Your Network Is A Sitting Duck Without IDP - Del Mar College


The sophistication and severity of attacks by hackers today, combined with the data-intensive needs of a mobile workforce, demands a security solution beyond a simple firewall. You need an Intrusion Detection and Prevention System to allow your workforce to get access to the information they need while at the same time stopping all types of threats, both real and imagined.

Contents

Intrusion Detection and Prevention: All About IPS & IDS
Evaluating Intrusion Prevention Systems
Managed Intrusion Detection and Prevention Services
Intrusion Detection and Prevention—More Essential Than a Firewall

© 2007, Jupitermedia Corp.

Intrusion Detection and Prevention: All About IPS & IDS

Webopedia

Used in computer security, intrusion detection refers to the process of monitoring computer and network activities and analyzing those events to look for signs of intrusion in your system. The point of looking for unauthorized intrusions is to alert IT professionals and system administrators within your organization to potential system or network security threats and weaknesses.

IDS—A Passive Security Solution

An intrusion detection system (IDS) is designed to monitor all inbound and outbound network activity and identify any suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. IDS is considered to be a passive-monitoring system, since the main function of an IDS product is to warn you of suspicious activity taking place—not to prevent it. An IDS essentially reviews your network traffic and data and will identify probes, attacks, exploits and other vulnerabilities. IDSs can respond to the suspicious event in one of several ways, which include displaying an alert, logging the event or even paging an administrator. In some cases the IDS may be prompted to reconfigure the network to reduce the effects of the suspicious intrusion.

An IDS specifically looks for suspicious activity and events that might be the result of a virus, worm or hacker. This is done by looking for known intrusion signatures or attack signatures that characterize different worms or viruses and by tracking general variances which differ from regular system activity. The IDS is able to provide notification of only known attacks.

The term IDS actually covers a large variety of products, all of which produce the end result of detecting intrusions. An IDS solution can come in the form of cheaper shareware or freely distributed open source programs, or a much more expensive and secure vendor software solution.
Additionally, some IDSs consist of both software applications and hardware appliances and sensor devices which are installed at different points along your network.

There are several ways to categorize an IDS system:

Misuse Detection vs. Anomaly Detection

In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. Like a virus detection system, detection software is only as good as the database of intrusion signatures that it uses to compare packets against. In anomaly detection, the system administrator defines the baseline, or normal, state of the network's traffic load, breakdown, protocol, and typical packet size. The anomaly detector monitors network segments to compare their state to the normal baseline and look for anomalies.

Passive vs. Reactive Systems

In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.

Network-based vs. Host-based IDS

Intrusion detection systems are network or host based solutions. Network-based IDS systems (NIDS) are often standalone hardware appliances that include network intrusion detection capabilities. A NIDS will usually consist of hardware sensors located at various points along the network or software that is installed on system computers connected to your network, which analyzes data packets entering and leaving the network. Host-based IDS systems (HIDS) do not offer true real-time detection, but if configured correctly are close to true real-time. Host-based IDS systems consist of software agents installed on individual computers within the system. HIDS analyze the traffic to and from the specific computer on which the intrusion detection software is installed. HIDS systems often provide features you can't get with a network-based IDS. For example, HIDS are able to monitor activities that only an administrator should be able to implement. They are also able to monitor changes to key system files and any attempt to overwrite these files. Attempts to install Trojans or backdoors can also be monitored by a HIDS and stopped. These specific intrusion events are not always seen by a NIDS.

While it depends on the size of your network and the number of individual computers which require an intrusion detection system, NIDS are usually a cheaper solution to implement and require less administration and training—but they are not as versatile as a HIDS. Both systems will require Internet access (bandwidth) to ensure the system is kept up-to-date with the latest virus and worm signatures.

Is IDS the Same as Firewall?

The quick answer is no. Unfortunately, IDS is commonly mistaken for a firewall or as a substitute for a firewall. While they both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening. The firewall limits the access between networks in order to prevent intrusion and does not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. The network-based intrusion protection system can also detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules.

An IDS is not a replacement for either a firewall or a good antivirus program. An IDS should be considered a tool to use in conjunction with your standard security products (like anti-virus and a firewall) to increase your system-specific or network-wide security.

False Positives and Negatives

The term false positive itself refers to security systems incorrectly seeing legitimate requests as spam or security breaches. Basically, the IDS will detect something it is not supposed to. Alternatively, IDS is prone to false negatives, where the system fails to detect something it should. Both of these problems are associated with IDS, but they are issues vendors spend a lot of time working on, and as a result, it is not believed that IDS detects a high percentage of false positives or false negatives. Still, it is a topic worth consideration when looking at different IDS solutions.

Key Terms To Understanding Intrusion Detection & Prevention

IDS: Short for intrusion detection system.
IPS: Short for intrusion prevention system.
Intrusion signatures: When a malicious attack is launched against a system, the attack typically leaves evidence of the intrusion in the system's logs. Each intrusion leaves a kind of footprint behind.
False positive: The condition in which spam-filtering software will incorrectly identify a legitimate, solicited or expected email as a spam transmission.

Additional Terms To Understanding Intrusion Detection & Prevention: hacker, virus, worm, Trojan horse, firewall.

IPS—An Active Security Solution

IPS, or intrusion prevention system, is definitely the next level of security technology with its capability to provide security at all system levels from the operating system kernel to network data packets. It provides policies and rules for network traffic along with an IDS for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted. Where IDS informs of a potential attack, an IPS makes attempts to stop it. Another huge leap over IDS is that IPS has the capability of being able to prevent not only known intrusion signatures, but also some unknown attacks due to its database of generic attack behaviors. Thought of as a combination of IDS and an application layer firewall for protection, IPS is generally considered to be the "next generation" of IDS.

Currently, there are two types of IPSs that are similar in nature to IDS. They consist of host-based intrusion prevention systems (HIPS) products and network-based intrusion prevention systems (NIPS).

Network-based vs. Host-based IPS

Host-based intrusion prevention systems are used to protect both servers and workstations through software that runs between your system's applications and OS kernel. The software is preconfigured to determine the protection rules based on intrusion and attack signatures. The HIPS will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. HIPS monitors activities such as application or data requests, network connection attempts, and read or write attempts, to name a few.

While host-based IPSs are considered to be more secure than network-based intrusion prevention systems, the cost to install the software to each and every server and workstation within your organization may be quite costly. Additionally, the HIPS on each system must be frequently updated to ensure the attack signatures are up-to-date.

Network-based intrusion prevention systems (often called inline prevention systems) are a solution for network-based security. NIPS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing them along should they be deemed legitimate traffic. Network-based IPSs work in several ways. Usually package- or software-specific features determine how a specific NIPS solution works, but generally you can expect it to scan for intrusion signatures, search for protocol anomalies, detect commands not normally executed on the network and more.

One interesting aspect of NIPS is that if the system finds an offending packet of information it can rewrite the packet so the hack attempt will fail, which also means the organization can mark this event to gather evidence against the would-be intruder, without the intruder's knowledge. As with all technology, NIPS is not perfect. In some instances you may end up blocking a legitimate network request.

Problems associated with implementing NIPS exist as well. We already mentioned the possibility of blocking legitimate traffic, and you also have to take network performance into consideration. Since all data moving through the network will pass through the IPS it could cause your network performance to drop. To combat this problem, network-based IPSs that consist of appliance or hardware and software packages are available today (at a larger cost), but they will take most of the load from running a software-based NIPS off your network.

IDS vs. IPS

While many in the security industry believe IPS is the way of the future and that IPS will take over IDS, it is somewhat of an apples and oranges comparison. The two solutions are different in that one is a passive detection monitoring system and the other is an active prevention system. The age-old debate of why you would want to be passive when you could be active comes into play. You can also evaluate the implementation of a more mature IDS technology, versus the younger, less established IPS solutions. The drawbacks mentioned regarding IDS can largely be overcome with proper training, management, and implementation. Plus, overall an IDS solution will be cheaper to implement. Many, however, look at the added benefits of the intuitive IPS systems and, believing that IPS is the next generation of IDS, choose to use the newer IPSs as opposed to the IDSs. Adding to the muddle, of course, will be your initial decision of choosing host-based or network-based systems for either IDS or IPS security solutions.

Much like choosing between standard security devices like routers and firewalls, it is important to remember that no single security device will stop all attacks all the time. IPS and IDS work best when integrated with additional and existing security solutions.

This content was adapted from internet.com's Webopedia Web site.
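An added example, not part of the Webopedia article: a toy Python sensor that runs the two detection categories described above, misuse (signature) detection and anomaly (baseline) detection, over constructed packet records and scores each against known ground truth, so the false positives and false negatives the article discusses become visible. The packet values, the signature database, the per-port size baseline and the 3-sigma threshold are all constructed for this illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str
    size: int
    payload: bytes
    label: str  # constructed ground truth for scoring: "benign" or "attack"


# Constructed traffic. The baseline is ordinary HTTP and DNS; the last three packets
# are a documented attack, an attack with no signature yet, and a large but legitimate upload.
BASELINE = [Packet("10.0.0.%d" % (i % 5 + 2), 80, "tcp", 400 + 20 * (i % 7),
                   b"GET /index.html HTTP/1.1", "benign") for i in range(40)]
BASELINE += [Packet("10.0.0.9", 53, "udp", 70, b"\x00\x01example", "benign") for _ in range(10)]
TRAFFIC = BASELINE + [
    Packet("203.0.113.7", 80, "tcp", 420, b"GET /cgi-bin/known_bad.cgi HTTP/1.1", "attack"),
    Packet("203.0.113.8", 80, "tcp", 4200, b"POST /upload " + b"A" * 4000, "attack"),
    Packet("10.0.0.4", 80, "tcp", 3900, b"POST /backup " + b"\x00" * 3800, "benign"),
]

# Hypothetical signature database: only the documented attack has an entry.
SIGNATURES = {"known_bad_cgi": b"/cgi-bin/known_bad.cgi"}


def misuse_detect(packets, signatures):
    """Misuse detection: alert only when a payload contains a documented signature."""
    alerts = {}
    for i, p in enumerate(packets):
        for name, pattern in signatures.items():
            if pattern in p.payload:
                alerts[i] = name
    return alerts


class AnomalyDetector:
    """Anomaly detection: learn a per-protocol/port packet-size baseline from the
    administrator's "normal" traffic, then alert on packets that deviate from it by
    more than k standard deviations or that use a protocol/port never seen before."""

    def __init__(self, k=3.0):
        self.k = k
        self.baseline = {}

    def train(self, packets):
        by_key = {}
        for p in packets:
            by_key.setdefault((p.proto, p.dst_port), []).append(p.size)
        for key, sizes in by_key.items():
            self.baseline[key] = (mean(sizes), pstdev(sizes) or 1.0)

    def detect(self, packets):
        alerts = {}
        for i, p in enumerate(packets):
            key = (p.proto, p.dst_port)
            if key not in self.baseline:
                alerts[i] = "unseen protocol/port"
                continue
            mu, sigma = self.baseline[key]
            if abs(p.size - mu) > self.k * sigma:
                alerts[i] = "size %d outside baseline %.0f +/- %.0f" % (p.size, mu, sigma)
        return alerts


def score(packets, alerts):
    """Return (true positives, false positives, false negatives) against the labels."""
    tp = sum(1 for i, p in enumerate(packets) if p.label == "attack" and i in alerts)
    fp = sum(1 for i, p in enumerate(packets) if p.label == "benign" and i in alerts)
    fn = sum(1 for i, p in enumerate(packets) if p.label == "attack" and i not in alerts)
    return tp, fp, fn


def run_comparison():
    """Score misuse detection, anomaly detection, and the two combined (union of alerts)."""
    misuse = misuse_detect(TRAFFIC, SIGNATURES)
    detector = AnomalyDetector()
    detector.train(BASELINE)
    anomaly = detector.detect(TRAFFIC)
    combined = {**misuse, **anomaly}
    return {"misuse": score(TRAFFIC, misuse),
            "anomaly": score(TRAFFIC, anomaly),
            "combined": score(TRAFFIC, combined)}


if __name__ == "__main__":
    for name, (tp, fp, fn) in run_comparison().items():
        print("%-9s true positives=%d false positives=%d false negatives=%d" % (name, tp, fp, fn))
```

The signature engine misses the attack it has no entry for, the baseline engine misses the attack whose packets look normal and flags the oversized legitimate upload, and only their union catches both attacks, which is the article's point that each category has its own blind spots.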

Evaluating Intrusion Prevention Systems

By Bob Walder

IPSs are becoming today's must-have security solution, but don't deploy blindly; testing on your network is the key to success, writes CIO Update guest columnist Bob Walder of The NSS Group.

With intrusion prevention systems (IPS) fast becoming as essential a purchase as the ubiquitous firewall, the choice is becoming ever more bewildering as more and more vendors scurry to bring new products to market.

Some of these vendors are coming from a solid IDS (intrusion detection) background, while others are essentially hardware manufacturers (switches or anti-mitigation devices) that are crossing over into the IPS world. The resulting products are often quite different.

For example, the largely software-based IDS products tend to turn into software-based IPS products running on standard Intel hardware. While performance can be perfectly adequate, you can never expect them to match those ASIC/FPGA-based dedicated hardware devices which can yield near switch-like latencies, and handle a gigabit or more of 64-byte packets without blinking.

On the other hand, the new kids on the block might be able to boast superior performance, but they are often starting from scratch when it comes to signature coverage and resistance to evasion techniques; areas in which the more established IDS/IPS vendors excel.

Of course, these distinctions are disappearing as the market matures, and in the latest round of IPS testing in our labs we noted a much improved success rate in terms of which products passed our stringent tests to achieve NSS Approved awards.

Using hardware accelerators, for example, can provide a much needed performance boost for the software-based products, whilst sheer experience (along with the creation or boosting of an internal security research team) can usually improve signature coverage and quality in the newer products.

Quality vs. Quantity

Quality is really the watchword here, rather than quantity.
It is possible to throw tens or even hundreds of signatures at a problem when you are not limited by hardware performance, but that does not necessarily mean those signatures are good. A single, well-written signature (or protocol decoder) can often provide much more comprehensive coverage for a range of exploits.

It is important, for example, that signatures are written to detect not only the specific exploits currently in the wild, but the underlying vulnerability of which those exploits take advantage. Thus, the next time a new exploit appears riding on the back of that particular vulnerability, it will be detected and blocked immediately without requiring a signature specific to that piece of exploit code.

Similarly, it should not be possible to evade the IPS detection capability by any common means such as URL obfuscation, TCP segmentation, IP fragmentation, and so on.

The quality of the signatures will also have a bearing on the susceptibility of the device to raising false positive alerts. With IDS devices, false positives are a nuisance, but only that. With IPS devices, installed in-line and in blocking mode, a false positive can have a detrimental effect on the user experience, as legitimate traffic is dropped mistakenly.

This is, therefore, a key area to investigate when planning your own trial deployments. All the lab tests in the world cannot tell you how any IPS product is going to perform when subjected to your traffic on your network.

Test, Test, Test

This is a key point: no matter how much research you do using reports such as the ones we produce, you should never use those reports as the only basis for making your buying decisions. You should always set aside the time and budget and technical resource to perform a full bake-off in-house between all the vendors on your short-list.

This means installing all the devices at key points in your network (they can be installed in-line in detect-only mode to begin with to minimize problems), and all the necessary management software. And don't rely on the single-device Web interface if you know you will eventually need the full-blown enterprise management product.

It will never be possible to vet all of the signatures in a vendor's database, and it is just a waste of effort to try. Independent testing should give you a good idea of the quality and extent of coverage.

It is more important to run your own traffic through the device and monitor the effects. Are you seeing a large number of alerts raised against what you know to be legitimate traffic? This could point to problems with the signature database or could highlight where traffic from custom applications in your own organization genuinely resembles exploit traffic. The latter case is easily handled, but large numbers of false positives from clean traffic indicate a potential problem, especially once the device is placed in blocking mode.

Performance testing is also important. NSS tests push devices to the extreme, but if you can accurately categorize the make-up of traffic on your own network, you may find that you would be happy with a much lower performing device at a much more reasonable cost.

Latency can sometimes be a very subjective issue. A device which we identify as having higher than normal latency for internal deployments may well have no effect whatsoever when installed at the perimeter of your network. Do some simple user-based testing, such as downloading large files both with and without the IPS in-line, and note the difference.

At least part of the evaluation period should also be performed with blocking enabled. It is not unknown for devices which work perfectly well in detect-only mode to fail completely once placed into blocking mode. While this type of testing could be considered "disruptive," it is better to discover such a failing before committing to a major purchasing decision.

You can reduce the risk of nasty surprises and major failures during evaluation by short-listing those devices which have achieved NSS Approved status. You can be sure that we have tested these devices extensively in-line in both detect-only and full blocking mode, with a wide range of exploits and evasion techniques, and under a wide range of network loads and traffic conditions.

A thorough bake-off in your own network, however, will allow you to assess more accurately the effect of these devices when subjected to your own traffic, and is likely to create some unique challenges for the vendors taking part.

Bob Walder is director of The NSS Group security testing labs in the south of France. With over 25 years in the industry, he brings broad experience to the testing environment.

This content was adapted from EarthWeb's CIO Update Web site.
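An added example, not code from Bob Walder or The NSS Group, illustrating the column's signature-quality and evasion points in Python: an exploit-specific pattern is compared with a rule written for the underlying vulnerability, and the detector reassembles TCP segments and percent-decodes the URL before matching, so that URL obfuscation and TCP segmentation do not hide the same request. The vulnerable script (a hypothetical `view.cgi` that mishandles a `file` parameter longer than 255 bytes), its path, the limit and every request are constructed for this illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical vulnerable script and limit, constructed for this example: view.cgi
# cannot handle a "file" parameter longer than 255 bytes.
VULNERABLE_PATH = "/cgi-bin/view.cgi"
MAX_SAFE_FILE_PARAM = 255

# Exploit-specific signature: the literal request target of one published proof of concept.
EXPLOIT_SIGNATURE = b"/cgi-bin/view.cgi?file=" + b"A" * 300


def reassemble(segments):
    """Order TCP segments by sequence number and join them into one byte stream."""
    return b"".join(data for _, data in sorted(segments))


def per_segment_signature_match(segments):
    """A detector that matches each segment on its own, without stream reassembly."""
    return any(EXPLOIT_SIGNATURE in data for _, data in segments)


def exploit_signature_match(stream):
    """The same literal signature applied to the reassembled stream."""
    return EXPLOIT_SIGNATURE in stream


def request_target(stream):
    """Return the request target from the first HTTP request line, or None if absent."""
    parts = stream.split(b"\r\n", 1)[0].split(b" ")
    return parts[1].decode("latin-1") if len(parts) >= 2 else None


def vulnerability_rule_match(stream):
    """Rule written for the vulnerability: decode the path and parameters first, then
    alert on any request that would hand the script an oversized "file" value."""
    target = request_target(stream)
    if target is None:
        return False
    url = urlsplit(target)
    if unquote(url.path) != VULNERABLE_PATH:  # percent-decode before comparing
        return False
    values = parse_qs(url.query, keep_blank_values=True).get("file", [])  # decodes %XX
    return any(len(v) > MAX_SAFE_FILE_PARAM for v in values)


# Constructed traffic: each case is a list of (sequence number, payload) TCP segments.
CASES = {
    "published exploit": [
        (0, b"GET " + EXPLOIT_SIGNATURE + b" HTTP/1.1\r\nHost: example\r\n\r\n")],
    "new exploit, same bug": [
        (0, b"GET /cgi-bin/view.cgi?file=" + b"B" * 600 + b" HTTP/1.1\r\n\r\n")],
    "url-encoded variant": [
        (0, b"GET /cgi%2Dbin/view.cgi?file=" + b"%41" * 300 + b" HTTP/1.1\r\n\r\n")],
    "segmented request": [
        (0, b"GET /cgi-bin/view.c"),
        (19, b"gi?file=" + b"A" * 300 + b" HTTP/1.1\r\n\r\n")],
    "legitimate request": [
        (0, b"GET /cgi-bin/view.cgi?file=report.txt HTTP/1.1\r\n\r\n")],
}


def evaluate(cases):
    """For each case return (per-segment signature, reassembled signature, vulnerability rule)."""
    results = {}
    for name, segments in cases.items():
        stream = reassemble(segments)
        results[name] = (per_segment_signature_match(segments),
                         exploit_signature_match(stream),
                         vulnerability_rule_match(stream))
    return results


if __name__ == "__main__":
    print("%-24s %-12s %-12s %s" % ("case", "seg-sig", "stream-sig", "vuln-rule"))
    for name, hits in evaluate(CASES).items():
        print("%-24s %-12s %-12s %s" % ((name,) + hits))
```

Only the vulnerability-based rule catches the new exploit and the encoded variant, only reassembly lets either rule see the segmented request, and none of them alert on the legitimate request.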


Managed Intrusion Detection and Prevention Services

Lisa Phifer

ISP-Planet's biennial survey of MSSPs finds that intrusion prevention and detection services are augmented by new devices to deliver unified threat management in several different forms.

As network security improves, attackers have sharpened their focus. Today's internet threats have grown increasingly targeted, using malicious code and crafted application messages to compromise specific server and client vulnerabilities. During the first six months of 2006, Symantec estimates that 80 percent of 2,249 new-found vulnerabilities were easily exploitable, with an average enterprise exposure of 28 days before patches were available and applied. Aggressive, rigorous patch management can help, but one of the most effective and efficient steps you can take to defend those vulnerable hosts is to prevent intrusions from reaching them in the first place.

Network Intrusion Detection Systems (IDS) are designed to observe and analyze traffic, spot potential attacks, and notify network operators by sending intrusion alerts. Network Intrusion Prevention Systems (IPS) go a step further, taking steps in real-time to impede the flow of suspicious traffic and therefore limit potential asset damage or data theft. IDS is generally deployed as a passive countermeasure—an insurance policy against intruders that might otherwise sneak past firewalls. IPS is (at least to some degree) proactive and automated, jumping in whenever perceived risk exceeds a predefined tolerance level.

A managed IDS / IPS service starts with the installation and provisioning of in-line or out-of-band traffic sensors and an intrusion analysis engine, accompanied by ongoing policy refinement, intrusion signature and software updates, and 24/7/365 monitoring by the MSSP's SOC.
Included response can range from customer notification to provider implementation of recommended countermeasures.

All but one participant in this year's Managed Security Service Provider (MSSP) survey offer this type of service, as detailed by the accompanying chart. The exception is Globix, which declined to include IDS in its survey response but describes a managed IDS service on its Website. In fact, we believe that IDS / IPS has become a core managed security service offering. As shown in the following chart, IDS / IPS offerings have grown from fewer than half the MSSPs surveyed in 1999 to effectively all of the MSSPs surveyed this year.

This trend tracks the evolution of network security threats, technologies, and best practices. Many firewalls and unified threat management appliances now incorporate some IDS / IPS capabilities. Today's network firewalls are simply expected to detect basic TCP/IP attacks, like TCP SYN floods and Ping of Death attacks. Deeper, broader application-layer intrusion detection and prevention often involves additional software modules, licensed feature activation, and in some cases, additional hardware sensors.

The line between managed firewall and managed IDS / IPS services reflects this layering. Two of our surveyed managed firewall services included IDS / IPS features, while ten offered these capabilities as options. Furthermore, all 15 providers described separately branded managed IDS / IPS services. Three MSSPs (AT&T, IBM ISS, and Verizon) even offer more than one IDS / IPS service.

For example, AT&T offers three separate services: a network-based IDS, a CPE-based IDS, and a CPE-based IPS. As illustrated in the pie chart below, this year's field was evenly split between IDS and IPS offerings. Seven services provide intrusion detection, monitoring, and customer notification; incident response, if any, is manual. Another seven provide automated intrusion analysis and policy-based response for well-defined threats—customers are notified of intrusions and stop-loss actions taken on their behalf. The remainder encompass both models within a single named service, letting service parameters determine the desired response model.

In fact, we continue to find it difficult to compare intrusion monitoring and response in a tabular survey. This year, we tried asking providers to check one of four alternatives:

- Customer monitors own intrusion alerts.
- Provider passively monitors intrusion alerts and notifies customer.
- Provider analyzes and manually responds to alerts.
- Service responds automatically to intrusions.

Most checked several answers, noting that this depends on customer preference, incident severity, and identification reliability. If an event is clearly identified and poses significant risk, automated analysis and real-time countermeasures may be warranted.
Potential intrusions that are less clear-cut may deserve human review by SOC experts and consultation with the customer regarding steps to block the offender or eliminate vulnerabilities. Fortunately, even an IPS can usually start in detect-only mode, refining prevention rules as you become more comfortable with the service's accuracy. In short, don't expect easy answers or simple comparison when it comes to intrusion response. Make sure your MSSP has the experience, infrastructure, and resources to accurately recognize and keep pace with new threats, a well-defined process for communicating them to you, and a response strategy that fits with your own corporate policy.

To identify intrusions, every IDS / IPS service must capture traffic. This year, 13 of 18 surveyed services use passive/out-of-band platforms, which are typically situated at key points throughout your network. Of those, 5 support distributed sensors and 4 support Wi-Fi sensors. These options are used to create additional observation points that can report back to a central server. Alternatively, 14 services use active/in-line platforms that observe the traffic flowing through them. Not surprisingly, many providers support both passive and active deployment models, reflecting this year's mix of detection/prevention services.

IDS/IPS platforms have grown more diverse since our last survey, dominated by IBM ISS and Cisco, followed by a noteworthy mix of Juniper, TippingPoint, McAfee, Snort, and Sourcefire. The capabilities of these platforms have a direct impact on traffic inspection, detection, and response methods. For intrusion detection, most surveyed services still employ some combination of behavior analysis, signature detection, and traffic anomaly detection. But application layer header and content inspection are now supported by just over half of the surveyed services. As for response methods, in-line packet discard, IP quarantine, and TCP reset are still very common, whether initiated manually or automatically. But this year, five services also had Wi-Fi Deauthenticate capability, supported by Wireless IPS platforms from Cisco, AirDefense, and AirMagnet.

In the end, a managed IDS / IPS service comes down to effective risk management. Many businesses that deploy their own IDS sensors or IPS-capable UTM appliances do not use those technologies to their full potential. Without proper tuning, an IDS can overwhelm you with inconsequential alerts—or overlook serious intrusions because an annoyed administrator disabled those alerts.

Outsourcing this burden to well-trained MSSP staff should reduce false positives and focus your attention on alerts that matter. Because they monitor intrusion alerts occurring in many customer networks, your MSSP's SOC should have the broad perspective needed to quickly recognize fast-breaking "zero day" attacks. When intrusions do occur, your MSSP should have the sophisticated event management and correlation tools required to assess impact and recommend effective countermeasures. For each of these tasks, experience and competence really count, so look beyond feature checklists to choose the best managed IDS / IPS service for your business.

This content was adapted from internet.com's ISP-Planet Web site.

Intrusion Detection and Prevention—More Essential Than a Firewall

By Manish Parks

As attacks become more sophisticated, you need better tools to protect your enterprise from threats—both existing and planned. Where firewalls were the de rigueur solution in the 90s, today you need an Intrusion Detection and Prevention system to make sure your corporate IT assets—and data—remain secure.

While corporate assets relocated from brick and mortar to bits and bytes, so too has enterprise security, from cameras and security guards to intrusion detection and intrusion prevention systems. While Intrusion Detection and Prevention (IDP) is now staunchly embedded in the enterprise security toolkit, it still must adapt to provide more layers of asset protection against the ever-evolving landscape of threats, from hackers, spyware and Trojans to rootkits and keyloggers. IDS/IDP systems continually assess traffic connections, evaluating the source of the communication along with the type of traffic to determine whether it should even be permitted into your network environment. In the best cases, they have the power to stop an attack before it ever reaches an internal system or user.

User preferences for distributed mobile computing environments combined with the growing complexity of corporate networks (intranets, extranets, remote and Internet access) provide a would-be attacker a fairly large, target-rich threat surface. In today's enterprise environment a vast majority of corporate intellectual property, sensitive customer information and valua
