The SQL Slammer worm began its rampage shortly after midnight on Jan. 25, 2003. Within days, the insidious piece of code had infected more than 120,000 computers, slowed Internet traffic, crashed sites and even disabled ATMs, costing companies an estimated $1 billion in lost productivity worldwide, according to analyst firm Mi2g. The irony? Slammer exploited a vulnerability in SQL Server for which Microsoft had already issued a patch—six months earlier.
It’s not that IT administrators are lazy or negligent—it’s that locking down operating systems and applications has become an almost unmanageable job. The CERT Coordination Center recorded 417 security vulnerabilities in 1999. By 2002, there were 4,129 new vulnerabilities.
This situation makes the newest class of security technologies—intrusion prevention systems (IPSs)—look pretty good. Supplementing patches, firewalls and other traditional approaches to security, an IPS can provide security at the most fundamental levels: the operating system kernel and the network data packet. An IPS can also be cheap insurance: Host-based systems can cost as little as a few thousand dollars per server, while network-based IPS appliances typically cost between $10,000 and $90,000, plus ongoing support fees.
“It makes sense to protect the host so that if all else fails, it will have a better chance of standing alone on its own two feet,” says Bill Stevenson, information security officer for New Century Mortgage. His company has been using host-based intrusion prevention from Entercept since late 2000 as a major part of the back-field defense for its servers. So far, it’s worked: New Century’s IPS successfully repulsed Slammer.
Don’t Tell Me, Fix It!
Interest in intrusion prevention is increasing, thanks in part to a growing disenchantment with intrusion detection systems (IDSs), which notify administrators of attacks but don’t actually stop those attacks. Market maturity is also a factor, as demonstrated by the acquisition of IPS company OneSecure by NetScreen along with planned acquisitions by Cisco (of Okena) and Network Associates (of Entercept and Intruvert).
These factors should spark significant growth in the IPS space. Market research company Infonetics estimates the combined intrusion detection and intrusion prevention market will grow to $1.6 billion by 2006, with IPS accounting for the majority of the growth.
Intrusion detection vendors, such as Cisco, Internet Security Systems and SourceFire, are retooling their products to proactively stop network attacks. CheckPoint and NetScreen are adding IPS capabilities to their firewalls. And dozens of smaller vendors are touting security add-ons, secure Web servers and even ordinary firewalls as “intrusion prevention systems.”
The result is a confused marketplace. “Since there are so many different ways to detect an attack, it’s very unclear what you mean when you use a term such as intrusion prevention,” says Pete Lindstrom, research director for Spire Security, an independent analyst company.
Lindstrom and other analysts differentiate true intrusion prevention systems from older technologies, such as firewalls and IDSs, that have been updated with new “prevention” features. Broadly speaking, the new crop of IPS products falls into two categories: host-based intrusion prevention (HIP) products such as those offered by Entercept, Harris and Okena; and even newer network-based intrusion prevention appliances offered by companies including Intruvert, OneSecure and TippingPoint.
Locking Down the Host
A HIP product protects servers and workstations through software agents that sit between applications and the OS’s kernel. The agent intercepts system activity at the lowest level—disk read-write requests, network connection requests, and attempts to change the registry and write to memory—and either allows or denies the activity based on predetermined rules. For example, an application would not be able to modify certain files or change data in the system registry. A HIP system can also block behavior that is clearly malicious, such as rewriting OS executables. The upshot is that most security exploits simply won’t work. Attackers might be able to get through your network defenses to a server, but they couldn’t actually do anything once they got there.
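To make the allow/deny decision concrete, here is an added example (not Entercept’s, Okena’s or any other vendor’s code) of the kind of policy check a HIP agent runs on each intercepted request. The process names, file paths, registry keys and rules are all constructed for the demo; a real agent hooks the kernel and ships with a far larger policy, but the shape of the decision is the same: match the request against an ordered rule list, first match wins, and anything unmatched is denied.

```python
"""Toy host-based intrusion prevention policy engine (added example, constructed data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    """One intercepted low-level request, as a HIP agent would see it."""
    process: str   # image that issued the request, e.g. "inetinfo.exe" (constructed)
    action: str    # "write", "registry_set", "connect" or "exec"
    target: str    # file path, registry key or host:port the request touches


@dataclass(frozen=True)
class Rule:
    process: str   # glob on the process name; "*" matches any process
    action: str
    target: str    # glob on the target
    verdict: str   # "allow" or "deny"


@dataclass(frozen=True)
class Decision:
    event: Event
    verdict: str
    reason: str


# Constructed policy. Order matters: the first matching rule decides.
POLICY = [
    # Nobody rewrites OS executables or libraries, whatever the process.
    Rule("*", "write", "C:/Windows/System32/*.exe", "deny"),
    Rule("*", "write", "C:/Windows/System32/*.dll", "deny"),
    # Nobody adds autostart entries under a Run key.
    Rule("*", "registry_set", "HKLM/*/Run*", "deny"),
    # A web server has no business launching other programs.
    Rule("inetinfo.exe", "exec", "*", "deny"),
    # ...but it may write its own logs.
    Rule("inetinfo.exe", "write", "C:/Inetpub/logs/*", "allow"),
    # The database engine may touch its data files and its own registry hive.
    Rule("sqlservr.exe", "write", "C:/Data/*.mdf", "allow"),
    Rule("sqlservr.exe", "registry_set", "HKLM/Software/Microsoft/MSSQLServer/*", "allow"),
]


def matches(rule: Rule, ev: Event) -> bool:
    """Case-sensitive glob match on process and target; action must be identical."""
    return (fnmatchcase(ev.process, rule.process)
            and rule.action == ev.action
            and fnmatchcase(ev.target, rule.target))


def decide(ev: Event, policy=POLICY, default: str = "deny") -> Decision:
    """Return the verdict of the first matching rule, or the default (deny) if none match."""
    for rule in policy:
        if matches(rule, ev):
            return Decision(ev, rule.verdict, f"rule {rule.process} {rule.action} {rule.target}")
    return Decision(ev, default, "default policy (no rule matched)")


def enforce(events, policy=POLICY):
    """Evaluate a batch of intercepted events; returns one Decision per event."""
    return [decide(ev, policy) for ev in events]


def summarize(events, policy=POLICY):
    """Count allow/deny verdicts over a batch of events."""
    counts = {"allow": 0, "deny": 0}
    for d in enforce(events, policy):
        counts[d.verdict] += 1
    return counts


# Constructed sample of intercepted activity on a web/database server.
SAMPLE_EVENTS = [
    Event("inetinfo.exe", "write", "C:/Inetpub/logs/ex030125.log"),
    Event("inetinfo.exe", "exec", "C:/Windows/System32/cmd.exe"),
    Event("inetinfo.exe", "write", "C:/Windows/System32/wsock32.dll"),
    Event("sqlservr.exe", "write", "C:/Data/master.mdf"),
    Event("sqlservr.exe", "registry_set", "HKLM/Software/Microsoft/Windows/CurrentVersion/Run/svc"),
    Event("backup.exe", "write", "C:/Data/master.mdf"),
]

if __name__ == "__main__":
    for d in enforce(SAMPLE_EVENTS):
        print(f"{d.verdict:5}  {d.event.process:13} {d.event.action:12} {d.event.target}  [{d.reason}]")
    print(summarize(SAMPLE_EVENTS))
```

The point of the default-deny is the one the article makes: an exploit that reaches the server still has to ask the kernel to write a file, set a key or spawn a process, and a request that matches no allow rule never reaches the kernel. The cost of that design is the deployment work the article mentions later: every legitimate behavior of every protected application needs an allow rule, which is where the per-host tuning effort goes.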
For Stuart McClure, president and CTO of Foundstone, host-based intrusion prevention is a much-needed stopgap measure. Foundstone, a security software and services company, uses Entercept to protect its servers against known vulnerabilities without having to install security patches first. This lets the company test and install patches on a monthly schedule instead of rushing to install them as soon as they are released.
A HIP benefits from contextual information about the server being attacked, which can make it more efficient than blanket network security. “You can get a microscopic analysis of what’s going on,” says Ed Skoudis, vice president of security strategy for Predictive Systems, an IT consultancy that works with both Okena and Entercept. A HIP system on a Solaris box can safely ignore attacks aimed at Windows systems, for instance. And because they focus on behavior, HIP systems can resist never-before-seen attacks, whereas network-based IDS and IPS systems require constant updates to identify the latest worms, viruses and exploits.
There are downsides to host-based intrusion prevention, however. It’s useless against intrusions aimed at your network in general—such as denial-of-service attacks. You also need to install it on every system you want to protect, which can create a deployment headache. (HIP vendors have only recently started adding enterprise-level management tools to their products.) HIP also uses some system resources, although McClure estimates only 2 percent to 5 percent of CPU time.
What’s more, HIP systems truly are the last line of defense. “They only function when things have gotten seriously out of hand,” says Martin Roesch, founder and CTO of security services provider SourceFire. “Every car should have airbags, but wouldn’t it be nicer to avoid the accident in the first place?” Still, for providing an additional layer of security on critical hosts, HIP is a compelling option.
In general, network-based IPSs sit “in line,” intercepting network traffic, scanning it for suspicious activity, and either blocking it or passing it along. Such systems use a range of techniques, from IDS-like signature scanning (looking for telltale strings of bytes) to protocol anomaly detection (figuring out when a packet of data is trying something not ordinarily permitted by its data transmission protocol).
Some network intrusion prevention systems take more devious approaches to network protection. ForeScout’s ActiveScout, for instance, responds to suspicious activity (such as port scanning) by sending a specially coded, “tagged” response. If the attacker then tries to act on the tagged information, ActiveScout immediately recognizes that an attempted attack is in progress and can shut off the connection before any damage occurs.
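The three network techniques named in the two paragraphs above (byte-signature scanning, protocol anomaly detection, and ForeScout-style tagged responses) can be shown together in one small in-line inspector. This is an added example and not ForeScout’s, TippingPoint’s or any other vendor’s code: the signatures, the open-port list, the HTTP checks and the packets are all constructed, and the tag is a plain hash where a product would use its own scheme. The generalization over the text is that it runs the stages in the order a real appliance would have to (known attacker first, then signatures, then protocol checks, then bait for probes of closed ports).

```python
"""Toy in-line network IPS (added example, constructed signatures and traffic)."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str         # source address (constructed)
    dst_port: int    # destination port on the protected host
    payload: bytes   # application-layer bytes


@dataclass
class Verdict:
    action: str            # "pass", "block" or "respond"
    reason: str
    response: bytes = b""  # synthetic reply the IPS sends on the host's behalf


# Constructed signatures: byte strings a signature engine would look for.
SIGNATURES = {
    b"EVIL-PAYLOAD": "constructed signature #1",
    b"../../../": "directory traversal string",
}

HTTP_METHODS = {b"GET", b"HEAD", b"POST"}
MAX_REQUEST_LINE = 512
OPEN_PORTS = {80, 443}   # constructed: the services the protected host actually offers


def signature_hit(payload: bytes):
    """Return the name of the first matching signature, or None."""
    for sig, name in SIGNATURES.items():
        if sig in payload:
            return name
    return None


def http_anomaly(payload: bytes):
    """Return a description of the first HTTP request-line violation, or None."""
    line, _, _ = payload.partition(b"\r\n")
    if len(line) > MAX_REQUEST_LINE:
        return f"request line {len(line)} bytes exceeds {MAX_REQUEST_LINE}"
    parts = line.split(b" ")
    if len(parts) != 3:
        return "request line is not METHOD SP target SP version"
    method, target, version = parts
    if method not in HTTP_METHODS:
        return f"method {method!r} not permitted"
    if not version.startswith(b"HTTP/1."):
        return f"unexpected version {version!r}"
    if not (target.startswith(b"/") or target.startswith(b"http://")):
        return "request target is neither an absolute path nor a URL"
    return None


@dataclass
class InlineIPS:
    secret: bytes = b"constructed-tag-key"          # placeholder, not a real key scheme
    issued_tags: set = field(default_factory=set)    # bait tokens handed to probers
    blocked: set = field(default_factory=set)        # sources already identified as attackers

    def tag_for(self, src: str, port: int) -> bytes:
        """Deterministic per-source, per-port token embedded in a bait banner."""
        digest = hashlib.sha256(self.secret + f"{src}:{port}".encode()).hexdigest()
        return digest[:12].encode()

    def inspect(self, pkt: Packet) -> Verdict:
        if pkt.src in self.blocked:
            return Verdict("block", "source previously identified as attacker")
        # Stage 1: the sender is acting on bait data that only a prober ever received.
        for tag in self.issued_tags:
            if tag in pkt.payload:
                self.blocked.add(pkt.src)
                return Verdict("block", "payload reuses a tagged-response token")
        # Stage 2: byte-signature scanning.
        name = signature_hit(pkt.payload)
        if name:
            return Verdict("block", f"signature match: {name}")
        # Stage 3: protocol anomaly detection for the HTTP port.
        if pkt.dst_port == 80:
            why = http_anomaly(pkt.payload)
            if why:
                return Verdict("block", f"HTTP anomaly: {why}")
        # Stage 4: a probe of a closed port gets a tagged banner instead of a RST.
        if pkt.dst_port not in OPEN_PORTS:
            tag = self.tag_for(pkt.src, pkt.dst_port)
            self.issued_tags.add(tag)
            return Verdict("respond", "closed port probed; bait banner issued",
                           b"220 service ready " + tag + b"\r\n")
        return Verdict("pass", "no finding")


def run(packets, ips=None):
    """Push a packet sequence through one IPS instance; returns the list of actions."""
    if ips is None:
        ips = InlineIPS()
    return [ips.inspect(p).action for p in packets]


if __name__ == "__main__":
    ips = InlineIPS()
    for p in [Packet("10.0.0.9", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
              Packet("10.0.0.9", 80, b"GET /../../../etc/passwd HTTP/1.1\r\n"),
              Packet("10.0.0.5", 21, b""),
              Packet("10.0.0.5", 80, b"GET /" + ips.tag_for("10.0.0.5", 21) + b" HTTP/1.1\r\n"),
              Packet("10.0.0.5", 80, b"GET / HTTP/1.1\r\n")]:
        v = ips.inspect(p)
        print(f"{p.src:10} :{p.dst_port:<4} {v.action:8} {v.reason}")
```

Two properties worth noticing map directly onto the article’s caveats. Stages 2 and 3 are where false positives live: the overlong-request-line check will also block a legitimate client that sends an unusually long URL, which is the service-interruption risk the next section describes. Stage 4 is the only one that never touches legitimate traffic, since a real user has no reason to connect to a port the host does not serve, let alone to echo back a token that appeared only in a bait banner.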
Network-based intrusion prevention can be useful in situations where host-based protection is impractical and firewalls aren’t effective—for instance, against attacks that originate within your own network. University of Dayton Associate Provost and CIO Thomas Danford, like many higher education IT executives, has to deal with students bringing worms and viruses onto the internal network regularly. “Before you know it, we’ve got worms slamming around all over the place,” says Danford, who calculates that the university receives 3,200 attacks on an average day. The solution: TippingPoint’s UnityOne IPS, which Danford installed behind the firewall to shut down suspicious traffic. When the Slammer worm hit in January, says Danford, “we didn’t experience any problems at all.”
Many IT managers, however, are reluctant to trust network-based intrusion prevention, in part because of the risk of service interruption. If your IDS misidentifies legitimate traffic, the false alarm is merely annoying; but an IPS that shuts down a customer connection by mistake could hurt your bottom line. “When people need to get to your system to trade, a couple of seconds of downtime could get you a seriously irate customer,” says a chief security officer at a financial services company who declined to be named. “For automated blocking, we think [intrusion prevention] systems are not mature enough to rely on yet.”
To the extent that network-based systems rely on signatures to identify attacks, they’ll need to be updated—and they may have difficulty stopping brand-new attacks. It’s also important to consider the impact on network performance when installing an in-line system—if it can’t support your network’s maximum bandwidth utilization or introduces significant latencies, it will be a bottleneck. For that reason, many vendors are moving toward appliances (some of which support gigabit speeds), rather than software.
Where IPS Fits In
Almost no one claims that any type of intrusion prevention system will replace firewalls and other mainstays of network security outright. Instead, analysts say, these systems make the most sense as part of a layered security strategy that makes use of several different technologies at multiple points in your network.
Nor will IPS kill the intrusion detection market, at least in the short term. If an attacker makes it past your other defenses (including the IPS), an IDS provides the information you need to contain the damage and prevent future attacks.
Ultimately, predicts Richard Stiennon, a research director at Gartner, network-based IPS capabilities will be integrated into firewall appliances. The host-based IPS, say Spire Security’s Lindstrom and other experts, will likely become more agent-based, centrally managed and ubiquitous—perhaps as part of an enterprise’s overall systems management strategy. But one thing is certain: As the number of attacks and vulnerabilities continues to grow, so will interest in intrusion prevention technologies of all kinds.
“Return on security investment is something that’s very, very difficult to show,” says New Century’s Stevenson. “But you pick up the paper every couple weeks, and to know that we’ve bypassed the latest critical worm or virus that’s on the Internet—that’s return on investment.”