Intrusion Prevention Offers A False Sense of Security
Beyond provisioning a firewall, the primary network security appliance deployed on virtually every organization’s network is an intrusion prevention system (IPS). An IPS is a network security appliance that monitors network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about that activity, attempt to block that activity and then report it.
There are two primary types of underlying technologies used in an IPS: signature-based detection and stateful protocol analysis detection. Signature-based detection uses attack patterns, or signatures, that are pre-configured and predetermined. A signature-based intrusion prevention system monitors network traffic for matches to these signatures. Once a match is found, the intrusion prevention system takes the appropriate action.
Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and conditions needed to exploit the vulnerability.
Stateful protocol analysis detection (SPAD) identifies deviations from expected protocol states by comparing observed events with predetermined profiles of generally accepted definitions of benign activity. It’s still a signature, but IT organizations often consider SPAD to be something different altogether. It reduces false positives, but provides no more protection and can still be evaded.
Both of these detection methods are based on the notion that loading a small subset (approximately 1,500) of signatures from a large (over 60,000) library is the only effective means to identify malicious activity. But this leaves an organization 97.5% exposed to the known attack methods and 100% exposed to any new, emerging threats.
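To make the two detection methods and the coverage gap concrete, here is a toy signature matcher beside a toy stateful protocol analyser, run over constructed sessions. This is an added illustration, not any vendor's IPS logic; the protocol, the signature patterns and the session contents are all invented for the example.

```python
# Added illustration: toy signature-based detection beside toy stateful
# protocol analysis (SPAD), run over constructed messages. Hypothetical code,
# not any real IPS engine.

# Constructed "signatures": byte patterns an exploit-based signature looks for.
SIGNATURES = {b"/bin/sh": "shell-spawn", b"%n%n": "format-string"}

# Constructed protocol profile: a client must LOGIN before DATA, then QUIT.
ALLOWED = {"start": {"LOGIN"}, "authed": {"DATA", "QUIT"}, "done": set()}
NEXT_STATE = {"LOGIN": "authed", "DATA": "authed", "QUIT": "done"}


def signature_alerts(messages):
    """Flag every message whose payload contains a loaded signature pattern."""
    alerts = []
    for idx, (_cmd, payload) in enumerate(messages):
        for pattern, name in SIGNATURES.items():
            if pattern in payload:
                alerts.append((idx, name))
    return alerts


def protocol_alerts(messages):
    """Flag commands that deviate from the expected protocol state (SPAD-style)."""
    state, alerts = "start", []
    for idx, (cmd, _payload) in enumerate(messages):
        if cmd not in ALLOWED[state]:
            alerts.append((idx, f"{cmd} not allowed in state {state}"))
            continue  # state unchanged; the deviation is logged, not "fixed"
        state = NEXT_STATE[cmd]
    return alerts


# Constructed session 1: benign traffic whose body happens to mention /bin/sh.
BENIGN = [("LOGIN", b"alice"),
          ("DATA", b"ticket: nightly cron job runs via /bin/sh"),
          ("QUIT", b"")]
# Constructed session 2: a client that breaks protocol order.
OUT_OF_ORDER = [("DATA", b"sent before any login"), ("QUIT", b"")]
# Constructed session 3: well-formed protocol carrying content that matches
# nothing in the loaded signature set (the "new, emerging threat" case).
NOVEL = [("LOGIN", b"mallory"),
         ("DATA", b"content absent from the signature library"),
         ("QUIT", b"")]
```

The signature matcher raises a false positive on the benign session, SPAD catches only the protocol deviation, and neither produces an alert for the well-formed session whose content is not in the loaded signatures.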
To compound the problem, most organizations rely heavily on the IPS manufacturer to select the subset of signatures to load from their vast library. Obviously, network vulnerabilities vary greatly from one organization to the next, and IPSs are not designed to detect network vulnerabilities. Given that less than 2.5% of the signature library can be loaded at one time, what is the likelihood the right set of signatures will be selected?
There are other concerns as well. NSS Labs reports that 85% of the IPS signatures loaded are typically disabled from blocking due to a high false positive rate. When you consider that IPSs are marketed, sold and deployed in an unintended mode of operation, it’s obvious that IT organizations have been lulled into a false sense of security.
Further, IPSs are deployed at the edge of the network where traffic flows to and from the Internet. This leaves the entire inside of the network unmonitored and unprotected. Protecting only the perimeter assumes that there is no other means of entry into the network. This approach doesn’t take into account mobile devices such as laptops, smartphones, USB drives and DVDs.
This also ignores the fact that users have direct access to the Internet from inside the network, which provides an encrypted connection (i.e. HTTPS) directly into the middle of the network, and the stealthiest means (e.g. advanced persistent threats) to bypass the organization’s perimeter defenses.
When you think about the industry’s reliance on IPSs to secure networks, the approach seems so flawed that it’s a wonder that they have become such a widely used tool.
Regardless, it’s what is currently in use today and provides a very compelling argument to consider a different approach.
We’ll consider other approaches to enterprise security in our ongoing series of blog posts.