Security customers aren't the only ones debating whether IPSes (intrusion prevention systems) can deliver on their promises of preventative security -- IDS (intrusion detection system) vendors are also trying to figure out how to deal with a technology that threatens the core of their business strategy.
Indeed, the supremacy of IDSes is being tested by security customers' demands for a faster, more efficient, and proactive form of intrusion prevention for their networks.
Complicating matters, customers are having difficulty discerning true IPSes from watered-down versions, and they must also weigh the complexity of placing an in-line IPS in the path of various network processes.
But there's no mistaking the attractive glow of intrusion prevention that works -- IT still salivates over the idea of stopping attacks before they become enterprisewide disasters, although it is more cautious about putting too much trust in security systems that make large promises. As
IPS technology matures, security experts predict that IDS and firewall protection will eventually become one, IPS appliances
will multiply, and traffic inspection and switch hardware vendors -- such as Cisco, F5, and Nortel -- stand poised to claim
the IPS crown.
Prevention gets the nod
Some analysts, including Stamford, Conn.-based Gartner, are advising customers to hold off on making large network IDS investments
in favor of investigating the merits of IPS. Organizations already bound to IDS investments and drowning in false-positive
returns should look to security management vendors such as ArcSight and NetForensics to restore control, says John Pescatore, vice president of Gartner.
"We think IDS is dead. It’s failed to provide enterprise value," Pescatore says. "In order for it to survive, it has to go faster, at wire speed, and it has to solve the false-alarm problem."
False alarms - a notorious bane of IDS - become a heavy burden when a lack of internal security expertise and ever-tightening
budgets push security event prioritization to the forefront. An IPS cuts down on false positives by sitting in-line, where it sees both directions of every session, and by combining several detection methods: stateful signature matching that evaluates a signature only within a tracked session rather than against isolated packets, protocol and packet anomaly detection, and rate-based detection of sudden or extreme traffic pattern changes (such as a denial-of-service attack) or deviations from a set policy. The flip side of being in-line is that a false positive no longer just fills a log; it drops legitimate traffic, so the session context that suppresses stray matches matters more, not less.
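The following is an added illustration of the three mechanisms just described, not code from the article or from any vendor named in it. It runs a packet-at-a-time signature matcher and a session-aware matcher over the same constructed traffic to show why the stateful version raises fewer alerts, and adds a rate-based check for a SYN flood. The signature pattern, addresses, and thresholds are assumptions chosen for the example.

```python
"""Stateless vs stateful signature matching, plus a rate-based check.

Added example (not the article's code). Three constructed traffic cases:
  1. a stray packet carrying an attack pattern with no TCP handshake behind it
     (the kind of decoy or spoofed packet that makes packet-level IDS cry wolf)
  2. a genuine TCP session that sends the same pattern
  3. a burst of SYNs to one host, standing in for a denial-of-service attempt
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str         # TCP flags: "S", "SA", "A", "PA"
    payload: bytes = b""


# Hypothetical signature for this example; not a real vendor rule.
SIGNATURES = {"traversal-attempt": b"../../etc/passwd"}


def stateless_alerts(packets):
    """Packet-at-a-time matching: fires on any packet carrying the pattern."""
    alerts = []
    for p in packets:
        for name, pat in SIGNATURES.items():
            if pat in p.payload:
                alerts.append((name, p.src, p.dst))
    return alerts


class SessionTracker:
    """Minimal TCP tracker: a flow is ESTABLISHED only after SYN, SYN/ACK, ACK.

    Teardown (FIN/RST) and timeouts are omitted to keep the example short.
    """

    def __init__(self):
        self.state = {}  # (src, sport, dst, dport) keyed on the client side

    def update(self, p):
        """Advance the state machine; return True if p belongs to an established session."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.state[fwd] = "SYN_SENT"
            return False
        if p.flags == "SA" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_RECEIVED"
            return False
        if p.flags == "A" and self.state.get(fwd) == "SYN_RECEIVED":
            self.state[fwd] = "ESTABLISHED"
            return True
        return "ESTABLISHED" in (self.state.get(fwd), self.state.get(rev))


def stateful_alerts(packets):
    """Signature matching only on packets inside an established session."""
    tracker = SessionTracker()
    alerts = []
    for p in packets:
        if not tracker.update(p):
            continue  # no handshake seen for this flow: ignore the payload
        for name, pat in SIGNATURES.items():
            if pat in p.payload:
                alerts.append((name, p.src, p.dst))
    return alerts


def syn_flood_alerts(packets, window=1.0, threshold=50):
    """Flag destinations receiving more than `threshold` SYNs within `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for p in packets:
        if p.flags != "S":
            continue
        q = recent[p.dst]
        q.append(p.ts)
        while q and p.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged.add(p.dst)
    return sorted(flagged)


def sample_traffic():
    """Constructed packets covering the three cases described in the docstring."""
    attack = b"GET /../../etc/passwd HTTP/1.0\r\n"
    pkts = [Packet(0.0, "198.51.100.7", "192.0.2.10", 40000, 80, "PA", attack)]  # case 1
    pkts += [                                                                     # case 2
        Packet(1.0, "203.0.113.5", "192.0.2.10", 51000, 80, "S"),
        Packet(1.1, "192.0.2.10", "203.0.113.5", 80, 51000, "SA"),
        Packet(1.2, "203.0.113.5", "192.0.2.10", 51000, 80, "A"),
        Packet(1.3, "203.0.113.5", "192.0.2.10", 51000, 80, "PA", attack),
    ]
    for i in range(100):                                                          # case 3
        pkts.append(Packet(2.0 + i * 0.005, f"10.0.{i // 256}.{i % 256}",
                           "192.0.2.20", 1024 + i, 80, "S"))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("stateless:", stateless_alerts(traffic))   # two alerts: cases 1 and 2
    print("stateful: ", stateful_alerts(traffic))    # one alert: case 2 only
    print("syn flood:", syn_flood_alerts(traffic))   # ['192.0.2.20']
```

The stray packet in case 1 triggers the packet-level matcher but not the session-aware one, because no handshake ever completed for that flow; an in-line device blocking on the stateless verdict would be acting on a packet the server itself would have discarded. Case 3 shows the rate-based path, which needs no signature at all.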