Prevent or deter?
Whether intrusion prevention is reality or just marketing-speak, it all comes down to a matter of trust
Cybersecurity may not be on everyone's mind at every waking moment, but that doesn't stop the evolution of defensive measures. Intrusion prevention technologies are the latest outgrowth of attempts to thwart those bent on subverting -- or at least disabling -- enterprise networks.
TY: At a time when a desktop PC can outsmart a human chess master, it seems ludicrous that network security remains a largely manual endeavor. Systems, software, and appliances are getting smarter by the day at spotting patterns of access that point to the risk of intrusion. Yet IT seems reluctant to take the next step and grant intelligent assets the right to protect themselves. Instead, the intrusion prevention system in place at most companies is flesh and blood, not silicon. It no longer makes economic sense to pay someone to sift through access logs and shag pager alerts.
Outsourcing isn’t the answer here. Automation is. I realize, P.J., that you’re part of the cadre of warlocks that has an interest in keeping security mysterious. But your secret is out: Much of what consultants, in-house security teams, and outsourcing firms do can -- and should -- be automated. Having your router page you at
PJ: Tom, I think all the extra travel you've been doing lately has softened your brain. The way networks are built and applications are designed means that it's impossible to prevent intruders from entering. Well, there is one way -- unplug your WAN link. I know that sounds like a joke, but I'm dead serious. In the event of a network penetration, the single most effective countermeasure is to apply wire cutters to all data cables entering the facility. Unfortunately, that's a hard pill to swallow.
But there's not much else that one can do to "prevent" a networked intruder. Data networks aren't like physical structures that can be defended with a big dog, razor wire, and a shotgun. Even the most restrictive firewall policy is going to let some kinds of traffic through, and intruders simply have to disguise their packets as valid ones. After all, it's not as though businesses can block ports 80 and 443 -- those reserved for HTTP and HTTPS -- for any length of time, no matter what the threat may be.
TY: We agree on that point: Every asset on the Internet will get hacked or at least sniffed. But that fact leads too many IT people to make the illogical leap that they should focus their efforts on post-mortem dissection. In other words, identify the door through which the network has been already breached and close it.
The fear is that an automated intrusion prevention system will inconvenience users. Humans are in the loop precisely because a company can’t afford to take its entire Web, e-mail, or file/print operation offline in response to a suspected attack. But it isn’t an all-or-nothing deal. An automated security system needn’t shut down all traffic on a given port every time it senses trouble. It can selectively cut off only vulnerable services such as Web-based administration and remote database access.
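The selective cut-off Tom describes, sketched as an added example (not code from the column or its authors): a small containment policy that blocks a flagged source only from administrative and remote-database services, and never takes public Web or mail offline without an operator. Service names, thresholds and the sample alerts are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed service classes for one host.  Public-facing services stay
# up; only administrative / remote-access services may be cut off with
# no human in the loop.
ESSENTIAL = {"web", "smtp"}
RESTRICTABLE = {"web-admin", "remote-db"}

@dataclass(frozen=True)
class Alert:
    src_ip: str        # source the detector flagged
    service: str       # exposed service the traffic targeted
    confidence: float  # detector confidence, 0.0 .. 1.0

@dataclass
class Response:
    blocks: set = field(default_factory=set)     # (src_ip, service) to cut off
    escalated: set = field(default_factory=set)  # services left to an operator

def decide(alerts, threshold=0.8, repeat=3):
    """Map a batch of alerts to the narrowest automated containment.

    A confident alert on a restrictable service blocks only that source's
    access to that service.  A source tripping >= repeat confident alerts
    loses all restrictable services.  Essential services are never
    disabled here; they are flagged for human review instead.
    """
    resp = Response()
    hits = {}
    for a in alerts:
        if a.confidence < threshold:
            continue                        # below threshold: log only
        hits[a.src_ip] = hits.get(a.src_ip, 0) + 1
        if a.service in RESTRICTABLE:
            resp.blocks.add((a.src_ip, a.service))
        elif a.service in ESSENTIAL:
            resp.escalated.add(a.service)
        if hits[a.src_ip] >= repeat:        # repeat offender: widen the block
            for svc in RESTRICTABLE:
                resp.blocks.add((a.src_ip, svc))
    return resp

# Constructed sample alerts (documentation-range addresses)
SAMPLE = [
    Alert("203.0.113.7", "web-admin", 0.95),
    Alert("203.0.113.7", "web", 0.90),
    Alert("198.51.100.4", "remote-db", 0.50),
    Alert("203.0.113.7", "web", 0.85),
]
```

Running `decide(SAMPLE)` blocks 203.0.113.7 from both restrictable services while the public Web service is only escalated, and the low-confidence alert from 198.51.100.4 produces no block at all.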