May 09, 2005

The great intrusion prevention debate

Will the intrusion prevention system revolutionize security? Or is it just another point solution?

No security topic generates more spirited debate than intrusion prevention. Deployed on the edge -- and increasingly, deep inside -- the network, IPSes (intrusion prevention systems) purport to identify and stop attacks before they start based on constantly updated threat profiles. In this Point/Counterpoint, we’ve pitted Marc Willebeek-LeMair, CTO and Chief Strategy Officer of 3Com’s security division, TippingPoint, against Martin Roesch, CTO and founder of Sourcefire (and the inventor of Snort). TippingPoint’s Willebeek-LeMair is bullish on the supreme effectiveness of his IPS approach; Sourcefire’s Roesch positions IPSes, which his company also sells, as just one component of an integrated network defense system. The clash of these two partisans reveals much about the state of network protection and the rivalry between hardware and software security vendors.

Marc Willebeek-LeMair: To understand what an IPS is, you need to grasp the problem it aims to solve. Today’s cyberthreat environment is increasingly severe, compounded by the growing number of vulnerabilities that are discovered weekly, the emergence of new types of attacks (such as blended threats and spyware), the shrinking time between vulnerability discovery and exploit development, the propagation speeds of automated worm attacks, and the dissolving network perimeter.

IT security teams are overwhelmed, and traditional point solutions such as firewalls, anti-virus software, and IDSes are inadequate protection by themselves. The threat landscape is further exacerbated by the challenges involved in applying patches in a timely manner, and also by organizations that cannot enforce patch management -- universities, ISPs, and so on. What’s needed is a new type of security element that pervades the network and automatically protects organizations from a broad variety of attack types and from all potential points of attack -- inside or out.

Martin Roesch: Marc, you’ve done a great job of defining the threat environment. But the in-line network IPS as it’s implemented and deployed today provides only the most basic capability to actually address the problem. In-line IPS is positional and can only block based on threats it has prior knowledge of or basic thresholds in flood-style DoS/worm traffic. In-line IPS requires the attacks and attackers to transit predefined choke points on the network in order for it to perform its task. Clearly, if we are to address the pervasive threat environment, then we need a pervasive system that allows us to not just block things we know about crossing discrete points on the network, but one that can also enforce network security policy by managing and reducing exposure to attacks in the first place. Blended threats require blended security systems that have more remediative options. In-line intrusion prevention is a step in the right direction, but I believe that the infrastructure itself can be orchestrated effectively to provide a much broader capability than just point defense in the face of a pervasive threat.

MWL: While I agree with your assertion that the infrastructure can be orchestrated to provide more comprehensive protection, I do not agree that IPS is simply a point defense. Unlike a firewall, IPS is not being deployed just at the perimeter, but throughout the entire network to protect the core as well as internal segments. To meet the stringent networking requirements (latency, throughput, reliability) that these core and internal network locations demand, state-of-the-art IPSes are based on purpose-built custom hardware like other network infrastructure devices such as switches and routers.
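The two limits Roesch attributes to in-line IPS, that it blocks only what it already has a signature or a crude threshold for, and that it sees only traffic routed through it, are easy to make concrete. The following is an added example written for this page; it is not code from TippingPoint, Sourcefire, Snort or the article. It models a toy in-line sensor in Python: a signature stage (the "prior knowledge"), a per-destination SYN-rate threshold for flood-style traffic, and a forwarding path that may or may not pass through the sensor. The packet format, signatures, threshold, addresses and payloads are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Signature set: the "prior knowledge" the sensor depends on. Both patterns are
# constructed for this example and stand in for vendor threat-profile updates.
SIGNATURES = [
    ("http-directory-traversal", re.compile(rb"(\.\./){2,}")),
    ("known-overflow-nop-sled", re.compile(rb"\x90{16,}")),
]


class InlineIPS:
    """Simplified in-line sensor: drop on a signature hit or a SYN-rate threshold."""

    def __init__(self, signatures, syn_threshold=20, window=1.0):
        self.signatures = signatures
        self.syn_threshold = syn_threshold   # max SYNs per window per destination
        self.window = window                 # seconds
        self.syn_times = defaultdict(deque)  # dst -> timestamps of recent SYNs
        self.events = []                     # (ts, verdict, reason, src, dst)

    def inspect(self, pkt):
        """Return 'DROP' or 'PASS' for one packet dict (hypothetical format)."""
        # Stage 1: signature match. Anything without a signature passes untouched.
        for name, pattern in self.signatures:
            if pattern.search(pkt["payload"]):
                self.events.append((pkt["ts"], "DROP", name, pkt["src"], pkt["dst"]))
                return "DROP"
        # Stage 2: crude flood threshold, the only blocking that needs no signature.
        if pkt.get("flags") == "SYN":
            recent = self.syn_times[pkt["dst"]]
            recent.append(pkt["ts"])
            while recent and pkt["ts"] - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.syn_threshold:
                self.events.append((pkt["ts"], "DROP", "syn-flood-threshold",
                                    pkt["src"], pkt["dst"]))
                return "DROP"
        return "PASS"


def forward(ips, packets, sensor_on_path):
    """Model one network path. The sensor only sees traffic that transits it."""
    if not sensor_on_path:
        return ["UNINSPECTED"] * len(packets)
    return [ips.inspect(p) for p in packets]


def pkt(ts, src, dst, payload=b"", flags=None):
    """Build a packet record (constructed representation, not a real capture)."""
    return {"ts": ts, "src": src, "dst": dst, "payload": payload, "flags": flags}


def demo():
    """Run constructed traffic through the sensor; return verdicts per scenario."""
    ips = InlineIPS(SIGNATURES)
    # Attack the sensor has a signature for.
    known = [pkt(0.0, "203.0.113.5", "192.0.2.10",
                 b"GET /../../../../etc/passwd HTTP/1.0\r\n")]
    # Attack with no signature: in-line IPS has nothing to match against.
    novel = [pkt(0.1, "203.0.113.5", "192.0.2.10",
                 b"GET /cgi-bin/app?id=%27%20OR%201=1 HTTP/1.0\r\n")]
    # 25 SYNs to one host inside one second; the first 20 get through.
    flood = [pkt(1.0 + i * 0.01, "203.0.113.9", "192.0.2.20", flags="SYN")
             for i in range(25)]
    # Same known attack, but on an internal segment the sensor is not in-line on.
    internal = [pkt(2.0, "10.0.0.7", "10.0.0.8", b"/../../../../etc/shadow")]

    return {
        "known_exploit": forward(ips, known, sensor_on_path=True),
        "novel_exploit": forward(ips, novel, sensor_on_path=True),
        "flood_dropped": forward(ips, flood, sensor_on_path=True).count("DROP"),
        "off_path_segment": forward(ips, internal, sensor_on_path=False),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

The three scenarios show the asymmetry the debate turns on: the signatured traversal is dropped, the novel request passes because no signature exists yet, the flood is only cut off after the threshold has already let twenty SYNs through, and the identical traversal on the off-path internal segment is never inspected at all, which is the positional weakness Roesch raises and the reason Willebeek-LeMair argues for placing sensors throughout the core.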

Carharttjimmy@earthlink.net 8-Apr-09 6:21am
The best way to truly prevent intrusion attempts is to re-invent how intrusion prevention systems work. Mainly, by having virus-encrypted networks powerful enough when attacked to infect the attacker. Basically, the idea is to use worms, viruses and Trojans against attackers, and by ensuring multiple encryption layers and the concept of a stronger firewall or firewall system. It's the only way we can truly solve this problem; otherwise this is just another point solution.

©1994-2009 Infoworld, Inc.