Intruding on the bottom line
- SC Magazine, July 2006
Are intrusion prevention systems worth the effort of managing them? Or can you get away with a good firewall? Rob Buckley investigates
Cal Slemp, vice-president of IBM's security and privacy services division, says the company believes the environment has shifted. “We are seeing organised, committed and tenacious profiteers enter this space. This means that attacks will be more targeted and potentially damaging.”
The attacks are mostly being targeted at high-profile companies, such as Google, but companies that operate in lucrative market areas such as finance are being targeted as well. Peter Rendell, CEO of IPS vendor Top Layer, says many of these attacks are variants on an older theme: “They're usually extortion: we'll take your site down if you don't pay a ransom.”
He recently installed an IPS at a major telecoms client that was worried about bandwidth being siphoned off and used for other people's profit, typically in VoIP schemes – a variant on a common technique used against telecoms firms in the 70s. “Google pays millions each year for its bandwidth. It stands to lose that if others steal its bandwidth,” he explains.
While the need for a working intrusion prevention system might therefore exist and be growing as attacks become more sophisticated, the question still remains as to whether the latest IPSs are capable of defending against them.
Certainly, the systems at the very high end can provide very powerful defences against attackers, but for the mid-range, some doubt remains. The Information Security Forum's Wilson believes his research suggests that, while IPSs have improved, they still don't have what it takes to provide cast-iron protection against attacks.
“The thinking with IDS and then IPS seems to be of ‘jam tomorrow’. But it has never worked quite that well.”
As high-end attackers begin to use a blend of techniques, including social engineering, and more and more legitimate traffic travels through web server port 80 now that web services are enabled, it is far harder for an IPS to provide complete protection without performing in-depth inspection of traffic content.
While computing power has increased, the volume of data that can arrive over a gigabit Ethernet connection is still more than most systems can inspect at line rate.
Both vendors and analysts agree that expecting an IPS to defend against everything is impossible. Indeed, in many cases, all that should realistically be expected of an IPS is the ability to block the majority of attacks, warn of other potential threats and maintain a forensic log in case of penetration.
“Some things could well get through,” admits Cisco security consultant Kevin Regan. Although Cisco's host-based IPS, the Cisco Security Agent, has a good track record of protecting against zero-day attacks, he warns that it's difficult to make any predictions. “There are hundreds of thousands of viruses out there,” he explains.
