Today's intrusion prevention system (IPS) shoppers have their work cut out for them. Vendors showcase a multitude of products labeled sole-purpose IPS, as well as unified threat management (UTM) products, which encompass IPS functionality along with other features. When considering IPS products for your enterprise, the first question you need to address fully is not what vendor or product to purchase, but instead: What is your goal for integrating IPS into your environment?
The goal of an IPS deployment in an enterprise can often be convoluted. Rather than rolling out such a technology across the entire network at once, it's best to prioritize an installation based on the organization's risks. Since there are purpose-specific areas of the network (DMZ, voice, wireless, guest, etc.), the deployment architecture and configuration will not always be the same for each. However, as most IPS deployments are generally solidified on one vendor, this makes flexibility a must-have.
The short-term objective should always be to improve the security posture in the network segments where the IPS will be deployed. Keep that in mind at all times, because vendors are good at upselling features that may not be needed for your organization. It's necessary to maintain an understanding of today's IPS products and the key capabilities by which they should be compared. Here's a list of capabilities to consider when examining products:
- Throughput - IPS
- throughput refers to the amount of traffic the IPS can process or inspect across the entire platform simultaneously. Not all IPSes are created equal, as low-end models generally process traffic in software, which is slow, compared to higher-end models using Application Specific Integrated Circuit (ASIC) technology that lets a special programmable circuit do all of the heavy lifting. Try to consider the network's or network segment's future state during the selection process; if the deployment scenario is in-line/blocking on a busy link, it pays to think about how that part of the network may be upgraded or re-architected in the future. Don't discount throughput as line card speed. Rather, count it as the aggregate performance of the entire device across multiple interfaces. Links may get faster, but they might also get split out into new ones.
- Signatures - Since most of the functionality of an IPS is still driven by signatures, buyers should keep in mind that the quality of new signatures and the time it takes to release them will directly impact the effectiveness of an IPS. Some vendors allow end users to create custom signatures, which can be highly advantageous for customers. If, for example, the organization has a custom application that's key to the network, the ability to write a custom signature may be the difference between the IPS being able to effectively identify an incident. But seriously consider the resources available to analyze traffic, develop the signature, and maintain it going forward; if realistically it's not something you envision your organization doing, then don't include it as a key product requirement.
- Management - While management of an IPS may seem straightforward, what does it really mean? This aspect ranges from the most simplistic approach, in which each appliance is managed directly via its own interface, to having a central management console for a multitude of these devices. While most organizations will opt to put in systems that can work cohesively with legacy systems, remember that not all IPS products can integrate effectively into existing deployments. If a mixed-vendor deployment is necessary, then testing different products is something you should do no matter what the selling vendor tells you. The key to integration is seamlessness. Does the organization have a logical place to put the IPS in the environment? If not, what needs to be done to establish one? Will the IPS take advantage of common network services that are already deployed? If not, can things be changed to effectively take on the information these services offer? Who can make these decisions, and how do they affect the overall goals for the IPS deployment? As more protocols are secured, how does the IPS still fit if its only level of inspection is source, destination and baseline heuristics? This is where IPS products that may be a little "smarter" come in.
- Environment awareness - How "smart" does an enterprise IPS need to be? In other words, will the IPS be able to accept data input from services already deployed in your network to gain better insight and correlation results? This depends on the scope of the IPS deployment . Some vendors have integrated functionality capable of querying common resources of information, such as LDAP and Active Directory, that can lend policy information to real-time evaluation and risk ratings. (Correlation is another key component that IPS systems dissimilar from current implementations will have a harder time pulling together.) The ability to query this information can add significant insight into actual attack vectors, versus potential false positives that can come of just looking at the network flow and having an understanding of the path being traversed.
- Failure and availability - Just as most enterprise firewalls are deployed in high availability pairs, IPS deployments should garner similar considerations. This, again, goes back to how each device is put into production. If the IPS is simply being used in a detection role by listening off of a SPAN port, failure of the IPS will have little impact on actual operations. In the event that the IPS is in-line, however, it's necessary to consider the question of how the device will react when a failure occurs: Will traffic be allowed to continue uninhibited (some vendors provide hardware-bypass functionality for these sort of events) or will it come to a grinding halt? Also, many organizations standardize on specific security device deployment configurations. Consider that if most firewalls are deployed in a Layer-2 (bump-in-the-wire) fashion; will that architecture support the addition of an IPS that only operates at Layer 3, or will considerable re-architecting be required?
- Real-world operations - While every vendor will promise the world to write up a purchase order for your enterprise, the reality is, more often than not, the actual security posture improvement added to your network by an IPS product may not be what the glossy product sheet reflects. Vendor tests will always showcase the features that work best and skim over the things that don't. The best way to prove out a product is to test it in your environment. Get to a point where you can narrow down the vendors and bring in the final few products you're considering purchasing. Vendors might not be able to provide all of the necessary gear, but operating the equipment in non-critical parts of the network for a month will really help flesh out what you like and don't like about specific products.
Depending on whom you ask in the security community, answers about whether an IPS is a viable security control will fall on a wide spectrum. Just like any other technology, it can be implemented incorrectly. Not every organization will need an IPS everywhere, but a well-thought-out design and use-case will bring out the potential usefulness of the technology to your organization. Keep these high-level points in mind when starting to look at IPS products, and you'll be on the right foot going forward.
About the author:
David Meier is a security consultant specializing in network architecture and current (and realistic) threats. He has designed and implemented solutions for the Air Force and Fortune 100 companies. David is also a contributor at security research and analysis firm Securosis.
This was first published in March 2010