Problem solve Get help with specific problems with your technologies, process and projects.

Buying an IPS: Determine why you need intrusion prevention

Learn how to develop the right IPS strategy for your network by first asking why your organization needs intrusion prevention. This is the first in a seven-part series.

Today's threat landscape far exceeds the protection traditional signature-based products can offer, making a feature-rich network-based intrusion prevention system (IPS) a must for not only malware containment, but network activity monitoring and compliance.

Midmarket companies anxious to dip into these waters need to sidestep some traps. Avoid vendor marketing fluff, and spend only on what you need. Putting the wrong IPS into your network can be a costly error, both in terms of capital and operational expenditures.

This is the first tip in a six-part series that lays out how you can decide what IPS is right for your network. Part one helps you answer the question: Why am I buying an IPS?"

Buying an IPS series

Determine why you need intrusion prevention: Learn how to develop the right IPS strategy for your network by first asking why your organization needs intrusion prevention.
Determine the approach you require: Signature-, rate- and behavior-based intrusion prevention systems each offer different network security capabilities. Understand each before investing in IPS.
Decide which applications and protocols your IPS will protect: Application and protocol coverage varies in signature-, rate- and behavior-based intrusion prevention systems. Understanding the differences is crucial to your IPS investments.
Determine your performance requirements: Intrusion prevention system performance is dependant on many variables and how it is configured. Test with your network traffic before investing in an IPS.
Determine your form factor requirements: Your choice of either a standalone IPS appliance, or one integrated in a firewall, gives your different levels of functionality to consider as well.
Determine your management requirements: Be sure to match your IPS management requirements to the product you choose, otherwise your deployment will fail.
Test using your network and traffic: Testing an intrusion prevention system is the critical final piece of an IPS purchase.  

IPS Drivers: DDoS, Compliance, Alerting, Forensics and more

Before you talk to vendors about IPS -- or any network security products -- you need to understand what you want to accomplish and why you're buying IPS.

There are many good reasons to add an IPS into a network:

  • You could be looking for extra protection at the perimeter that employs signature-based technology to trap some of the bad things that manage to make their way through the firewall.
  • Or, you could be focused on mitigation of denial-of-service attacks, and looking for products that employ rate-limiting security parameters to protect against these kinds of threats.
  • With a new, onerous, load of regulation in many organizations and industries, you could be looking for tools to help in your compliance efforts.
  • Or, perhaps you might be looking for a product that provides IDS-like alerting and forensics to help you get a better handle on what threats are trying and have been successful at hitting your network.
  • You could be hoping to build more security into the core of the network, perhaps protecting a specific set of servers inside the network or even by wrapping an IPS around the entire network core.
  • You could be worried about incoming threats--or just as worried about detecting and blocking infected systems on your own network from attacking the rest of the world.

Note that this isn't a comprehensive list, but each can be equally valid in the right environment. But until you know which apply to you, you won't be able to select the proper IPS strategy or product. Every IPS has a different set of design goals and features targeted to address a limited set of the questions posed here.

It would be easier for all involved if you could simply reduce this list of implementation reasons and goals into a feature checklist, something you could throw into an RFP and subsequently pick the vendor with all of the right boxes checked. But, unfortunately, that's impossible, not so much because the appropriate features are not in place, but because of the disparate philosophies that go into the products' design.

For example, it's easy to put forensics onto your checklist as a feature--assuming that is something you care about. Unfortunately, listing "forensics" won't get you any closer to finding the right product; it will only help you to eliminate some products that don't have any forensics capabilities.

The more appropriate question is: Why do you want forensics? Are you really looking to comply with the classic definition for forensics in which you need to collect data that could be used in a courtroom to help prosecute an attacker? Or are you simply looking for data collected and stored over a period of time that will ultimately help you to understand how an attack actually happened? Will you need to tap into the forensics ability of the IPS daily or just once a month? If you expect to run daily forensics, the performance and design of the forensics interface is a huge issue. While they may not be as important if you only need to review on a monthly basis, knowing why you want forensics will help you to understand what products will work best for you.

Create an IPS Needs Statement
The IPS market is crowded on many levels. There are products ranging from high-performance standalone appliances to others shipped as add-ins to existing firewalls. After studying this product space for several years, it has become clear that while there are often common denominators between some products--for example, quite a few of the newer IPS products use Snort as their underlying detection engine--that help segment the market into broad, overlapping categories, the underlying design goals and capabilities still vary widely.

The table below is a list of reasons why corporations we've worked with in the past three years have implemented an IPS in their networks and the noted tradeoffs expected with each choice. This may guide you to your own IPS needs statement. No single IPS device is designed to operate in every environment and solve all problems, which means that you will have to make choices and weigh your own reasons to balance these tradeoffs.

Spectrum of Reasons for Implementing IPS Design Characteristics of an Appropriate IPS
From:   To  
You are focused on perimeter security or You want to protect the core of your network The closer an IPS is to the core of your network, the more important issues such as performance, high availability, and control of overflow become. IPS functions pushed out towards an Internet boundary don't necessarily operate under the same performance constraints, and may be designed to handle failure cases (such as too much traffic or too high latency) differently.
You want to protect your servers or You want to protect end users (clients) on your network When protecting servers, an IPS can be tightly tuned to inspect particular incoming services and particular applications. To protect client desktops, the IPS must handle incoming and, more importantly, outgoing traffic with twin goals: prevent incoming infection and attack by blocking packets, but also detect a compromised system by its outbound attacks.
You are looking for signature-focused IPS protection or You are looking for rate-focused IPS protection While most IPSes have signature- and rate-based technologies, one or the other is generally the product's "sweet spot". For example, when your main concerns are denial-of-service attacks, a product architecture focused on rate-based IPS is needed. If you are more focused on break-ins through system vulnerabilities and reconnaissance, signature-based IPS is more appropriate.
You are most concerned about specific attacks, such as hacker break-ins or viruses.
or You are most interested in detecting anomalous behavior, such as a normally unused server suddenly going active Although these two capabilities are by no means exclusive, most products specialize in one or the other. Simple anomalies, such as protocol errors, are common across the board (even in rate-based products), but more sophisticated detection scenarios, such as behavior anomalies, call for a different architecture.
You want to be able to detect attacks and have some forensics evidence on how it happened. or You want the IPS to operate on its own, but you are not interested in using it as a security console or as a primary tool in investigations While an IPS can detect and prevent attacks, adding a full forensics capability of any sort dramatically changes product architecture, increases costs and impacts performance.
You want IPS in place for primary protection against attackers and break-in attempts or You want IPS as an additional layer in a defense-in-depth strategy IPS products positioned as a primary protective layer, typically behind a firewall, may have other features such as "shunning" of known attackers. These bring additional security, but at considerable risk such as self-inflicted denial-of-service. When an IPS is part of a layered defense strategy, features such as shunning are often unnecessary.

To understand why you're looking for an IPS, write an IPS needs statement, a single paragraph that begins with this phrase: "What we're trying to accomplish is …" With this in place, you'll be in a much more informed position to correctly evaluate IPS products for your environment. Only after you understand why you want to add an IPS to your network, can you ask yourself about security and coverage, performance, management, and form factor--the other four main criteria for successfully selecting an IPS strategy for your network.

Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.

Send comments on this technical tip

Join our IT Knowledge Exchange discussion forum; please use the midmarket security tag.

Dig Deeper on Detecting and preventing network intrusions

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.