May 09, 2005

The great intrusion prevention debate

Will the intrusion prevention system revolutionize security? Or is it just another point solution?

Practically speaking, this is a pretty thin layer of protection, because it has to handle client- and server-side attacks, random file formats and e-mail attachments, encryption, segmentation, custom applications, and arbitrary protocols that your hardware-based protocol analyzers cannot know how to interpret beyond a simple regular-expression-analysis capability. True proactive security means you must block identifiable threats as well as enforce security policy so as to reduce exposure in the first place -- in addition to detecting change that indicates compromise independent of threat detection. A proactive security solution should also be able to defeat a threat emerging from any point on the network, not just pre-identified ingress/egress points. Most IPS companies ignore these points, leading end-users to believe that traditional, stand-alone IPS technology is capable of proactively protecting assets throughout the network, even though they have no context about the systems they are trying to protect. This positioning is not only false; it’s unfair to the end-user.

MWL: To be as polite and as succinct as possible: You are simply misinformed. I would strongly recommend you take a closer look at the state-of-the-art IPS. You’d be surprised to find several significant differences between your perception and reality.

Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede the existence of an exploit and proactively protect against any exploit targeting that vulnerability. You are, however, correct that writing good filters takes extensive research, requires very sophisticated skills and testing, and is an enormous differentiator between the various IPS solutions that exist today.

It’s typical for software-solution vendors to misrepresent a hardware solution as fixed and inflexible. Again, this is misinformation or, in the best case, laziness. Reality is that any hardware design -- for example, a CPU -- consists of hardware building blocks like the arithmetic control unit, the floating point unit, or another component that specializes in accelerating a particular operation. Specialization does not stop it from being programmable or flexible. A common, simplistic, and naïve perspective of IPS implementation would assume that each protocol is hard-coded into the hardware. State-of-the-art systems don’t do that at all. They boil down the problem into building blocks that are much more general and serve to accelerate processing for the specific task at hand.

Beyond vulnerability filters, IPSes use network profiling to characterize a particular network environment to determine what is “normal” behavior in that environment. Deviations from what is normal (without any knowledge of an exploit or vulnerability) can be alerted on, blocked, or throttled. Protection based on deep understanding of baselines and changes in network behavior is proactive by any definition.

Intrusion prevention has reached the point where the technology has been tested extensively and is now broadly deployed by hundreds of Fortune 500 customers worldwide. Talk to them. Start at the very top of the list.
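MWL's two technical claims, that filters can be written from the vulnerability rather than from a specific exploit, and that a profiling baseline can flag deviations with no exploit knowledge at all, are easier to weigh with a concrete illustration. The following code is an example added for this page; it is not MWL's, the article's, or any vendor's IPS code. The line protocol, the assumed 64-byte argument limit, the traffic samples and the per-minute connection counts are all constructed for illustration.

```python
"""Added illustration (not from the article or any vendor's IPS): a
vulnerability-based filter beside an exploit signature, plus a simple
network-profiling baseline check. Protocol and numbers are constructed."""
import statistics

# --- Part 1: vulnerability filter vs exploit signature -----------------------
# Constructed toy line protocol: b"<CMD> <argument>\r\n". Assume, hypothetically,
# that the server copies the USER argument into a 64-byte buffer; anything
# longer triggers the flaw. Both filters below try to catch that condition.

MAX_USER_ARG = 64                                   # assumed buffer size

# Exploit-based signature: the exact bytes of one published exploit.
EXPLOIT_SIGNATURE = b"USER " + b"A" * 200

def exploit_signature_filter(msg: bytes) -> bool:
    """Matches only the payload the signature was written from."""
    return EXPLOIT_SIGNATURE in msg

def vulnerability_filter(msg: bytes) -> bool:
    """Parses the protocol and checks the condition that triggers the flaw,
    so any exploit for this vulnerability is caught, known or not."""
    parts = msg.rstrip(b"\r\n").split(b" ", 1)
    if len(parts) != 2:
        return False                                 # malformed line, ignored here
    cmd, arg = parts
    return cmd == b"USER" and len(arg) > MAX_USER_ARG

# Constructed traffic samples: a benign login, the published exploit, and a
# trivially mutated variant of it (different filler byte and length).
SAMPLES = {
    "benign":  b"USER alice\r\n",
    "exploit": b"USER " + b"A" * 200 + b"\r\n",
    "variant": b"USER " + b"B" * 100 + b"\r\n",
}

def compare_filters(samples=SAMPLES):
    """Returns {name: (signature_hit, vulnerability_hit)} for each sample."""
    return {name: (exploit_signature_filter(m), vulnerability_filter(m))
            for name, m in samples.items()}

# --- Part 2: network profiling / baseline deviation -------------------------
# Constructed per-minute connection counts from one host during a quiet
# training window; the baseline is the mean and standard deviation of those.
TRAINING_COUNTS = [12, 15, 11, 14, 13, 12, 16, 14]

def build_baseline(counts=TRAINING_COUNTS):
    return statistics.mean(counts), statistics.pstdev(counts)

def classify_rate(observed, baseline, k=3.0):
    """'block' if the observed rate exceeds mean + k*stdev, else 'pass'.
    No exploit or vulnerability knowledge is involved."""
    mean, stdev = baseline
    return "block" if observed > mean + k * stdev else "pass"

if __name__ == "__main__":
    for name, (sig, vuln) in compare_filters().items():
        print(f"{name:8s} signature={sig!s:5s} vulnerability={vuln}")
    base = build_baseline()
    for rate in (15, 60):
        print(f"rate={rate:3d} -> {classify_rate(rate, base)}")
```

Running it shows the point of the first part: the signature catches only the exact published payload, while the vulnerability filter also catches the mutated variant and leaves the benign login alone. The second part shows the profiling approach flagging a burst of 60 connections per minute against a baseline of roughly 13, with no knowledge of what the traffic contains. The flip side a practitioner should keep in mind is that the vulnerability filter only works when the inspection engine can actually parse the protocol, which is the limitation raised earlier in the debate, and the baseline check will also fire on legitimate but unusual activity.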

Carharttjimmy@earthlink.net 8-Apr-09 5:21am
The best way to truly prevent intrusion attempts is to re-invent how intrusion prevention systems work. Mainly, by having virus-encrypted networks powerful enough, when attacked, to infect the attacker. Basically, the idea is to use Worms, Viruses and Trojans against attackers and by ensuring multiple encryption layers and the concept of a stronger firewall or firewall system. It's the only way we can truly solve this problem; otherwise this is just another point solution.

©1994-2009 Infoworld, Inc.