Why We Need Intrusion Prevention Systems
(sections from NSS Group report)
In a recent survey commissioned by VanDyke Software, some 66 percent of the companies who responded said that they perceive system penetration to be the largest threat to their enterprises. The survey revealed that the top eight threats experienced by those surveyed were viruses (78 percent of respondents), system penetration (50 percent), DoS (40 percent), insider abuse (29 percent), spoofing (28 percent), data/network sabotage (20 percent), and unauthorized insider access (16 percent).
Although 86 percent of respondents use firewalls (a disturbingly low figure in this day and age, to be honest!), it is apparent that firewalls are not always effective against many intrusion attempts. The average firewall is designed to deny clearly suspicious traffic (such as an attempt to telnet to a device when corporate security policy forbids telnet access completely), but it is also designed to allow some traffic through, for example Web traffic to an internal Web server.
The problem is that many exploits attempt to take advantage of weaknesses in the very protocols that are allowed through our perimeter firewalls, and once the Web server has been compromised, it can often be used as a springboard to launch additional attacks on other internal servers. Once a "rootkit" or "back door" has been installed on a server, the hacker has ensured that he will have unfettered access to that machine at any point in the future.
Firewalls are also typically employed only at the network perimeter. However, many attacks, intentional or otherwise, are launched from within an organization. Virtual private networks, laptops, and wireless networks all provide access to the internal network that often bypasses the firewall. Intrusion detection systems may be effective at detecting suspicious activity, but they do not provide protection against attacks. Recent worms such as Slammer and Blaster have such fast propagation speeds that by the time an alert is generated, the damage is done and spreading fast.
Intrusion Prevention Systems (IPS)
The inadequacies inherent in current defenses have driven the development of a new breed of security products known as Intrusion Prevention Systems (IPS). This is a term which has provoked some controversy in the industry, since some firewall and IDS vendors think it has been "hijacked" and used as a marketing term rather than as a description of any kind of new technology.
Whilst it is true that firewalls, routers, IDS devices and even AV gateways all have intrusion prevention technology included in some form, we believe that there are sufficient grounds to create a new market sector for true Intrusion Prevention Systems.
These systems are proactive defense mechanisms designed to detect malicious packets within normal network traffic (something that the current breed of firewalls do not actually do, for example) and stop intrusions dead, blocking the offending traffic automatically before it does any damage rather than simply raising an alert as, or after, the malicious payload has been delivered.
Within the IPS market place, there are two main categories of product: Host IPS and Network IPS.