be generated in one working day? Or even one hour? Even with relatively low alert rates of ten per second, you are talking about 36,000 alerts every hour. That is 864,000 alerts each and every day. The ability to tune the signature set accurately is essential in order to keep the number of alerts to an absolute minimum. Once the alerts have been raised, however, it then becomes essential to be able to process them effectively. Advanced alert handling and forensic analysis capabilities, including detailed exploit information and the ability to examine packet contents and data streams, can make or break a Gigabit IDS/IPS product.

IV. Requirements for Effective Prevention

OK, having pointed out the potential pitfalls facing anyone deploying these devices, what features are we looking for that will help us to avoid such pitfalls?

In-line operation: Only by operating in-line can an IPS device perform true protection, discarding all suspect packets immediately and blocking the remainder of that flow.

Fine-grained granularity and control: Fine-grained granularity is required in terms of deciding exactly which malicious traffic is blocked. The ability to specify traffic to be blocked by attack, by policy, or right down to individual host level is vital. In addition, it may be necessary to only alert on suspicious traffic for further analysis and investigation.

Unquestionable detection accuracy: It is imperative that the quality of the signatures is beyond question, since false positives can lead to a Denial of Service condition. The user MUST be able to trust that the IDS is blocking only the user-selected malicious traffic. New signatures should be made available on a regular basis, and applying them should be quick (applied to all sensors in one operation via a central console) and seamless (no sensor reboot required).

Advanced alert handling and forensic analysis capabilities: Once the alerts have been raised at the sensor and passed to a central console, someone has to examine them, correlate them where necessary, investigate them, and eventually decide on an action. The capabilities offered by the console in terms of alert viewing (real time and historic) and reporting are key in determining the effectiveness of the IPS product.


Reliability and availability: Should an in-line device fail, it has the potential to close a vital network path and thus, once again, cause a DoS condition. An extremely low failure rate is thus very important in order to maximize up-time, and if the worst should happen, the device should provide the option to fail open or support fail-over to another sensor operating in a fail-over group (see below). In addition, to reduce downtime for signature and protocol coverage updates, an IPS must support the ability to receive these updates without requiring a device reboot. When operating in-line, sensors rebooting across the enterprise effectively translate into network downtime for the duration of the reboot.

High performance: Packet processing rates must be at wire speed under real-life traffic conditions, and the device must meet the stated performance with all signatures enabled. Headroom should be built into the performance capabilities to enable the device to handle any increases in size of signature packs that may occur over the next 3 years.

Low latency: When a device is placed in-line, it is essential that its impact on overall network performance is minimal. Packets should be processed quickly enough such that the overall latency of the device is as close as possible to that offered by a layer 4 device such as a firewall or load-balancer.

Resilience: Active-Active stateful fail-over with cooperating in-line sensors in a fail-over group will ensure that the IPS device does not become a single point of failure in a critical network deployment.

V. Path to Prevention

As we mentioned earlier in this paper, a well-designed IPS appliance would allow an administrator to progress from working in pure IDS mode to pure IPS mode in a number of easy-to-handle phases:

Phase I (Detection/No Prevention): The device operates in passive IDS mode connected to a switch SPAN port or tap device in order to monitor traffic. Multiple ports on the IPS appliance would allow it to monitor multiple segments with a single device, simplifying deployment and management. This stage offers intrusion detection only, with no prevention.

Phase II (In-line Detection/No Prevention): One pair of ports is combined, one designated internal and one external, in order to provide an in-line capability. Although the device is in-line, we are still operating in pure detection mode, with none of the policies configured to block traffic. This offers little practical advantage over phase one in terms of detection/prevention capabilities, though it does provide a degree of comfort to the administrator that normal traffic is being passed unmolested. The one advantage that is offered by this mode of deployment is that all traffic passing through the device is protocol-scrubbed, ensuring that it complies with the relevant RFCs and acceptable practices and that no strange evasion or obfuscation techniques are being used. In addition, the security and the networking teams build confidence about the device's ability to support network and business applications without introducing new troubleshooting issues or failure.

Phase III (Detection and Selective Prevention): Once in-line mode has been verified to be working correctly, the administrator can monitor the alert logs to determine the effectiveness of the intrusion detection policies. Initially, he may wish to select a subset of the most serious signatures, those which he is sure are not subject to false positive triggers, and enable blocking on those signatures alone. The device can be run for some time in this mode, with prevention being provided on the most serious exploits, and full detection capabilities operating on all others. If the product has been designed correctly, it should continue to offer complete intrusion detection capabilities even when operating in partial IPS mode. Further, the administrator can also flexibly configure selective blocking for incoming exploits before proceeding to block outgoing attacks.

Phase IV (Detection and Broad Prevention): Having proved the effectiveness of the device and tuned the security policies over time, the administrator can feel confident in switching on blocking for all signatures except for those which have proven to be susceptible to false positives. These remaining signatures will either be disabled completely or will remain in detection-only state where it is deemed that there is still sufficient risk of genuine attack traffic which may trigger those signatures. In all other respects, the device is operating in full prevention mode, discarding all suspicious packets immediately and blocking the subsequent data flows.
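The four phases above, as an added example that is not code from this paper or from IntruShield: a toy Python in-line engine whose per-signature policy is generated from the phase number, so the same traffic can be replayed through each phase. Packets, signature names and the notion that a packet simply "trips" a named signature are constructed stand-ins for real content matching; the fail_open flag illustrates the fail-open/fail-closed choice raised under Implementation Challenges and Requirements.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    ALERT = "alert"    # detect only: raise an alert, forward the packet
    BLOCK = "block"    # drop the packet and every later packet of its flow


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inbound: bool               # True: arrived on the external interface
    sig: Optional[str] = None   # constructed: signature this packet trips, if any


@dataclass
class Policy:
    actions: Dict[str, Action]  # signatures absent from the dict are disabled
    block_outbound: bool        # whether BLOCK also applies to outgoing traffic


def phase_policy(phase: int, signatures: List[str], severe: Set[str],
                 fp_prone: Set[str]) -> Policy:
    """Build the per-signature policy the paper describes for each phase."""
    if phase in (1, 2):
        # passive (I) or in-line (II): every signature alerts, nothing blocks
        return Policy({s: Action.ALERT for s in signatures}, block_outbound=False)
    if phase == 3:
        # selective prevention: block only serious signatures known to be
        # free of false positives, and only for incoming exploits at first
        return Policy({s: Action.BLOCK if s in severe and s not in fp_prone
                       else Action.ALERT for s in signatures},
                      block_outbound=False)
    if phase == 4:
        # broad prevention: block everything except signatures proven
        # susceptible to false positives, which stay in detection-only state
        return Policy({s: Action.ALERT if s in fp_prone else Action.BLOCK
                       for s in signatures},
                      block_outbound=True)
    raise ValueError(f"unknown phase {phase}")


class InlineEngine:
    def __init__(self, policy: Policy, fail_open: bool = True):
        self.policy = policy
        self.fail_open = fail_open
        self.healthy = True
        self.blocked_flows: Set[Tuple[str, str]] = set()
        self.alerts: List[str] = []

    def process(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet passing through the device."""
        if not self.healthy:
            # engine failure: a fail-open device keeps the network path up,
            # a fail-closed one turns into a self-inflicted DoS
            return "forward" if self.fail_open else "drop"
        flow = (pkt.src, pkt.dst)
        if flow in self.blocked_flows:
            return "drop"            # already flagged: no further inspection
        if pkt.sig is None:
            return "forward"
        action = self.policy.actions.get(pkt.sig)
        if action is None:
            return "forward"         # signature disabled
        self.alerts.append(pkt.sig)  # alerts are raised in every mode
        if action is Action.BLOCK and (pkt.inbound or self.policy.block_outbound):
            self.blocked_flows.add(flow)
            return "drop"
        return "forward"


SIGNATURES = ["worm-a", "overflow-b", "noisy-c"]
SEVERE = {"worm-a", "overflow-b"}
FP_PRONE = {"noisy-c"}   # constructed: a signature that has fired on legitimate traffic

# Constructed traffic: an inbound worm probe and a follow-up packet of the same
# flow, an inbound packet tripping the noisy signature, and an outbound exploit.
TRAFFIC = [
    Packet("198.51.100.9", "192.0.2.10", inbound=True, sig="worm-a"),
    Packet("198.51.100.9", "192.0.2.10", inbound=True),
    Packet("198.51.100.20", "192.0.2.10", inbound=True, sig="noisy-c"),
    Packet("192.0.2.30", "203.0.113.5", inbound=False, sig="overflow-b"),
]


def run_phase(phase: int, traffic: List[Packet] = TRAFFIC) -> Tuple[List[str], List[str]]:
    """Run the constructed traffic through a given phase; return (verdicts, alerts)."""
    engine = InlineEngine(phase_policy(phase, SIGNATURES, SEVERE, FP_PRONE))
    verdicts = [engine.process(p) for p in traffic]
    return verdicts, engine.alerts


if __name__ == "__main__":
    for phase in (1, 3, 4):
        print(phase, run_phase(phase))
```

Phases I and II share a policy because they differ only in where the sensor sits (SPAN port versus in-line), not in what it does with a match. In phase III the outbound exploit is alerted on but forwarded and the follow-up packet of the blocked flow is dropped without a second alert; in phase IV the outbound exploit is dropped as well, while the false-positive-prone signature keeps alerting without blocking.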


Once the administrator has gained the confidence to switch on the broadest possible blocking in in-line mode there are a number of benefits to be gained:

The attack is prevented from reaching the target host, which not only avoids the inconvenience of down-time on the target host, but also avoids the need for post-attack incident analysis and clean-up.

The administrator can immediately turn on in-line blocking for a newly discovered attack, thus giving the security staff enough time to patch the vulnerable hosts.

Minimize down time for mission critical hosts and applications: potential attacks and DoS attempts will never actually reach the target hosts.

Prevent IDS evasion and OS fingerprinting through Protocol Scrubbing (Protocol Normalization): the administrator can be sure that all traffic which passes through the IPS device onto the internal network conforms exactly to the appropriate RFCs or acceptable practices for that protocol.

With prevention in place, administrators can perform further trend and forensic analysis on various alerts in forensic logs to continuously enhance the security posture of the organization.

VI. McAfee IntruShield Approach

In order to handle multiple segments of traffic at Gigabit wire speeds, the McAfee IntruShield sensors make extensive use of dedicated, purpose-built, proprietary hardware that provides the performance required to accurately detect and then prevent network intrusions at wire-speed without packet loss. IntruShield has been designed and built from the ground up as an Intrusion Prevention System.

Almost every task undertaken by IntruShield systems benefits from hardware acceleration. For example, IntruShield's signature processing capabilities require hardware to accelerate repetitive signature detection tasks, such as string matches. As a result, the IntruShield architecture can theoretically support thousands of attack signatures at multi-gigabit data rates, and at the same time continue to detect and prevent first-strike and Denial of Service assaults.

Unlike most IDS sensors, which work purely in promiscuous mode (100Mbit) or which are designed to be connected directly to a SPAN port or tap (Gigabit), the IntruShield offers multiple methods of monitoring traffic:

SPAN or Hub Mode: IntruShield sensors can connect to the SPAN port of a switch or to a port on a hub, thus operating in port mirroring mode. When monitoring through use of SPAN or a hub, the I-2600's internal tap is disabled. The I-2600 can monitor up to eight SPAN connections, while the I-4000 can monitor up to four.


Tap Mode: The I-2600 has six 10/100 ports, each with internal full-duplex taps. The I-2600 also has two GBIC ports, which require external taps. Two wire-matched ports, called a port pair, operate together to enable full-duplex transmission, and the internal taps fail-open; that is, traffic continues to flow if the sensor fails. The I-2600 can process up to 600 Mbps of aggregate traffic. The I-4000 sensor in external tap mode works the same way as the I-2600 in external tap mode, and the sensor can receive 1Gbps of traffic from each tap port. Up to 2 Gbps of aggregate traffic can be processed by the IDS engine.

Port Clustering: This allows traffic monitored by multiple ports on a single IntruShield system to be aggregated into one traffic stream for state and intrusion analysis. This feature is especially useful in environments with asymmetric routing, where request and response packets may traverse separate network paths. A single IntruShield system can monitor multiple links and maintain accurate and complete state information.

In-line Mode: When placed directly in the path of a network segment, the I-4000 sensor processes up to 2Gbps of aggregate traffic for security violations in real time. Traffic passes through the detection engine, is checked, and is then sent back to the network. The four-port I-4000 can monitor two full-duplex segments in in-line mode.

A single appliance can also support hybrid deployment modes. For example, an I-2600 deployed at the network perimeter could be in full-duplex tap mode and alerting on two pairs of ports (outside firewall and DMZ) and configured to be in-line and selectively blocking worms inside the private LAN.

Multiple ports can be combined or configured to perform different tasks, providing unprecedented deployment flexibility and allowing the IntruShield sensors to easily handle multiple Gigabit segments. Another area which demonstrates the unparalleled flexibility of IntruShield is in the use of Virtual IDS (VIDS). Up to 1000 VIDS can be defined across all the ports on the device, and each one can be assigned a unique policy if required. VIDS can be defined based on a block of IP addresses (a CIDR block), or on one or more VLAN tags. IntruShield sensors can process these segments of data and apply multiple traffic policies for the multiple subnets transmitting across a single wire, right down to policies protecting individual hosts.
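The VIDS idea above, as an added example that is not IntruShield's own code: a Python lookup that assigns a packet on a single wire to a virtual IDS by VLAN tag or by CIDR block, with the most specific definition winning so that a single-host entry overrides the policy of the subnet it sits in. The Vids model, the policy labels and the sample table are constructed; the precedence rule (longest prefix, then VLAN match, then a catch-all default) is this example's own choice, not a documented IntruShield behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vids:
    """A virtual IDS: a policy applied to traffic selected by VLAN tag and/or CIDR block."""
    name: str
    policy: str                                     # constructed policy label
    vlan: Optional[int] = None                      # None: any VLAN
    cidr: Optional[ipaddress.IPv4Network] = None    # None: any address


def select_vids(table: List[Vids], dst_ip: str, vlan: Optional[int]) -> Optional[Vids]:
    """Pick the VIDS whose policy governs a packet to dst_ip carrying the given VLAN tag.

    The most specific definition wins: a longer CIDR prefix beats a shorter one
    (so a single-host /32 beats its /24), and among equal prefixes a VIDS that
    also names the VLAN beats one that does not. A VIDS with neither VLAN nor
    CIDR is the catch-all default. None is returned only if nothing matches.
    """
    addr = ipaddress.ip_address(dst_ip)
    best, best_rank = None, (-2, -1)
    for v in table:
        if v.vlan is not None and v.vlan != vlan:
            continue
        if v.cidr is not None and addr not in v.cidr:
            continue
        rank = (v.cidr.prefixlen if v.cidr is not None else -1,
                1 if v.vlan is not None else 0)
        if rank > best_rank:
            best, best_rank = v, rank
    return best


# Constructed VIDS table for one sensor port: a default, a VLAN-based segment,
# a DMZ subnet, and one hardened host inside that subnet.
TABLE = [
    Vids("default", policy="alert-only"),
    Vids("finance-vlan", policy="block-severe", vlan=10),
    Vids("dmz", policy="block-web-attacks", cidr=ipaddress.ip_network("192.0.2.0/24")),
    Vids("dmz-db-host", policy="block-all", cidr=ipaddress.ip_network("192.0.2.10/32")),
]


def policy_for(dst_ip: str, vlan: Optional[int] = None) -> str:
    """Policy label that applies to a packet, or 'no-vids' if the table has no match."""
    v = select_vids(TABLE, dst_ip, vlan)
    return v.policy if v else "no-vids"


if __name__ == "__main__":
    for ip, tag in (("192.0.2.10", None), ("192.0.2.50", None), ("10.1.1.1", 10), ("10.1.1.1", 20)):
        print(ip, tag, "->", select_vids(TABLE, ip, tag).name, policy_for(ip, tag))
```

Traffic to the DMZ database host gets the stricter host policy even though the /24 also matches, finance traffic is selected by VLAN tag alone, and anything else falls through to the detection-only default.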

IntruShield supports fail-open, Active-Active stateful failover to deliver high reliability and availability. The IntruShield sensors can also take advantage of new signature updates without the need for a sensor reboot, without losing state or terminating existing flows.

Attack coverage has been proven in several independent tests to be one of the broadest and most accurate available in an IPS device, allowing IntruShield to function as a pure IDS device if required, with an extremely high recognition rate. The accuracy and scope of the signatures also enables the security administrator to have a high degree of confidence in IntruShield's operation in IPS mode.

With DoS attacks, the sensor is automatically in learning mode by default, allowing it to monitor the normal network traffic for a period of time so that it is able to determine what constitutes an abnormal flood. For those administrators who would prefer to have more manual control over the DoS detection process, it is also possible to switch to threshold mode, where he can set the threshold level and interval for individual DoS attacks. Sophisticated administrators can also enable learning-based and threshold-based detections simultaneously to achieve the best trade-off between accuracy and coverage.
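The two DoS detection modes above, as an added example that is not IntruShield's implementation: a Python learning-mode detector that derives its notion of "abnormal flood" from a training window of per-interval packet counts (mean plus k standard deviations, a common baseline choice assumed here), beside a threshold-mode detector with a fixed administrator-set level, both run over the same constructed counts so the accuracy/coverage trade-off is visible.

```python
from statistics import mean, pstdev
from typing import List, Tuple


class LearningDetector:
    """Learning mode: derive what an abnormal flood is from observed normal traffic."""

    def __init__(self, learn_intervals: int, k: float = 3.0):
        self.learn_intervals = learn_intervals   # intervals used purely for training
        self.k = k                               # how many standard deviations is "abnormal"
        self.history: List[int] = []

    def observe(self, count: int) -> bool:
        """Feed one interval's packet count; True means it looks like a flood."""
        if len(self.history) < self.learn_intervals:
            self.history.append(count)           # still learning: never alert
            return False
        limit = mean(self.history) + self.k * pstdev(self.history)
        if count > limit:
            return True                          # abnormal: keep it out of the baseline
        # normal interval: slide the window so the baseline tracks slow drift
        self.history.pop(0)
        self.history.append(count)
        return False


class ThresholdDetector:
    """Threshold mode: the administrator sets the per-interval level by hand."""

    def __init__(self, threshold: int):
        self.threshold = threshold

    def observe(self, count: int) -> bool:
        return count > self.threshold


def run(counts: List[int], learn_intervals: int, threshold: int,
        k: float = 3.0) -> List[Tuple[bool, bool]]:
    """Run both detectors over per-interval counts; return (learning, threshold) verdicts."""
    learning = LearningDetector(learn_intervals, k)
    fixed = ThresholdDetector(threshold)
    return [(learning.observe(c), fixed.observe(c)) for c in counts]


# Constructed per-interval packet counts: eight quiet intervals, one slightly
# busier one, a flood, then a return to normal.
COUNTS = [100, 110, 95, 105, 90, 100, 98, 102, 115, 900, 105]


if __name__ == "__main__":
    for count, (flagged_l, flagged_t) in zip(COUNTS, run(COUNTS, learn_intervals=8, threshold=500)):
        print(f"{count:4d}  learning={'FLOOD' if flagged_l else 'ok':5}  "
              f"threshold={'FLOOD' if flagged_t else 'ok'}")
```

With a threshold of 500 both modes agree on the flood and both accept the busier 115-packet interval. Lowering the manual threshold to 110 makes threshold mode flag that normal interval while the learned baseline does not, which is the kind of accuracy-versus-coverage difference the paper says the two modes can be combined to balance.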

Management is extremely flexible and scalable, and the Admin Domains and User Roles features make it easy to delegate the most fine-grained control across the largest organization. Policy definition is also flexible, with a rule-based system allowing for definition of extremely complex policies, which can then be deployed to all sensors across a corporate network in a single operation. Once policies have been activated, the Java-based console provides advanced alert handling and forensic analysis capabilities too.

The IntruShield IDS system supports wire-speed performance in high-speed networks without packet loss. Several independent IDS tests have validated the ability of the IntruShield 4000 to sustain multi-gigabit data throughput. In addition, the IntruShield sensors have very low latency (in the order of microseconds) when deployed in real-life networks.


IntruShield also provides a solution for every budget. Starting with the I-2600 at just $5,000 per port, the ability to support multiple ports and monitor multiple 100Mbit or Gigabit segments using a single device brings the per-port cost down to prices which rival that of almost any competing product in this market place.

In summary, the award-winning next-generation IntruShield IDS:

Dispels the myths about intrusion prevention and provides a pragmatic approach to intrusion detection and prevention

Overcomes the implementation challenges with a purpose-built appliance designed to address the limitations of legacy IDS

Delivers on the effective requirements for intrusion prevention with accurate detection, comprehensive attack coverage, fine-grained policy control per attack and target

Uniquely provides a seamless path to intrusion prevention in multiple phases to enable administrators to obtain a security ROI with ease and confidence.

VII. About McAfee Network Protection Services

McAfee Network Protection Solutions keep both large and smaller distributed networks up and protected from attacks. Best-of-breed network protection solutions in the portfolio include the Sniffer Network Protection Platform for performance management and fault identification, InfiniStream performing security forensics on network activity, Network Performance Orchestrator (nPO) for centralizing and managing network activity, and McAfee IntruShield delivering network-based intrusion prevention.

McAfee IntruShield

McAfee IntruShield, a part of Network Associates' McAfee Network Protection Solutions family of products, is a unique cutting-edge technology that prevents intrusions on the wire before they hit critical systems. Highly automated and easily managed, McAfee IntruShield is designed with such flexibility that it can be implemented in a phased approach (one that overcomes the false positives inherent with today's legacy intrusion detection systems) and thus enables you to develop the right policy for blocking in your unique IT infrastructure. For example, you can deploy in-line to notify and block known attacks, and to notify-only on unknown attacks. Or you can implement complete blocking but just for business-critical network segments. IntruShield is delivered in a high-speed appliance which is able to scan traffic and assess threat levels with blinding speed, even on gigabit networks. It can be used at the edge or in front of key core resources. IntruShield has been crafted to satisfy both the security and network administrators as it stops a wide range of network attacks but does so with network latencies typically less than 10 milliseconds. IntruShield also looks for anomalous behavior and includes specialized analysis to find new denial of service mass attacks.

VIII. About Network Associates

With headquarters in Santa Clara, Calif., Network Associates, Inc (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. These two product portfolios incorporate Network Associates' leading McAfee, Sniffer and Magic product lines. For more information, Network Associates can be reached at 972-963-8000 or on the Internet at http://www.networkassociates.com/.


    Comment by Bob Walder, Director, The NSS Group

    This is a very interesting marketplace and things are moving very quickly indeed. No sooner have we started to notice a broader adoption of Intrusion Detection Systems (IDS) than we are already seeing them referred to as legacy systems.

    IDS vendors are fighting back, of course, by claiming intrusion prevention capabilities of their own, and the resulting marketing spin put on by both parties can only serve to muddy the waters for the poor security administrator tasked with determining which is the best product for his or her environment. It is important to remember, however, that IDS devices were never designed with IPS in mind: they are detection mechanisms, not prevention. It is a little harsh to beat them up over an inability to prevent attacks; that's like buying a pair of Wellington boots and then moaning that they don't prevent your head from getting wet in the rain!

    Unless a device is placed in-line, it is extremely difficult to perform any kind of guaranteed prevention. In most cases, sending TCP resets or reconfiguring firewalls are ineffective prevention mechanisms: by the time the response has been completed the exploit payload has probably been delivered. The only way to stop a packet (and the rest of the data flow to which it belongs) dead in its tracks is to operate in-line.

    There are a number of features that we would consider essential in a true IPS product. Probably the most important is the ability to operate in in-line mode. This may seem like a superfluous requirement given the nature of the product, but since some IDS vendors are claiming intrusion prevention capability in their marketing campaigns (which turns out to be nothing more than sending TCP reset commands across the wire or reconfiguring a perimeter firewall) it is an important distinction to make up front.

    The problem with working in-line, of course, is that there is always the potential to affect performance and reliability of the rest of the network. If the IPS device fails open, the worst that can happen is that you miss an exploit; if it fails closed, you could cut off all external access to and from your network completely. Reliability is therefore essential. The IPS appliance must offer the maximum up-time possible, and should not require a reboot to apply signature updates. Given that it can represent a single point of failure, it would be nice if it offered some form of failover mechanism for those sites that need guaranteed 100% availability.

    As far as performance is concerned, the wish list would have zero packet loss and zero latency at the top. Zero packet loss under all normal loads is essential, of course, if the device is not to run the risk of missing exploit packets. Unfortunately, given the amount of processing that these devices have to perform for the majority of the packets passing through them, increased latency is something we will have to live with, but at least it should be kept to a minimum.

    Finally, broad and accurate signature coverage is also essential. Bear in mind that if you are going to place your IPS device in-line and turn on the blocking mechanism, you had better be pretty confident that the signatures you have deployed are not prone to false positives. If you do not want to run in blocking mode, or if you want to block only a selected subset of signatures, then you still require a signature set that is comprehensive enough to allow the device to operate as an effective IDS.

    There are other key requirements which are common to both IPS and IDS devices, of course: a good alert handling and reporting mechanism, centralized management and configuration, flexible policy definition and deployment, and regularly updated signature sets, to name but a few.

    The NSS Group has produced a number of independent group test reports on IDS and IPS technologies which can be obtained via their Web site at www.nss.co.uk
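    The race that the NSS comment above describes, an out-of-band TCP reset that arrives only after the matching segment has already reached the victim versus an in-line sensor that can drop that segment itself, can be made concrete with a small timing model. The code below is an added example written for this page; it is not code from the whitepaper, from NSS or from IntruShield. The flows, timings and segment labels are constructed, and two modelling assumptions are made: the passive sensor's RST lands at the victim a fixed delay after its alert (real RST injection would also have to guess the right sequence number, which is ignored here), and the in-line sensor quarantines the rest of a flow once one of its segments matches.

```python
"""
Toy discrete-event model: passive sensor + TCP RST versus in-line drop.
Added example, not code from the whitepaper, NSS or IntruShield.
All flows, timings and labels below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    send_time_ms: float        # when the attacker puts the segment on the wire
    label: str                 # constructed description of the payload
    part_of_exploit: bool      # the exploit needs this segment to land
    matches_signature: bool    # a signature fires when a sensor sees it


@dataclass
class Outcome:
    delivered: List[str] = field(default_factory=list)
    dropped: List[str] = field(default_factory=list)
    alert_at_ms: Optional[float] = None

    def exploit_succeeded(self, flow: List[Segment]) -> bool:
        """True if every segment the exploit depends on reached the victim."""
        return all(s.label in self.delivered for s in flow if s.part_of_exploit)


def run_inline(flow: List[Segment], inspect_ms: float) -> Outcome:
    """In-line sensor: every segment is held for `inspect_ms` before it is
    forwarded, so the matching segment can be dropped before delivery.
    Assumption: once a flow matches, the rest of that flow is dropped too."""
    out = Outcome()
    for seg in flow:
        if out.alert_at_ms is None and seg.matches_signature:
            out.alert_at_ms = seg.send_time_ms + inspect_ms
        if out.alert_at_ms is None:
            out.delivered.append(seg.label)
        else:
            out.dropped.append(seg.label)
    return out


def run_passive(flow: List[Segment], inspect_ms: float, rst_delay_ms: float) -> Outcome:
    """Passive sensor on a tap/SPAN port: the wire never waits for it, so the
    matching segment has already reached the victim when the alert fires.
    Its RST lands `rst_delay_ms` after the alert and can only stop segments
    the attacker sends after that moment (the connection is gone by then)."""
    out = Outcome()
    rst_lands_ms: Optional[float] = None
    for seg in flow:
        if rst_lands_ms is not None and seg.send_time_ms >= rst_lands_ms:
            out.dropped.append(seg.label)
            continue
        out.delivered.append(seg.label)
        if out.alert_at_ms is None and seg.matches_signature:
            out.alert_at_ms = seg.send_time_ms + inspect_ms
            rst_lands_ms = out.alert_at_ms + rst_delay_ms
    return out


# Constructed flows. The signature fires on the first exploit segment.
SINGLE_SEGMENT_EXPLOIT = [
    Segment(0.0, "handshake", part_of_exploit=False, matches_signature=False),
    Segment(10.0, "overflow", part_of_exploit=True, matches_signature=True),
]


def staged_exploit(gap_ms: float) -> List[Segment]:
    """Exploit whose payload spans four segments sent `gap_ms` apart."""
    head = [Segment(0.0, "handshake", False, False),
            Segment(10.0, "stage1", True, True)]
    tail = [Segment(10.0 + i * gap_ms, f"stage{i + 1}", True, False)
            for i in range(1, 4)]
    return head + tail


if __name__ == "__main__":
    scenarios = [("single-segment", SINGLE_SEGMENT_EXPLOIT),
                 ("staged, 1 ms gaps", staged_exploit(1.0)),
                 ("staged, 20 ms gaps", staged_exploit(20.0))]
    for name, flow in scenarios:
        inline = run_inline(flow, inspect_ms=2.0)
        passive = run_passive(flow, inspect_ms=2.0, rst_delay_ms=5.0)
        print(f"{name:20s} in-line exploit={inline.exploit_succeeded(flow)!s:5s} "
              f"passive+RST exploit={passive.exploit_succeeded(flow)!s:5s} "
              f"delivered={passive.delivered}")
```

    With a 2 ms inspection time and a 5 ms RST delay the model reproduces the comment's point: a single-segment exploit is never stopped out of band, a staged exploit is stopped out of band only when the attacker's inter-segment gap exceeds detection plus RST delay (20 ms gaps, not 1 ms), and the in-line sensor stops all three regardless of attacker timing, at the cost of the inspection latency it adds to every segment.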


    All Network Associates products are backed by our PrimeSupport program and Network Associates Laboratories. Tailored to fit your company's needs, PrimeSupport service offers essential product knowledge and rapid, reliable technical solutions to keep you up and running. Network Associates Laboratories, a world leader in information systems and security, is your guarantee of the ongoing development and refinement of all our technologies.

    Network Associates, Sniffer, Network Performance Orchestrator (nPO), nPO Manager, nPO Visualizer, and PrimeSupport are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. Sniffer brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners. © 2003 Networks Associates Technology, Inc. All Rights Reserved. 6-av-ins-inp-001/0603