Prevent or deter?

Whether intrusion prevention is reality or just marketing-speak, it all comes down to a matter of trust

And in extreme cases, why not let the system pull the plug on everything? I’m sure students and faculty at the University of Texas would rather have suffered a few hours without online class registration than have their identities swiped. We accept the inconvenience caused by false positives in automated anti-virus and spam-blocking solutions. What makes this any different?

PJ: All I've seen so far are some point solutions, slide decks, and white papers. Device-managed intrusion prevention -- some refer to it as "active intrusion detection" -- is disruptive and can cause more trouble than it prevents. For example, if I'm running an attack against company XYZ, I'm going to pass myself off as something else, say a government body or university. Now I have two choices: impersonate that entity's network or, more effectively, compromise a host or three at Whatsamatta U. and use that as a launch pad for my assault. Either way, Company XYZ's active defense can only see an attack coming from What-U and block all traffic from that source, legit or not.

The problem here is that the vendors pushing intrusion prevention are missing the human element. As an admin, I want to know what's going on in my network, but I insist on having the final say about what comes through the firewall and what travels on my wires. That's a responsibility that I can't delegate to a box.

TY: But you should trust it to a box, P.J., and then hold that box’s maker responsible for keeping up with threats. You can’t make a full-time job of doing manual threat pattern recognition and dynamic response adaptation. Aren’t those ideal jobs for ultrafast modern computers and the custom chips that peek inside network packets at full wire speed? Products from big players such as Cisco and IBM and small, innovative players such as FortiNet can do far more on their own than IT typically asks of them.

It’s time to set security workers’ turf preservation and overblown worries about user inconvenience aside. Intrusion prevention solutions won’t get smarter until IT starts trusting them. There is no realistic alternative.

PJ: I'm not looking for miracles, but like our readers, I'm also not inclined to spend a lot of time on products that don't offer me some tangible return, or with fundamental architecture that leaves unaddressed large categories of vulnerabilities. The problem with relying on behavior analysis -- the popular alternative to signature-based defenses -- is that if an attack doesn't cause unusual behavior, it passes. That doesn't mean that any effort to apply behavioral analysis is invalid, just that it must be applied as part of a comprehensive approach to security.

Any successful defense will include signature-based methods and behavioral analysis as well as more traditional methods including restrictive firewall configuration and properly crafted access controls. But more importantly, an appropriate defense will incorporate an understanding of the network and the applications that run over it. After all, it's impossible to identify what's malicious if you can't tell what's benign.