Security landscape shifts as technologies combine

In today's era of perimeter-invading worms, malicious e-mails that don't rely on attachments, and tenacious spyware, safeguarding the enterprise demands a security framework that marshals a more sophisticated combination of technologies. A traditional firewall and an up-to-date virus scanner may no longer be enough.

But what is enough, exactly? Getting a handle on which solutions to deploy -- and where -- has become increasingly difficult, as emerging technologies have begun to overlap and functionalities have merged.

For example, if your new firewall can block application-layer threats, do you need an intrusion detection system? Should you choose a rules-based IDS, or one that uses anomaly detection to flag zero-day attacks? And when should you consider host-based security measures, or a specialized application security solution?

Naturally, the answers to these questions depend largely on the value of the assets you're trying to protect. In any case, it's critical to keep an eye on the changing landscape of point solutions. By keeping abreast of security advances, you'll be better positioned to capitalize them before newly evolving threats infiltrate your enterprise.

Firewalls and IDSes

Firewall vendors such as Check Point Software Technologies and Juniper Netscreen are touting new application-layer filtering capabilities, and these are important advances. After all, if your firewall is intelligent enough to block a DoS attack or a NetBus Trojan probe, you can rest so much easier.

Nevertheless, compared to a well-tuned IDS, even the most modern firewall is a blunt instrument -- and necessarily so. A stateful inspection firewall is an effective way to block unauthorized port traffic, defend against IP address spoofing, and thwart other, more recent types of attacks. Proxy firewalls, which prevent direct connections to hosts inside the network, provide yet another layer of protection.

But all firewalls have holes, if only because they must remain open to legitimate traffic. They can't inspect the contents of point-to-point VPN traffic, and even those that do make application-layer decisions can identify only a narrow range of threats that ride almost universally welcome protocols such as UDP and HTTP.

More and more malicious attackers are using port 80, which is almost always open between segments. In fact, if I were a malicious coder, I'd look first to port 80 -- or another commonly opened firewall port -- in order to gain entry to a network. To counter this, you need the data-level inspection that only an IDS or IPS can provide.

Detect or Prevent?

Because they can prevent malicious exploits, IPSes are outpacing IDSes as the preferred security systems of choice. After all, if an IPS can prevent an attack, why would you ever choose an IDS instead?

The problem is that many, if not most, IDSes and IPSes suffer from high percentages of false positives. And, whereas an IDS will only log a false positive, an IPS will block traffic marked as potentially dangerous, thereby preventing a significant amount of legitimate traffic from entering your network. Although vendors are working on improving accuracy, accidentally denying legitimate traffic can be even more catastrophic to your business than failing to block a malicious attack.