Practically speaking, this is a pretty thin layer of protection, because it has to handle client- and server-side attacks,
random file formats and e-mail attachments, encryption, segmentation, custom applications, and arbitrary protocols that your
hardware-based protocol analyzers cannot know how to interpret beyond a simple regular-expression-analysis capability. True
proactive security means you must block identifiable threats as well as enforce security policy so as to reduce exposure in
the first place -- in addition to detecting change that indicates compromise independent of threat detection. A proactive
security solution should also be able to defeat a threat emerging from any point on the network, not just pre-identified ingress/egress
points. Most IPS companies ignore these points, leading end-users to believe that traditional, stand-alone IPS technology
is capable of proactively protecting assets throughout the network, even though they have no context about the systems they
are trying to protect. This positioning is not only false; it’s unfair to the end-user.
MWL: To be as polite and as succinct as possible: You are simply misinformed. I would strongly recommend you take a closer look
at the state-of-the-art IPS. You’d be surprised to find several significant differences from your perception and reality.
Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of
proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede
the existence of an exploit and proactively protect against any exploit targeting that vulnerability. You are, however, correct
that writing good filters takes extensive research, requires very sophisticated skills and testing, and is an enormous differentiator
between the various IPS solutions that exist today.
It’s typical for software-solution vendors to misrepresent a hardware solution as fixed and inflexible. Again, this is misinformation
or, in the best case, laziness. Reality is that any hardware design -- for example, a CPU -- consists of hardware building
blocks like the arithmetic control unit, the floating point unit, or another component that specializes in accelerating a
particular operation. Specialization does not stop it from being programmable or flexible. A common, simplistic, and naïve
perspective of IPS implementation would assume that each protocol is hard-coded into the hardware. State-of-the-art systems
don’t do that at all. They boil down the problem into building blocks that are much more general and serve to accelerate processing
for the specific task at hand.
Beyond vulnerability filters, IPSes use network profiling to characterize a particular network environment to determine what
is “normal” behavior in that environment. Deviations from what is normal (without any knowledge of an exploit or vulnerability)
can be alerted on, blocked, or throttled. Protection based on deep understanding of baselines and changes in network behavior
is proactive by any definition.
Intrusion prevention has reached the point where the technology has been tested extensively and is now broadly deployed by
hundreds of Fortune 500 customers worldwide. Talk to them. Start at the very top of the list.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
