Years ago, there was a TV commercial where two people—one eating chocolate and the other peanut butter—crash into each other and combine the two to form the Reese’s Peanut Butter Cup. A similar collision has occurred in the world of computer security, only this time it’s the personal firewall and intrusion detection system (IDS) that have collided to form the intrusion prevention system (IPS).
Malicious attacks on business-critical applications have become a fact of life for today's IT managers and CSOs, and the need to protect our networks from the endless stream of attacks, whether driven by a human intruder or by self-propagating malicious code, has risen dramatically. As a result, we employ preventive measures that may include sound security policies, well-designed system architecture, properly configured firewalls and strong authentication. Although these controls are necessary, none of them inspects the content of traffic that the firewall has already allowed through, so they may not be enough against today's breed of application-level attacks. Enter the IPS.
When you combine the blocking capabilities of a firewall with the deep packet inspection capabilities of an IDS, you get a new hybrid security tool, referred to as an IPS. Intrusion prevention systems come in two flavors: they can be either network-based (NIPS) or host-based (HIPS). These tools inspect traffic or host activity in much the same way an intrusion detection system does, except that when an event matches a rule they actually take action, typically dropping the offending packets or resetting the connection, rather than just alerting you to the fact that something has happened. The price of that capability is that the IPS sits in the path of production traffic: a rule that misfires no longer just generates a noisy alert, it blocks a legitimate connection.
The job of an NIPS is to protect an entire network segment, but for exactly that reason these tools are usually very conservative in the traffic they block. Discerning which packets are malicious attacks as opposed to normal activity is an onerous task, and a false positive in-line cuts off legitimate users for every host behind the device. As a result, in order to retain normal network activity, an NIPS is tuned to drop only traffic it is highly confident is malicious and merely alerts on the rest. An HIPS can afford to be more aggressive because it sees context the NIPS lacks: which process received the data and what it then tried to do on the host. For protecting individual critical systems, an HIPS may therefore offer more effective protection than an NIPS.
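The following is an added example, not code from the article or from any of the vendors it names. It models the distinction drawn above in a few dozen lines of Python: the same rule set run in "detect" mode behaves like an IDS (log and forward everything), and run in "prevent" mode behaves like an in-line IPS. A `block_threshold` parameter (my assumption, not a feature of any named product) models the conservative NIPS tuning described in the text: matches below the threshold are logged but the packet is still forwarded. The rules and the sample traffic are constructed for the example.

```python
"""Minimal in-line packet inspector: IDS mode alerts, IPS mode drops.

Added illustration; the rules, packets and the confidence/threshold
scheme are constructed assumptions, not a real product's signatures.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: re.Pattern  # matched against the raw payload bytes
    confidence: int      # assumed 0-100: how reliably a hit is a real attack


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample rule set (not any vendor's signatures).
RULES = [
    Rule("dir-traversal", re.compile(rb"\.\./\.\./"), 95),
    Rule("sqli-union-select", re.compile(rb"(?i)union\s+select"), 85),
    # Deliberately noisy rule: "'--" also appears in ordinary text.
    Rule("sql-comment", re.compile(rb"'--"), 40),
]


class Inspector:
    """Deep packet inspection with a configurable response.

    mode="detect"  -> IDS behaviour: every matching packet is logged and
                      forwarded.
    mode="prevent" -> IPS behaviour: a match whose confidence is at least
                      block_threshold is dropped; weaker matches are logged
                      and forwarded, which is how a conservative NIPS is tuned.
    """

    def __init__(self, mode: str, block_threshold: int = 0, rules=RULES):
        if mode not in ("detect", "prevent"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.block_threshold = block_threshold
        self.rules = rules
        self.alerts: list[tuple[str, str]] = []  # (rule name, source address)

    def inspect(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet, recording any alerts."""
        verdict = "forward"
        for rule in self.rules:
            if rule.pattern.search(pkt.payload):
                self.alerts.append((rule.name, pkt.src))
                if self.mode == "prevent" and rule.confidence >= self.block_threshold:
                    verdict = "drop"
        return verdict


def bridge(packets: list[Packet], inspector: Inspector) -> list[Packet]:
    """Model of an in-line bridge: only packets the inspector forwards
    reach the far side of the device."""
    return [p for p in packets if inspector.inspect(p) == "forward"]


# Constructed sample traffic: one clean request, two attacks, one
# legitimate post that happens to trip the noisy rule.
TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.9", "10.0.0.80", 80,
           b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\n"),
    Packet("203.0.113.9", "10.0.0.80", 80,
           b"GET /item?id=1 UNION SELECT user,pass FROM t HTTP/1.0\r\n"),
    Packet("10.0.0.7", "10.0.0.80", 80,
           b"POST /comment body=rock 'n' roll'-- classic HTTP/1.0\r\n"),
]


def run(mode: str, block_threshold: int = 0) -> tuple[int, list[str]]:
    """Push the sample traffic through the bridge; return how many packets
    got through and which rules fired."""
    insp = Inspector(mode, block_threshold)
    forwarded = bridge(TRAFFIC, insp)
    return len(forwarded), [name for name, _ in insp.alerts]


if __name__ == "__main__":
    print("IDS (detect):           ", run("detect"))
    print("NIPS (prevent, >=75):   ", run("prevent", 75))
    print("aggressive (prevent, 0):", run("prevent", 0))
```

Running the three configurations side by side shows the trade-off the article describes: detect mode forwards all four packets and raises three alerts; the conservative in-line configuration drops the two high-confidence attacks but lets the legitimate comment through while still alerting on it; the aggressive configuration also drops that legitimate post.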
The following products are just a small sampling of the many available host-based intrusion prevention systems on the market today:
- Border Guard by Latis Networks (aka StillSecure) is an example of a modern-day, feature-rich intrusion detection and prevention system (IDS/IPS). Designed for Windows-based computers, it offers the ability to detect, analyze and then respond to attacks. The vendor claims that its design virtually eliminates the false positives inherent in many IPS or IDS products; if that holds in your environment, it lets you concentrate on only the attacks that pose real threats to your organization, so test the claim against your own traffic before trusting it in-line. Border Guard functions as an IPS when installed in-line (called the "gateway" mode). In this configuration, Border Guard acts as a bridge, and all traffic flows through it, which means the device's throughput and availability become limits on the network's, and you need to decide in advance whether it fails open or fails closed. For more information on Border Guard, visit www.latis.com/products/bg/.
- Prevx Home IPS does not use signatures. Instead, it monitors your system memory, registry and other critical files and alerts you to any questionable or suspicious activity, asking whether or not the action should be allowed to proceed. According to the vendor's Web site, "Prevx Home will protect your PC against worms, Trojans, malicious spyware, malware and hacker attacks that bypass traditional security technology." Prevx Home is designed to close the security gap that exists between when a fast-spreading Internet worm is released and when updated signatures from anti-virus vendors become available. The trade-off of this behavior-based approach is that its protection depends on the user answering the prompts correctly; a user who learns to click "allow" to make the dialogs go away has silently turned the HIPS off. For more information about Prevx Home IPS, visit www.prevx.com/default.asp.
Several other intrusion prevention products you may want to look at include:
- McAfee Entercept Standard Edition (www.mcafeesecurity.com/us/products/mcafee/host_ips/standard_edition.htm)
- Lucid Security’s ipANGEL (www.lucidsecurity.com/ipangel.php)
- NFR Security (www.nfr.com/solutions/sentivist-ips.php)
The bottom line is that there is no magic bullet in computer security. Security is a process, not a product, and it requires a commitment of time and effort: an IPS still needs continuous monitoring, rule maintenance and tuning as your network and the attacks against it change.
Before purchasing an IPS product, take a careful look at the functionality offered. Study the detection and prevention mechanisms the various vendors use (signature matching, protocol anomaly detection, host behavior monitoring), how each is tuned to limit false positives, and how the product behaves when it is placed in-line. The IPS can be considered a natural evolution of firewall and intrusion detection technology. Its proactive (rather than merely reactive) capabilities can help keep networks safer from the more sophisticated attacks out there.
Douglas Schweitzer, A+, Network+, i-Net+, CIW, is an Internet security specialist and the author of "Securing the Network From Malicious Code" and "Incident Response: Computer Forensics Toolkit."