Intrusion Prevention Systems (IPS)


8/2/2019 Intrusion Prevention Systems (IPS)

1/18

WHITE PAPER

Intrusion Prevention Systems (IPS), part one:

Deciphering the inline Intrusion Prevention hype, and working toward a real-world, proactive security solution

Secure Computing Corporation

Corporate Headquarters: 4810 Harwood Road, San Jose, CA 95124 USA; tel +1.800.379.4944; tel +1.408.979.6100; fax +1.408.979.6501; www.securecomputing.com

European Headquarters: East Wing, Piper House, Hatch Lane, Windsor SL4 3QP UK; tel +44.1753.410900; fax +44.1753.410901

Asia/Pac Headquarters: 801 Yue Xiu Bldg., Nos. 160-174 Lockhart Rd., Wanchai, Hong Kong; tel +852.2520.2422; fax +852.2587.1333

Japan Headquarters: Level 15 JT Bldg., 2-2-1 Toranomon, Minato-ku, Tokyo 105-0001, Japan; tel +81.3.5114.8224; fax +81.3.5114.8226

2003 Secure Computing Corporation. All Rights Reserved. 08/20/03 and SCC082003. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SecureOS, and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Firewall, Sidewinder G2, G2 Enterprise Manager, Application Defenses, PremierAccess, MobilePass, Power-It-On!, enterprise strong, On-Box, Plug into a positive Web experience, and Protecting the world's most important networks are trademarks of Secure Computing Corporation.


Abstract

Protecting networked applications from attackers that threaten application availability, database integrity, data-presentation integrity, and data privacy is at the forefront of IT security professionals' minds today. The term Intrusion Prevention has recently moved to the top of the buzz-factor charts in the security world, hence most security and IT professionals are becoming interested in learning more about it as quickly as possible. To begin understanding what the buzz about Intrusion Prevention is really all about, we need to begin by agreeing that the term itself can mean different things depending upon who is doing the talking. Remember SSO, PKI, and IDS? Today's high buzz-factor three-letter acronym, IPS (Intrusion Prevention System), joins a long line of next-generation security technologies that promised to lead us to a higher level of security nirvana and peace of mind, so be advised.

Because of the confusion around the term Intrusion Prevention, it is important to organize and accurately describe the role and capabilities desired in order to understand what problems an Intrusion Prevention product might solve. This roughly breaks down to where in the network intrusions are prevented and how.

There are basically two types of Intrusion Prevention being discussed in the marketplace today: host-based and inline (network-based). This paper deals exclusively with the notion of inline security. The paper also discusses the nature of known and unknown threats and how dealing with both is the ultimate goal for IT security. Dealing with known application-specific threats is the focus of Intrusion Prevention, and preventing both known and unknown threats is the focus of Application Defenses, a term we also discuss in this paper.

The goal of this paper is to offer insightful views of new terminology in the context of evolving application-level threats and the long list of both legacy and new security products that are re-shaping quickly around the terminology. The paper provides common-sense clarity and is written for busy security and IT professionals who need to quickly find their way through the latest hype to determine what, if anything, to do about it. It concludes with five simple ways to evaluate new emerging vendors and their proposed security solutions for any type of organization.


TABLE OF CONTENTS

Summary of key points ... 4
Intrusion Prevention Systems ... 4
So, what then should organizations do to qualify their needs for Application Defenses and Intrusion Prevention? ... 4
Introduction ... 5
Intrusion Prevention: revolution or evolution? ... 5
IT security is evolution by definition ... 5
The obvious need behind the Intrusion Prevention hype ... 5
IT security ultimately needs to provide protection against known and unknown threats ... 6
Characteristics of new application-level attacks that are driving security technology innovation ... 7
What is an Intrusion Prevention System? ... 7
Intrusion Prevention Systems (IPS) defined ... 7
What do the analysts say about IPS? ... 8
Intrusion Prevention signals evolution from a reactive to a proactive security model ... 8
What's out there now and what can it do for me, or not? ... 9
Products currently available trying to provide parts of Intrusion Prevention ... 9
The security market is segmented ... 9
Developing an Intrusion Prevention System is not an easy task ... 10
The IPS buzz word is closely associated with new emerging companies and products ... 10
What about IDS (Intrusion Detection Systems)? ... 11
Emphasis on performance ... 12
Trade-offs with ASICs ... 12
Application Defenses defined ... 13
What are Application Defenses? ... 13
Why firewalls with Application Defenses are the home for IPS ... 14
The state of IPS technology ... 14
Long-term goals ... 15
Challenges to reaching these goals ... 15
A pragmatic view of the future ... 15
Evaluating options ... 16
Security matters ... 16
Current investments matter ... 16
Track record matters ... 16
Relationships matter ... 16
Your needs matter ... 17
Glossary of terms ... 17
References ... 17


Summary of key points

Intrusion Prevention Systems

The world of IT security is continuously evolving. Deciphering new buzzwords like Intrusion Prevention in the context of that continuous evolution can be helpful in evaluating your existing enterprise security strategies.

The multi-layered, defense-in-depth approach to IT security continues to be validated as the industry evolves.

It does not appear that this next evolutionary cycle is moving away from a layered defense-in-depth approach. It appears, instead, to be more about how existing defense technologies are organized into new or modified products and services.

Intrusion Prevention evolves from a number of existing security technologies; it is not a revolutionary new approach to network security.

Intrusion Prevention, like anti-virus and IDS (Intrusion Detection Systems), targets known attacks for prevention. New attacks are quickly analyzed by an IPS service provider. After the attack's signature has been identified, it is added to an IPS look-up database.

Conventional practices recommend that IT security teams keep systems current and patched to the latest levels, yet in reality this is an unachievable goal. So the traditional thinking on how to maintain a high state of security for networked applications is being questioned and re-aligned.

This shift in focus from simple stateful-inspection access control firewalls to deep-packet-inspection, intrusion-preventing firewalls signifies an accelerated transition from a reactive to a proactive security posture.

There are a number of emerging new security companies (all pre-IPO) focusing their message on Intrusion Prevention, but only for one protocol: HTTP. The traditional multi-protocol security firewall companies are adjusting their marketing/positioning as a result, and some of them claim to be building new technology.

There will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention area of the IT security marketplace.

Enterprises are well served to examine carefully what specific needs they have in the context of changing requirements.

The only successful inline networking components that have proven to prevent attacks are firewalls and anti-virus gateways. The firewall is the natural platform for Intrusion Prevention because it is the only gateway architecture that incorporates time-proven multi-protocol Application Defenses, including anti-virus scanning, in an integrated policy-based approach.

Intrusion Prevention might be the flavor of the week, but products that continually prove their ability to provide comprehensive Application Defenses are the most suitable for inclusion in your IT security strategy.

So, what then should organizations do to qualify their needs for Application Defenses and Intrusion Prevention?

Talk to the security vendors you trust and with whom you have a strong relationship, and discuss their thinking about and their roadmap for Application Defenses. Have them help you distinguish between the hype and the reality.

Understand technically how their product might protect your network against new emerging threats in a practical context. For example, ask: "How could your offering potentially stop the Code Red, Nimda, or SQL Slammer of tomorrow?"

Move cautiously before putting an unproven system into production. Experiment with new entrant products in a lab or in front of non-mission-critical networked applications.


Introduction

Intrusion Prevention: revolution or evolution?

The security term Intrusion Prevention, which has recently shown up in the lexicon of the security industry, is certainly more than a magic marketing incarnation. However, it is definitely not describing a revolutionary new security technology. To describe Intrusion Prevention as revolutionary, one would have to have a limited view of the security products market. Intrusion Prevention, as understood in this paper, encompasses aspects of many well-known, existing security technologies including anti-virus, intrusion detection, firewall, and employee Internet access filtering (to name just a few of the most obvious examples). Therefore, as much as some marketing professionals will try to make you believe that Intrusion Prevention is the next great leap forward, revolutions rarely occur in the security world. Rather, evolution is clearly the more dominant method of change. And even when new security technologies do occasionally demonstrate seemingly solid evidence of being revolutionary, which does happen of course, the technologies rarely succeed in the real world. Such is the world of IT security. This recent morphing of various security concepts, technologies, and terms into Intrusion Prevention is worth paying attention to, but don't look for the world to change too much in the immediate future as a result.

IT security is evolution by definition

A classic truism in the security business, be it building vaults for banks, fences for nuclear power plants, or software for computer systems, is that you cannot avoid the ever-escalating threat-countermeasure cycle of protection. For example, you build a vault to store your money in that seems impossible to break into. Of course, it is not. Someone eventually finds a vulnerability that the designers never thought of, and a new security threat to bank-vault design emerges. In response, the bank vault manufacturing industry makes the doors thicker, or the locks more complicated, or modifies the design in whatever way seems prudent to minimize the vault's vulnerability to this newest known threat. The changes in the vault's design are made as quickly as possible and represent what are called countermeasures. This classic security cycle is termed the threat-countermeasure cycle. Secure Computing often refers to this as the react-and-patch cycle, and users of Microsoft software in particular are well aware of this attack-du-jour, never-ending process. All of today's IT security products more or less develop in this evolutionary way, and our highly competitive security product markets evolve this way as well.

The obvious need behind the Intrusion Prevention hype

The buzz around the term Intrusion Prevention is being driven by the marketing efforts of some new emerging pre-IPO companies, some startling coverage that the topic is getting from analysts such as Gartner, and of course, the press. New Web firewall products are beginning to be evaluated and the discussion is heating up. A high percentage of traffic today is being driven through Port 80, the Web port, and most commodity firewalls lack the ability to apply application-layer policy enforcement on that big volume of traffic. For now, Port 80 has become the symbol of a critical deficiency in simple stateful inspection firewalls because of the success of recent high-profile attacks, Code Red among them, and the acceleration of Web Services B2B deployments that tunnel SOAP objects through Port 80.

Chief Information Officers and Chief Information Security Officers are presently analyzing whether or not they need to put in place additional countermeasures for a whole new class of impending application-specific threats, in light of the reality that they have deployed screening firewalls, anti-virus software, and intrusion detection systems on their networks but still feel vulnerable. In the face of this rising threat, risk has to be more thoroughly evaluated and mitigation plans better thought out for further augmenting current systems. The demand for more open access, consumer concerns, and increased regulations are all on the rise. Hence, security professionals are looking to add the required security to support business-unit demands:


Business-line managers are pushing for more open access to corporate applications in efforts to achieve higher productivity.

Extranet access points via IPsec and the so-called client-less VPNs are being hooked into network perimeters to extend services to an increasingly mobile and distributed work force.

The consumer is experiencing hacker-induced denials of service to online storefronts, causing frustration and lack of confidence in doing transactions on the Internet. Credit card numbers and other private data are also being stolen.

Widespread public privacy concerns have spurred new regulations in the healthcare and the legal communities, including HIPAA (Health Information Portability and Accountability Act), Gramm-Leach-Bliley (GLB), and Sarbanes-Oxley, to name a few examples. Lawmakers are requiring more accountability from those who are required to provide information security and privacy.

As a result of the demand to protect our systems, companies and government agencies are highly motivated to address the issue. Established security vendors in the firewall and IDS segments are examining their products and rethinking their messaging. Companies that build Web farm High Availability (HA) load-balancing systems are even being encouraged by some market forces to see what they might have to offer to address new threats to networked applications. New companies are also emerging (pre-IPO) with products intended to provide quick, singular fixes. The intentions are generally good and progress is being made, but an overriding solution is not yet here. This paper discusses the progress and the limitations of what is available today, as well as what is needed for a true, all-encompassing solution in the future and what is needed to get us there.

IT security ultimately needs to provide protection against known and unknown threats

As new threats evolve, security professionals must face challenges on several fronts:

1. Provide protection against known application-specific threats slipping through commodity firewalls that can't see application-specific attacks (Intrusion Prevention). Anti-virus gateways supported by virus signature databases and update services provide some protection today, but more is needed.

2. Provide more granular filtering protections for all protocols, not just HTTP (multi-protocol Intrusion Prevention). Some of these types of threats are currently being addressed by hybrid application-proxy firewalls.

3. Solve the high incidence of false positives and false negatives associated with the IDS solutions of today. Leading IDS vendors are working aggressively to address current shortfalls.

4. Provide application-specific filtering, blocking, and validating techniques with granular content controls for the purpose of eliminating as many known and unknown attacks as possible. The purpose is to reduce the risk of unknown threats becoming the next known Code Red in the news (Application Defenses). Hybrid firewalls, capable of layer 3 to layer 7 security mechanisms, will provide the most likely foundation for progress here.

5. Scale for high-bandwidth requirements. Progress here will include performance improvements in off-the-shelf hardware, programmable network interface cards, ASIC-based (application-specific integrated circuit-based) gateways, and better management tools for high-capacity clustered gateway solutions.

These objectives pose a tall order and the industry is part of the way there. Some systems are in place now to address portions of items 1, 2, and 3, and certain models in existence today provide the framework for addressing items 4 and 5. Making progress in all of these areas will be an evolutionary process, and our intent in this paper is to provide insight into what is available today (pros and cons), and how the evolution to the next level is likely to develop in the future.


Characteristics of new application-level attacks that are driving security technology innovation

Security systems are being pushed forward because e-business initiatives are stretched beyond their natural capabilities. This stretching has left systems and applications open to hackers discovering and then exploiting newly discovered weaknesses within the applications' client-server communications processes. Hackers have proven that it is not that hard to find a plethora of vulnerabilities to exploit in both new and older versions of applications, which exist because automated programming tools and insufficient software testing methods do not consider, for example, user inputs to Web applications to be points of vulnerability. Building into applications the capability to natively protect themselves from attack during normal use is not a strong enough objective of application designers. And because the attacks occur during normal use of the application, these application-specific attacks do not necessarily violate RFC standards, or even the protocols themselves. As a result, the attacks are often invisible to security filters in many systems and are therefore able to hide in the normal-looking stream of traffic. This new evolution in attacks is clever, application-specific, and very hard to notice as an anomaly in what appears to be completely normal traffic going by.

What is an Intrusion Prevention System?

Intrusion Prevention Systems (IPS) defined

Two types of Intrusion Prevention are being discussed in the marketplace today: host-based and inline (network-based). Host-based systems would be Intrusion Prevention software written to be hooked directly into applications or installed directly on application servers that host the applications. This paper deals exclusively with the notion of inline security. Inline security would be similar in architecture to a dual-homed firewall or an anti-virus gateway that sits upstream from protected applications and applies Intrusion Prevention services for multiple applications downstream of the IPS. As such, we define IPS as follows:

An inline Intrusion Prevention System is any hardware or software device that has the ability to both detect and prevent known attacks. Oftentimes heuristic, anomaly checking, or signature-based filtering is used.

Even more simply put, Intrusion Prevention is specifically targeted at finding (detecting) and then stopping (preventing) publicly known yet stealthy application-specific attacks. The term Intrusion Prevention System itself is used to combine (or unify) both the concept of a detection system and the concept of a prevention system under one construct. It is important to note the definition only addresses known attacks.

What do the analysts say about IPS?

Gartner recently remarked on Intrusion Prevention products, saying "few products provide the features that Gartner believes are necessary for true Intrusion Prevention."[1] We would say that is true, but we would go further by saying that no products provide the features that Gartner believes are necessary for true Intrusion Prevention across multiple protocols and applications. Gartner describes Intrusion Prevention in part like this:

"Intrusion Prevention must block malicious actions using multiple algorithms. Intrusion prevention systems must provide blocking capabilities that include signature-based blocking of known attacks. However, intrusion prevention systems must also move beyond simple signature-based approaches, such as those used by antivirus and intrusion detection systems, to at least support policy, behavior and anomaly-based detection algorithms. These algorithms must operate at the application level in addition to standard, network-level firewall processing. It must also have the wisdom to know the difference (between attack events and normal events)." 4 June 2003, CIO Update
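To make the two layers in the definition and the Gartner quote concrete, here is an added Python sketch of an inline HTTP request filter; it is illustration written for this page, not code from Secure Computing or from any product the paper names. Layer one is a signature look-up that blocks known attack patterns (the IPS of the definition); layer two is a positive application-level policy that rejects protocol-valid requests the protected application never expects, which is how an attack with no signature yet can still be stopped. The signature patterns, the policy, the host name shop.example and the sample requests are all constructed for the example.

```python
"""Inline HTTP request filter with two layers: known-attack signatures and
positive application policy. Everything here is constructed for illustration."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Layer 1: signature look-up database. Constructed placeholder patterns only;
# a real IPS would receive these from its signature update service.
SIGNATURES = {
    "SIG-0001 oversized .ida request (placeholder)": re.compile(r"\.ida\?[A-Za-z]{200,}"),
    "SIG-0002 directory traversal in path (placeholder)": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}


@dataclass
class AppPolicy:
    """Layer 2: what one protected Web application legitimately accepts (constructed)."""
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    max_uri_len: int = 1024
    allowed_paths: tuple = ("/", "/index.html", "/catalog")
    # parameter name -> (pattern the whole value must match, maximum length)
    params: dict = field(default_factory=lambda: {
        "id": (re.compile(r"[0-9]{1,10}"), 10),
        "lang": (re.compile(r"[a-z]{2}"), 2),
    })


def parse_request_line(request: str):
    """Split the first line of an HTTP request into (method, target, version)."""
    parts = request.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def signature_check(request: str):
    """IPS layer: name of the first matching known-attack signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def policy_check(request: str, policy: AppPolicy):
    """Application Defenses layer: list of policy violations (empty means conforming).
    Nothing here needs a signature; it only checks what the application expects."""
    try:
        method, target, version = parse_request_line(request)
    except ValueError as exc:
        return [str(exc)]
    violations = []
    if method not in policy.allowed_methods:
        violations.append(f"method {method} not allowed")
    if len(target) > policy.max_uri_len:
        violations.append("request-target exceeds maximum length")
    if not version.startswith("HTTP/1."):
        violations.append(f"unsupported version {version}")
    url = urlsplit(target)
    if url.path not in policy.allowed_paths:
        violations.append(f"path {url.path} not in allow list")
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        rule = policy.params.get(name)
        if rule is None:
            violations.append(f"unknown parameter {name}")
            continue
        pattern, max_len = rule
        if len(value) > max_len or not pattern.fullmatch(value):
            violations.append(f"parameter {name} fails validation")
    return violations


def inline_decision(request: str, policy: AppPolicy = AppPolicy()):
    """Combined inline verdict: ('block', reason) or ('allow', None).
    Signatures run first (cheap, known attacks), then positive policy."""
    sig = signature_check(request)
    if sig:
        return "block", "signature: " + sig
    problems = policy_check(request, policy)
    if problems:
        return "block", "policy: " + "; ".join(problems)
    return "allow", None


# Constructed sample traffic: one normal request, one matching a signature,
# and one protocol-valid request with no signature that still violates policy.
NORMAL = "GET /catalog?id=42&lang=en HTTP/1.1\r\nHost: shop.example\r\n\r\n"
KNOWN = "GET /default.ida?" + "N" * 240 + " HTTP/1.0\r\n\r\n"
UNKNOWN = "GET /catalog?id=42abc&debug=true HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("known", KNOWN), ("unknown", UNKNOWN)):
        print(label, inline_decision(req))
```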


Over the past number of years, the industry's insider-threat solution focused on Intrusion Detection (IDS), but efforts there have proved to be disappointing to some degree (more on this later in the paper). The outsider-threat solution has focused on firewalls, but efforts there by the commodity firewall manufacturers, obsessed with performance over security as their key differentiator, have proved to be disappointing as well. Carnegie Mellon University's CERT Coordination Center has had this to say about stateful inspection technology:

"The principal motivation for stateful inspection is a compromise between performance and security." Source: Security Requirements, Design the Firewall System, CERT Coordination Center, Carnegie Mellon University

Intrusion Prevention signals evolution from a reactive to a proactive security model

Focusing our thinking and energies around Intrusion Prevention makes sense, then, as the industry tries to combat future threats like Code Red, NIMDA, and SQL Slammer. These high-profile attacks continue to bring much-needed attention to a class of rapidly spreadable, application-specific, data-driven attacks. In particular, they have gotten the attention of IT professionals who are now seeking information such as this paper provides, and they have stimulated the security products manufacturers into developing a new set of countermeasures and products which claim to deliver Intrusion Prevention. These measures are discussed further in the following sections.

Interest in Intrusion Prevention is a hopeful, reinforcing indicator that the positive transition from a reactive security posture to a more proactive security posture is accelerating. Consider the react-and-patch cycle we talked about previously. That is not a manageable solution to the problem. Security gurus have always recommended that organizations maintain a high state of readiness in the face of attack and that the way to do that is to keep your systems updated to the current software patch levels at all times. On the face of it this sounds very reasonable, but organizations are realizing that maintaining 100% patch-current status for all systems and all applications that run 24x7x365 is an unachievable goal. Executives who are increasingly being asked by regulators to account for everything from accounting practices to disaster recovery plans want to find better ways to manage risk that are more automated, centrally manageable, and preventative.

So the Intrusion Prevention paradigm reinforces the need for a shift to a more proactive approach to identifying and mitigating risks to organizations' networked applications. Even if the technology is not mature today, energies focused around the topic promise to improve our electronic security posture in much the same way as the recent energy focused around global terrorism is making communities and individuals safer because we are doing things proactively to get ahead of the threat.

What's out there now and what can it do for me, or not?

Products currently available trying to provide parts of Intrusion Prevention

As we've said, many are questioning whether Intrusion Prevention is a product and if it is ready for prime time. All security products are designed to help prevent some aspect of an intrusion attempt. The term Intrusion Prevention can be considered a broad concept that unifies a number of the features found in traditional anti-virus, firewall, and intrusion detection products. The need for a proactive defense, to thwart targeted and opportunistic attacks on the enterprise and its applications, has not changed. But as we've indicated, no single product can currently provide this level of defense.

So, then, what is available and what are the benefits and drawbacks? We will address this question in the sections below.


The security solutions market is segmented

Competitive forces in the security marketplace and highly specialized and difficult technology challenges have created a security-products market today that consists of segments of tools grouped around different (but associated) fundamental security problems. The true multi-layered defense-in-depth security solution today consists of deploying most or all of them on your network. For example:

User authentication products from companies such as Secure Computing and RSA that provide strong (one-time-use) passcode-generating tokens, smart cards, biometrics, and more.

Anti-virus products from companies like Symantec and Network Associates that focus on addressing the threat from viruses and malicious code.

Firewall products from companies like Secure Computing and Check Point that provide access control between networks based on the notion of "deny that which is not explicitly allowed."

Intrusion detection solutions from companies like Cisco and ISS (the newest to the scene) that monitor network traffic to detect known attacks based on a database of signatures and/or some levels of traffic anomaly detection.

For various reasons, all of these solutions work well enough together to be considered generally effective against a large number of known threats. As a result of their deployment, the externally visible (exposed) profile of networks is reduced by:

1) making it harder to tell what computers are present

2) making it tougher to probe for vulnerabilities

3) creating a single point of entry and exit for monitoring.[2]

According to the 2003 CSI/FBI Computer Crime and Security Survey, 99% of survey participants used anti-virus products and 98% owned a firewall, while 73% had an active deployment of intrusion detection capabilities.[3]

However, all of these tools lack the integration and capabilities to cover the entire risk profile of publicly exposed business applications for one specific reason: they are unable to defend applications from many new unknown attacks that reveal themselves over time.


Figure 1: Reducing external profile exposure


Developing a true Intrusion Prevention System is not an easy task

For any new so-called Intrusion Prevention technologies or products to be successful in the marketplace, they must cost-effectively and manageably reduce the attack surface of networks relative to new application-level attacks. This is a challenge, because these solutions need to automatically and efficiently stop the things that are presently slipping through the cracks within, or in between, today's segmented security products. And they need to do it across all protocols and applications if possible.

It is a natural evolutionary response in the market for the well-established security product manufacturers to try to cover these cracks within a number of already well-established security approaches, including commodity screening firewalls, application proxy firewalls, network-based anti-virus services, and network- and host-based Intrusion Detection Systems (IDS), to name a few of the most obvious examples. Established security vendors are working, more or less, to better utilize enhanced hardware technology, more granular software inspection techniques, and better deployment and management tools to deal with the rise in application-specific attacks.

It is also a natural evolutionary response that when existing products falter, new products emerge to cover new and evolving threats. These new pure-play Intrusion Prevention products appear to be innovative, but so far they focus almost exclusively on port 80 services. While this is critical, security professionals need to prevent intrusions across many entry points that are directed at many different applications, not just Web servers. So while dropping a so-called Intrusion Prevention gateway into the network in front of e-business Web servers may provide some protection, it remains only a finger in one hole in the security dike.

Some other well-established security gateway vendors are going a bit further yet. Rather than just add simple incremental feature enhancements to their single-purpose products, they are offering combination solutions (i.e., suites) that deliver best-of-breed anti-virus, firewall, and intrusion detection capabilities all in one platform. Outbound Web filtering is also included in some of these products to help organizations control employee access to the Internet, increase employee productivity, and limit legal liability. As discussed earlier, this is the logical evolution of tried-and-true multi-layered defense-in-depth security. Specialty segments appear, like single-port security gateways, and then almost inevitably they merge and blend into other multi-use products.

The IPS buzzword is closely associated with emerging companies and products

There are a number of emerging new security companies (all pre-IPO) focusing their message on Intrusion Prevention, but again, most are only for one protocol: HTTP. Many traditional multi-protocol security gateway companies (firewall, anti-virus, IDS) are adjusting their marketing and positioning as a result, and some of them claim to be building new technology. IDS vendors are claiming to be building firewalls. Load balancing systems companies are being talked about as if they could be Intrusion Prevention Systems some day. There will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention area of the IT security marketplace.

As just mentioned, a small number of new inline gateway products are coming onto the market that claim to mitigate the untenable react-and-patch cycle for Web servers. These emerging new security companies are presently living on venture capital with one or two distinguishing features that may indeed solve some short-lived, known threats to specific applications, but they are almost exclusively Web-centric, which means they have a long way to go to replace the technically mature and heavily deployed enterprise firewall on the network. Moreover, these types of Intrusion Prevention capabilities are not available much at all right now from the well-established, financially viable security companies. But, in response to this new wave of application-specific attacks and the buzz around Intrusion Prevention, these established vendors have begun to transition the way they talk about their products, whether or not their products actually prevent intrusions.

Closely associated with the new Intrusion Prevention features being talked about, there is a growing notion that hardware-accelerated processing of security filtering is an enabler of the promises. We will talk more about this later in the paper, in particular regarding ASICs.



What about IDS (Intrusion Detection Systems)?

Some argue that the true purpose of IDS is monitoring, while others argue that it is required for appropriate inline screening. Certainly, the ability to detect specific attacks or network anomalies is important as a warning system, but also as a component of preventing the attacks. There is increasing pressure on Intrusion Detection companies to re-introduce themselves as purveyors of IPS. The concepts engrained in intrusion detection systems complement firewalls, since they may contain scanning techniques for specific things beyond the explicit policy-based access control enforcement and protocol validation a firewall performs. Yet IDS systems don't have adequate signature or behavioral capabilities to replace a firewall as an access control device. Neither do they deliver Application Defenses, which would provide protection against unknown threats.

For example, at least one firewall vendor has an application filtering option that requires strict RFC 1738 URLs.[4] All other connection attempts are rejected and a "404 Malformed Header" response is generated.[5] This particular application compliance check prevented Code Red from infecting Web servers because it rejected a specific kind of Microsoft IIS URL encoding, one which does not follow the rules for URL-referenced content as defined in the international standard. These types of application-level attack prevention features may or may not also be found in a corresponding IDS signature. In the case of the IIS encoding attack, IDS systems were found not to prevent the attack.[6] Firewall checks are generally static, meaning they look for conformance, and there are attacks that arrive in properly formatted, RFC-compliant messages. This is why the signature and anomaly technology concepts used in intrusion detection systems are important to a proper defense. Yet the challenge of preventing unknown attacks is always going to exist. No heuristic, anomaly, or signature-based system that allows everything in, except that which meets conditions imposed by scanning packets as they go by, will solve 100% of the problem. An IDS/firewall combination is generally more effective, given appropriate implementation, than a firewall by itself. There is an initiative within the security market to blur the lines between the IDS scanning capability and a firewall's application and protocol checking capability. This is part of the latest hype cycle.
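The layering just described, as an added illustration in Python (this is not the firewall vendor's code and is not taken from the referenced admin guide): a URL conformance check that enforces the RFC 1738 escaping rules and therefore rejects the "%u" style of encoding that Code Red relied on, followed by a small signature check that catches a request which is perfectly RFC-compliant but still hostile. The signature table and the sample request lines are constructed for the example; the first sample is modelled on the %u-encoded request Code Red sent, and the "404 Malformed Header" text mirrors the response the text mentions.

```python
import re

# RFC 1738 section 2.2 character classes. Only these may appear unencoded in a
# URL; anything else must be written as "%" followed by exactly two hex digits.
_UNRESERVED = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "$-_.+!*'(),"            # RFC 1738 "safe" and "extra" characters
)
_RESERVED = set(";/?:@=&")
_HEX = set("0123456789abcdefABCDEF")


def url_is_rfc1738(url: str) -> bool:
    """True only if every character of url conforms to RFC 1738 encoding rules."""
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%":
            # "%" must be followed by two hex digits. The IIS "%uXXXX" form that
            # Code Red used fails here because "u" is not a hex digit.
            if i + 2 >= len(url) or url[i + 1] not in _HEX or url[i + 2] not in _HEX:
                return False
            i += 3
            continue
        if ch not in _UNRESERVED and ch not in _RESERVED:
            return False  # raw space, control byte, non-ASCII, "<", etc.
        i += 1
    return True


# Constructed stand-in for an IDS/firewall signature database. These patterns
# exist to catch requests that pass the static conformance check above.
SIGNATURES = {
    "unix-passwd-traversal": re.compile(r"(\.\./)+.*etc/passwd"),
    "cmd-exe-request": re.compile(r"cmd\.exe", re.IGNORECASE),
}


def inspect_request(request_line: str):
    """Static conformance check first, then signatures.

    Returns ("allow", "") or ("reject", reason).
    """
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ("reject", "404 Malformed Header: bad request line")
    _method, url, _version = parts
    if not url_is_rfc1738(url):
        return ("reject", "404 Malformed Header: URL is not RFC 1738 compliant")
    for name, pattern in SIGNATURES.items():
        if pattern.search(url):
            return ("reject", "signature match: " + name)
    return ("allow", "")


# Constructed sample request lines: a Code Red-style %u-encoded request, an
# RFC-compliant but hostile traversal, and a benign request.
SAMPLES = [
    "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "GET /cgi-bin/../../../../etc/passwd HTTP/1.0",
    "GET /index.html?id=42&lang=en HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_request(line), "<-", line)
```

The second sample is the point of the passage: `url_is_rfc1738` accepts it, because nothing in it violates the encoding rules, so only the signature layer stops it. The conformance check, in turn, stops the first sample without anyone having written a signature for it.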


Given the present state of this emerging market, it seems there will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention-labeled space. The security community most recently experienced this evolutionary market cycle with IDS (intrusion detection), the last few years' buzzword. The industry will take time to sort things out, and during that time enterprises are well served to examine carefully what specific needs they have in the context of their own changing requirements and organizational goals.

    Figure 2: IDS monitors attacks but has systemic problems not yet solved.


Gartner's Research Director, Richard Stiennon, recently announced: "Intrusion detection systems are a market failure, and vendors are now hyping Intrusion Prevention systems, which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities."[7] Indeed, intrusion detection vendors are recognizing that the buzzword IDS is no longer the darling of market commentary and trade press activities. Many IDS vendors are re-stating their mission to address Intrusion Prevention. At least one is attempting to build a firewall from scratch.

Many in the IT security community scoffed at the notion of multiple technologies merging (firewall, anti-virus, IDS, etc.). Yet Gartner is correct. The base IDS technology as a blocking and prevention solution has not fundamentally changed. Moreover, many of the types of attacks that are encoded in IDS signatures can be prevented by adding checks to application-level inspection firewalls. This raises the question: is IDS as universal as the firewall in providing a platform for multi-layered defense-in-depth? The answer is clearly no, but that does not mean that the industry is rejecting IDS as a technology. The evolution of security technology moving into real-world, effective use continues just as it always has.

Emphasis on performance

The performance requirement to have hardware-assisted processing is part of the hype surrounding IPS. These technologies are useful in certain high-bandwidth, core network infrastructures, but on balance, companies evaluating vendors with ASIC (application-specific integrated circuit) components should understand that just because a company claims to utilize a special processor does not mean that it will be able to provide the ability to quickly deploy comprehensive and extensible policy enforcement, or Application Defenses for that matter. In fact, the opposite may be true: the solution could be extremely limited.

For example, there is a vendor recognized as one of the leaders in the firewall appliance market who has recently acquired an IDS vendor, yet their firewall appliance feature for protecting against malicious URLs is limited to 16 malicious URL string patterns, each of which can [only] be up to 24 characters long.[8] This example demonstrates that a vendor owning both ASIC technology and intrusion detection technology is not thereby eligible to replace more flexible software solutions for all product usage scenarios, in particular Application Defenses. To reinforce that point further, be aware that this vendor has also had several significant vulnerabilities against their products.[9] The point is that they have other, more serious limitations beyond ASICs that are unfortunately shared by most other commodity firewall competitors as well. These commodity firewall providers have not yet delivered an architecture that will itself not introduce vulnerabilities into the networks where they are trusted to be deployed.

Trade-offs with ASICs

When evaluating vendor claims with regard to ASICs, organizations should realize the trade-offs.

• ASICs are hard-coded. The core logic of an ASIC is generally unable to be updated by software, meaning many of the vendors using them cannot extend the core logic. When additional checking, memory, or other requirements call for a hardware change, users have to purchase a new box.

• ASICs are expensive. Security flaws and/or feature enhancements to hardware can't be fixed without a forklift upgrade.

• ASICs are limited. ASICs are not so useful for certain types of security checking. For example, if a virus scanning engine is being deployed in a gateway to scan file attachments, ASICs don't provide much value, as the packets have to be reassembled and the file attachments run through the scanner via disk or memory, not in ASICs.



Application Defenses defined

What are Application Defenses?

As we've described, Intrusion Prevention Systems by common definition are targeted to stop known (previously discovered) attacks. In order to really evolve the IT security solution set, a shift is needed to also prevent the unknown attacks, which means deploying Application Defenses to prevent intrusions.

The table below references a number of components that solutions should incorporate in order to provide Application Defenses. Simply put, if a system has the capability to assure the same reduced profile of today, prevents intrusions from known attacks, and prevents unknown attacks by filtering, blocking, and validating techniques that knock down whole classes of attacks trying to work their way around current firewall capabilities, then it is an Application Defenses solution. However, if a vendor is merely renaming IDS or other technologies that only defend against known attacks, their incantation of Intrusion Prevention really means "add another security appliance to your network in addition to what you already have." Indeed, if a product does not have the ability to provide Application Defenses, then it is limited by definition to providing Intrusion Prevention of known attacks only.


Defense-in-depth Checklist

Policy definition and enforcement
  • Define network objects for devices and groups of devices
  • Define user roles / access groups
  • Administrator access tightly secured

Basic access control
  • Stateful packet inspection (source, destination, service)
  • User authentication for remote clients
  • Basic network controls for VPN clients (allowed services)
  • Basic network controls for SSL clients (allowed services)
  • Conceal protected networks (NAT and other techniques)

Application Defenses
  • Termination and inspection of HTTP/S communications
  • Deep packet inspection and smart application proxies (protocol validation)
  • Permitted methods for protocols (e.g., HTTP/S and H.323)
  • Outbound URL and content permissions
  • Inbound URL input filtering and controls
  • Content scanning and stripping of dynamic content and scripting
  • Scanning for attacks using a signature database
  • Scanning for viruses and malicious code using a virus definitions database
  • Heuristic, anomaly, or statistical baseline analysis of packet flows
  • Response to suspicious activity in the audit stream
  • Preventing attacks against the appliance operating system itself

Compatibility with infrastructure
  • Load balancing / high availability
  • Interoperability with third-party directory services / authentication tools
  • Interoperability with third-party reporting and monitoring tools

Personnel support
  • Product certification and training
  • Quick answers and third-party validated customer service

Application Defenses are application-specific filtering, compliance validation, and automated response techniques with granular content controls that deliver policy-based enforcement of communications to and from networked systems for the purpose of eliminating as many known and unknown attacks as possible.


Why firewalls with Application Defenses are the home for IPS

Firewalls are often the first line of defense. The goal of a firewall is to knock down things that are generic and opportunistic, not just at the network level. Firewalls have proven very successful at this, particularly when layering stateful inspection and application proxy-based approaches. Today the traditional firewall vendors are recognizing the need for more thorough checking of application-level policies in order to eliminate the threat of attacks that use business applications basically against themselves. This means proxies, although in the past many firewall vendors lacking these capabilities tried to make "proxy" a dirty word. Yet recently, the same vendors are cloaking their own new use of proxies under fancy marketing jargon. Their anti-proxy rhetoric of the past is now coming back to challenge them. If stateful packet inspection firewalls were presently delivering the same level of application-specific checking as the newly emerging IPS solutions claim to, there would not be these new market entrants based on proxy technology being installed on networks behind or around already deployed commodity firewalls. This is not to say that proxies have solved all of the requirements of customers, yet they provide the most proven Application Defenses of today and they offer a solid foundation to build on for the next generation of Application Defenses in the near future.

In the broad market (from consumer user to Fortune 500) people have assumed the words "stateful inspection" to equal "firewall." However, because of the need for tighter protocol validation, traditionally provided by proxies, the concept of Application Defenses with Intrusion Prevention will include both proxy and stateful inspection technology. This is the perfect opportunity for IT security professionals to reacquaint themselves with the additional security capabilities of proxies.

For example, suppose an administrator is running T.120, a broad protocol used to support data conferencing services such as chat and whiteboarding (e.g., Microsoft NetMeeting). A hybrid firewall vendor (one that provides both proxies and stateful packet inspection) has a T.120 proxy that enforces controls on which specific T.120 services are allowed.[10] The organization's security policy may allow whiteboard and chat, but not desktop sharing. In a stateful packet inspection mode of operation this would not be possible. Likewise, traditional IDS can only look for specific signatures or use a statistical baseline to generate alerts. The use of application-layer proxies in this scenario completes the other technologies to provide a robust solution.
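The difference in policy granularity that the T.120 example describes, as an added example in Python (not the hybrid firewall vendor's code; HTTP methods stand in for T.120 services because the page does not document the T.120 proxy's internals): a stateful packet filter that can only decide on the connection 5-tuple, beside an application proxy that terminates the connection, validates the request, and permits only the operations the organization's policy lists. The addresses, the rule set, and the request lines are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """What a stateful packet filter gets to decide on: the connection 5-tuple
    (constructed example; fragments and ICMP are out of scope)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Packet-filter rule set (made up): anyone may reach the DMZ Web server on tcp/80.
PACKET_FILTER_RULES = [("any", "10.0.0.5", 80, "tcp")]

# Proxy policy (made up): per destination port, the application operations the
# organization permits. HTTP methods play the role of the T.120 sub-services
# in the text (whiteboard/chat allowed, desktop sharing denied).
PROXY_POLICY = {80: {"GET", "HEAD", "POST"}}


def packet_filter_decision(flow: Flow) -> str:
    """Stateful-inspection view: allow or deny on addresses and service only."""
    for src, dst, dport, proto in PACKET_FILTER_RULES:
        if (src in ("any", flow.src) and dst == flow.dst
                and dport == flow.dport and proto == flow.proto):
            return "allow"
    return "deny"


def proxy_decision(flow: Flow, request_line: str) -> str:
    """Application-proxy view: the network rule still applies first, but the
    proxy also validates the protocol and enforces which operations inside it
    are permitted, which the packet filter cannot see."""
    if packet_filter_decision(flow) == "deny":
        return "deny"
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny: malformed request"          # protocol validation
    method = parts[0]
    if method not in PROXY_POLICY.get(flow.dport, set()):
        return "deny: method %s not permitted" % method
    return "allow"


def compare(flow: Flow, request_line: str) -> dict:
    """Both decisions side by side for the same connection."""
    return {"packet_filter": packet_filter_decision(flow),
            "proxy": proxy_decision(flow, request_line)}


# Constructed traffic. 203.0.113.0/24 is a documentation address range.
WEB_CLIENT = Flow("203.0.113.7", "10.0.0.5", 80)
CASES = [
    (WEB_CLIENT, "GET /index.html HTTP/1.1"),                 # both allow
    (WEB_CLIENT, "TRACE / HTTP/1.1"),                         # filter allows, proxy denies
    (WEB_CLIENT, "CONNECT mail.example.net:25 HTTP/1.1"),     # tunnelling attempt; proxy denies
    (Flow("203.0.113.7", "10.0.0.5", 23), "GET / HTTP/1.1"),  # telnet port: both deny
]

if __name__ == "__main__":
    for flow, line in CASES:
        print("%-45s %s" % (line, compare(flow, line)))
```

The second and third cases are the ones the passage is about: on the 5-tuple alone they are indistinguishable from the first, so the packet filter allows all three, while the proxy denies the operations the policy never listed.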

There are a few additional product segments attempting to address Intrusion Prevention. For example, some Layer 7 switches have the ability to inspect the URL to direct particular requests to specific servers based on predefined rules.[11] This technology, plus the switch's unique location in the network, has certain advantages that might be used in future for more security-focused offerings. From a user's perspective, though, it is not clear how focused the vendors that make these products are on integrating with other solutions beyond the basics of today, or how they will provide Application Defenses.

The state of IPS technology

The state of IPS technology is immature if you define it as a single-vendor, all-encompassing product that detects, monitors, prevents, updates, and reports on every transmission for inbound and outbound access through a particular network choke point. Recently, enterprises have spent millions of dollars on products to help them secure their networks. Today's newly emerging IPS products are focused almost exclusively on port 80, and so they are not replacing existing systems. They are instead augmenting them. An all-encompassing multi-protocol IPS solution will have to be developed and proven before any such systems would be taken seriously as actual replacements for already deployed systems.



Long-term goals

In the future, an inline security gateway solution should achieve these goals.

• The ability to detect and prevent attacks based on logical or physical use of multiple enforcement technologies. Broadly, this includes the ability to prevent both known and, to some degree, unknown attacks using Application Defenses.

• The ability to interoperate with deployed security infrastructure for the purposes of supporting data collection, electronic evidence, surveillance, and regulatory compliance as needed.

• The ability not to disrupt business operations because of lack of availability, poor performance, false positives, or inability to interoperate with required authentication infrastructures.

• The ability to support IT security professionals in delivering their organization's risk management plan, which includes the cost of implementation, operation, and the work outcomes from the alerts and reporting from the system.

Challenges to reaching these goals

• There are currently no acceptable third-party ROI studies demonstrating the efficiency of IPS as a solution. The market hype surrounding Intrusion Prevention is confusing what the technology can really provide versus what it promises.

• The capabilities required to build a complete Intrusion Prevention system do not all currently reside within the same technology segments (vendors), which will require industry integration and consolidation. The multi-layered approach to IT security continues to be validated as the industry evolves. It does not appear that the migration is away from layered defense-in-depth, just in how it is organized.

• Many of the IPS solutions will require IDS-like human-power requirements for tuning, monitoring, and reporting. There are still logs to parse through (if the administrator is doing his/her job), and there is still the need for 24x7 personnel responsible for the device, unless the systems are powered off nightly (which is highly unlikely).[12]

A pragmatic view of the future

People bound by organizational roles and work culture select security solutions in various ways, but are always restricted by time and budget. Currently, there is no workable one-size-fits-all product that meets broad market needs at a level where it could replace existing firewall, Network Intrusion Detection System (NIDS), Layer 7 switch, and other components that may (or may not) become the inline security gateways of tomorrow. However, if one such product appears, it would need to meet a significant portion of the goals discussed previously in this document, including Application Defenses capability. What's next? Evolution is not something that is generally predictable many steps into the future. Go back to step 1: the threat-countermeasure cycle. Future threats, unknown to us today, will drive the direction of our future solutions. There may be new threats and new system vulnerabilities discovered that affect the Intrusion Prevention security concepts of today in fundamental ways; or maybe there won't be. But the evolution of Intrusion Prevention Systems is most likely to be a gradual merging over time of various security concepts into one true Application Defenses model. Don't be surprised if it ends up being in your tried-and-true hybrid firewall. So, stay tuned for the future.



Evaluating options

Here are five things you should consider when evaluating Intrusion Prevention solutions.

Security matters

• Does the product being proposed as a solution have a history of security vulnerabilities?

• Does it offer 12 things you have already implemented plus 2 that you have not? What is the differentiation, specific to your risk profile?

• Do they have any Application Defenses?

Current investments matter

• What are the impacts of proposed solutions on your operational infrastructure? On people?

• Are you a guinea pig for this tool? E.g., are other organizations with missions similar to yours deploying the product?

• Are you being asked to write off more in deployed tools to get ROI and TCO from the proposed ones?

• How mature is the proposed solution compared to your existing infrastructure?

• What training, operational disruption, or manpower costs are required relative to risk?

Track record matters

• What is the history of the company that purports to defend against intrusions? Have they recently been acquired by a larger firm, or are they being targeted for an acquisition? Either situation could drastically affect you.

• Are members of their management recognized for security expertise?

• Is the vendor that proposes a solution profitable, or at least cash-flow positive?

• Do they have sufficient access to capital to fund their business plan?

• Are they actively trying to reinvent themselves? Is the story consistent?

Relationships matter

• Integration with monitoring, alarming, and reporting.

• Are there third-party relationships for monitoring, reporting, and authentication that support your major enterprise requirements?

• Do they have relationships with the vendors with whom you are already significantly invested?

Your needs matter

• Does the vendor understand requirements for third-party certifications that others in the industry have achieved? E.g., Common Criteria.

• Do they understand the regulations that you must comply with? E.g., Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, or HIPAA.

• Are they trying to sell you a box or a solution?

Enjoy part one, ready to hear more?

Part Two is on our editor's desk now. It will discuss in detail Secure Computing's Application Defenses product strategy for the Sidewinder G2 Firewall.

For more from Secure Computing visit: http://www.securecomputing.com/

We'll e-mail part two straight to your in-box as soon as it is published.

Glossary of terms

Application Defenses
Application Defenses are application-specific filtering, compliance validation, and automated response techniques with granular content controls that deliver policy-based enforcement of communications to and from networked systems for the purpose of eliminating as many known and unknown attacks as possible.

Application-layer firewall
A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application-layer firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.[12]

Application-specific integrated circuit (ASIC)
A customized microchip which is designed for a specific application.[13]

Intrusion Detection System (IDS)
A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID systems can automatically respond to an intrusion.[14]

Intrusion Prevention System (IPS)
An inline Intrusion Prevention System is any hardware or software device that has the ability to both detect and prevent known attacks. Often, heuristic, anomaly-checking, or signature-based filtering is used.

Proxy
A software security agent that intermediates between a client requesting an application connection and the requested application service.

References

1. J. Pescatore, R. Stiennon. "Enterprise Security Moves toward Intrusion Prevention." Gartner CIO Update, 4 June 2003.

2. Fred Cohen. "Next Generation Firewalls." Burton Group Catalyst 2003 Conference, July 10, 2003.

3. Computer Security Institute (CSI). CSI/FBI Computer Crime and Security Survey, 2003, page 5.

4. Berners-Lee, T., et al. "Uniform Resource Locators (URL)." RFC 1738, CERN, December 1994. http://www.w3.org/Addressing/rfc1738.txt

5. Secure Computing Corporation. G2Firewall Admin Guide version 6.0: 7-20.

6. BUGTRAQ ID 3292. Security Focus Vulnerability Database. http://www.securityfocus.com/bid/3292/discussion/

7. Gartner. "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure. Money Slated for Intrusion Detection Should Be Invested in Firewalls." June 11, 2003. http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

8. Netscreen Technologies. Netscreen New Features Guide for ScreenOS 4.0.3: page 6. http://www.netscreen.com/services/support/product/downloads/screen_os/403_new_features.pdf

9. Netscreen. Security Focus Vulnerability Database. http://www.securityfocus.com/bid/vendor/

10. Secure Computing Corporation. G2Firewall Admin Guide version 6.0: 7-31.

11. Desai, Neil. "Intrusion Prevention Systems: the Next Step in the Evolution of IDS." Security Focus. http://securityfocus.com/printable/infocus/1670

12. FirewallsDirect.com. Glossary. http://www.firewallsdirect.com/store/glossary

13. ComputerUser.com Dictionary. http://www.computeruser.com/resources/dictionary/definition.html?lookup=105

14. CMU Software Engineering Institute. State of the Practice of Intrusion Detection Technologies: Appendix A, Glossary. [CMU/SEI-99-TR-028] January 2000. http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028app-a.html
