Table of Contents

Editor's Corner

Featured In This Issue

Technology Sectors

Overcoming Email Insecurity

Anatomy of an IPS

Security Event Management

How Much Is "Networking As Usual" Costing Your Business

Comprehensive, Unified Threat Management

Akibia Training

Akibia News

Akibia's New Security Solutions Map

Akibia Partners

Contact Akibia


Anatomy of an IPS
By Marc Willebeek-LeMair, PhD
Chief Technology Officer - 3Com Corporation


What is an Intrusion Prevention System?
To understand what an IPS is, it is necessary to understand the problem it aims to solve. Today's cyber-threat environment is increasingly severe, compounded by the growing number of vulnerabilities discovered weekly, the emergence of new types of attacks (e.g., spyware), the shrinking time between vulnerability discovery and exploit development, the propagation speed of automated worm attacks and the dissolving network perimeter. IT security teams are overwhelmed, and traditional point solutions like firewalls, anti-virus software, and intrusion detection systems are inadequate protection by themselves. The threat landscape is further exacerbated by the difficulty of applying patches in a timely manner, and by organizations that cannot enforce patch management at all (universities, ISPs, etc.). A new security element is needed that pervades the network and automatically protects organizations from a broad variety of attack types (e.g., worms, viruses, etc.) and from all potential points of attack, inside or out.

Intrusion Prevention Systems (IPS) are the first step in this direction. An IPS is an inline device that blocks attacks before they can reach their target. In a broader sense, an IPS performs total packet inspection, and this depth of analysis and traffic classification lets it provide a range of functions beyond blocking. These are predominantly stand-alone systems that can be placed at key network points for protection. Two requirements follow directly from the design: because it sits inline, an IPS must not become a bottleneck, and because it blocks rather than merely alerts, an IPS must be extremely accurate when classifying traffic, since a false positive drops legitimate traffic.

Networking
First and foremost, an IPS must exhibit the same throughput, reliability, and latency characteristics as other network infrastructure elements (e.g., switches and routers). Network engineers have carefully architected their networks to deliver traffic from one point to another with specific latency and throughput requirements. Today's business dependence on the network requires that it be highly reliable with near-zero downtime. If an IPS adversely impacts these network characteristics, it will never be given an opportunity to demonstrate its security effectiveness. Furthermore, these performance characteristics should not depend on the number of filters turned on or the type of traffic passing through the network.

Many organizations deploy IPSs at the perimeter to augment existing security elements, but most are deploying these systems on internal network segments to protect against attacks from within. When multiple IPSs are deployed internally, they effectively provide "zones of containment" for any attack that may originate from internal sources such as remote office locations, VPNs, or someone plugging in an infected laptop. These internal locations have much more demanding performance and reliability requirements, in the range of multi-gigabit per second throughput and sub-millisecond latencies.

Attack Blocking
Security effectiveness is measured in three dimensions: accuracy, coverage, and timeliness. Of these, accuracy is the most important. Accuracy ensures malicious traffic is blocked and legitimate traffic is not. In a software-based product, performance and accuracy are a zero-sum trade-off: each filter added to the engine costs additional CPU cycles per packet, and throughput goes down. Conversely, in a hardware product that uses massively parallel processing techniques, additional filters do not necessarily impact performance.

Coverage refers to the breadth of attacks or attack vectors that an IPS can protect against. While this is tightly linked to accuracy, it is also dependent on the types of filtering methods that the IPS engine supports. There are four primary filtering methods required:

Signatures - Basic pattern matching technique used for viruses or known exploits. A signature matches one specific byte sequence, so a trivially altered variant of the same exploit can slip past it.

Protocol Anomaly - Normalization technique that enforces compliance to a protocol specification, rejecting traffic that violates the specified syntax or field constraints

Vulnerability - Method used to express application-layer rules that identify malicious traffic attempting to exploit an application or design vulnerability. These filters are the most difficult to develop, but the most proactive and comprehensive, because they describe the vulnerable condition (for example, an oversized field) rather than one exploit's bytes, and so catch every permutation of the attack.

Traffic Anomaly - Method used to detect changes in behavioral traffic patterns that deviate from "normal"

These filtering methods are applied to flows, not only to individual packets: the IPS tracks each connection and inspects the reassembled stream, so an attack split across packet boundaries cannot evade the filter.
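To make the four filter classes and the flow-versus-packet distinction concrete, here is a toy inline inspection engine. This is an added example, not code from the article or from any vendor's IPS engine: the protected service speaks an invented line protocol ("GETNAME <name>\n"), and the buffer size (MAX_NAME_LEN), the new-flow baseline, the signature bytes and the sample packets are all constructed for illustration.

```python
"""Toy inline IPS engine showing the four filter classes applied to a
reassembled flow. Everything here is constructed for illustration: the
protected service speaks a made-up line protocol, 'GETNAME <name>\\n'."""
from collections import Counter
from dataclasses import dataclass

MAX_NAME_LEN = 32           # hypothetical: size of the server's fixed name buffer
NEW_FLOW_BASELINE = 5       # hypothetical: normal new flows per source per window
SIGNATURES = (b"/bin/sh",)  # byte pattern lifted from a (hypothetical) published exploit


@dataclass(frozen=True)
class Packet:
    src: str
    seq: int
    payload: bytes


def reassemble(packets):
    """Order a flow's segments by sequence number and join them, so filters
    see the stream the server will see rather than arbitrary packet slices."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))


def signature_filter(data):
    """Signature: match a fixed byte pattern from a known exploit."""
    return [sig.decode() for sig in SIGNATURES if sig in data]


def protocol_anomaly_filter(stream):
    """Protocol anomaly: enforce the spec. Every non-empty line must start
    with the only defined verb and carry printable ASCII."""
    findings = []
    for line in stream.split(b"\n"):
        if not line:
            continue
        if not line.startswith(b"GETNAME "):
            findings.append("unknown-verb")
        elif any(b < 0x20 or b > 0x7e for b in line):
            findings.append("non-printable")
    return findings


def vulnerability_filter(stream):
    """Vulnerability filter: the server copies <name> into MAX_NAME_LEN bytes,
    so any longer name is an overflow attempt whatever bytes it carries."""
    findings = []
    for line in stream.split(b"\n"):
        if line.startswith(b"GETNAME ") and len(line) - len(b"GETNAME ") > MAX_NAME_LEN:
            findings.append("oversized-name")
    return findings


def traffic_anomaly_filter(new_flows):
    """Traffic anomaly: flag sources opening more new flows than baseline."""
    counts = Counter(src for src, _dst in new_flows)
    return {src: n for src, n in counts.items() if n > NEW_FLOW_BASELINE}


def per_packet_signature_hits(packets):
    """What a packet-at-a-time signature engine would see (for contrast)."""
    return [hit for p in packets for hit in signature_filter(p.payload)]


def inspect_flow(packets):
    """Reassemble, run the per-flow filters, and return (verdict, reasons)."""
    stream = reassemble(packets)
    reasons = [f"signature:{s}" for s in signature_filter(stream)]
    reasons += [f"protocol:{r}" for r in protocol_anomaly_filter(stream)]
    reasons += [f"vuln:{r}" for r in vulnerability_filter(stream)]
    return ("BLOCK" if reasons else "PASS"), reasons


# --- constructed sample traffic -------------------------------------------
LEGIT = [Packet("10.0.0.5", 0, b"GETNAME alice\n")]
# Exploit split across two segments, delivered out of order, so the
# signature straddles the packet boundary.
SPLIT_EXPLOIT = [
    Packet("10.0.0.66", 1, b"sh\n"),
    Packet("10.0.0.66", 0, b"GETNAME " + b"A" * 40 + b"/bin/"),
]
# Same overflow, payload tweaked ('/bin//sh') to dodge the signature.
PERMUTED_EXPLOIT = [Packet("10.0.0.66", 0, b"GETNAME " + b"A" * 40 + b"/bin//sh\n")]
# Non-compliant request: undefined verb, then a binary blob in the name.
BAD_PROTOCOL = [Packet("10.0.0.7", 0, b"PUTNAME bob\nGETNAME \x90\x90\xcc\n")]
# New-flow log for one window as (src, dst) pairs; one source is scanning.
NEW_FLOWS = [("10.0.0.5", "10.0.1.1")] * 3 + [("10.0.0.66", f"10.0.1.{i}") for i in range(12)]

if __name__ == "__main__":
    for name, flow in [("legit", LEGIT), ("split", SPLIT_EXPLOIT),
                       ("permuted", PERMUTED_EXPLOIT), ("bad-proto", BAD_PROTOCOL)]:
        print(name, inspect_flow(flow))
    print("per-packet signature hits on split exploit:", per_packet_signature_hits(SPLIT_EXPLOIT))
    print("traffic anomaly:", traffic_anomaly_filter(NEW_FLOWS))
```

Running it shows the points the article makes: the split exploit produces no signature hit when each packet is inspected alone but is caught once the flow is reassembled; the permuted exploit evades the signature entirely yet is still blocked by the vulnerability filter, which keys on the oversized field rather than on the exploit's bytes; the malformed request is caught by protocol enforcement without any signature at all; and the scanning host stands out against the per-source baseline.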

Finally, timeliness is the speed with which an IPS can offer protection against a new threat. In some instances, existing filters (particularly vulnerability and protocol anomaly filters) already protect against a zero-day or newly discovered threat. When a new vulnerability is discovered, a new filter or set of filters may be required for protection. A fundamental component of an IPS is therefore the ability to update it continuously with new filters.

Conclusion
An Intrusion Prevention System is the first step in the convergence of networking and security. As with other networking and security products, this convergence is driving a shift in IPS from general-purpose to purpose-built hardware. IPS is not just a perimeter protection element, but delivers its greatest value as a pervasive security element deployed at both internal and perimeter network segments. To be effective, an IPS must exhibit unconditional network performance and extreme attack blocking accuracy. Finally, IPS represents a philosophical shift from traditional security tools like firewalls and intrusion detection systems that require extensive configuration, tuning and manual maintenance, to an automated security solution.

Visit TippingPoint at: www.tippingpoint.com

TippingPoint's Intrusion Prevention Systems provide Application Protection, Performance Protection and Infrastructure Protection at gigabit speeds through total packet inspection. Application Protection capabilities provide fast, accurate, reliable protection from internal and external cyber attacks. Through its Infrastructure Protection capabilities, the TippingPoint IPS protects VoIP infrastructure, routers, switches, DNS and other critical infrastructure from targeted attacks and traffic anomalies. TippingPoint's Performance Protection capabilities enable customers to throttle non-mission critical applications that hijack valuable bandwidth and IT resources, thereby aligning network resources and business-critical application performance.

TippingPoint's security team develops new attack filters to address emerging vulnerabilities, and incorporates them into its Digital Vaccine® service. TippingPoint deploys a variety of security filters, including traffic anomaly filters and vulnerability-based filters, to address specific exploits, attack permutations and zero-day threats. Digital Vaccines are delivered to customers every week, or immediately when critical vulnerabilities and threats emerge.