© 2003 Secure Computing Corporation. All Rights Reserved. 08/14/03, SCC081403. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SecureOS, and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Firewall, Sidewinder G2, G2 Enterprise Manager, PremierAccess, MobilePass, Power-It-On!, enterprise strong, On-Box, Plug into a positive Web experience, and Protecting the world's most important networks are trademarks of Secure Computing Corporation.
W H I T E P A P E R
Intrusion Prevention Systems (IPS), part one
Abstract
Protecting networked applications from attackers who threaten application availability, database integrity, data-presentation integrity, and data privacy is at the forefront of IT security professionals' minds today. The term Intrusion Prevention has recently moved to the top of the buzz-factor charts in the security world, so most security and IT professionals want to learn more about it as quickly as possible. To understand what the buzz about Intrusion Prevention is really about, we first need to agree that the term itself can mean different things depending on who is doing the talking. Remember SSO, PKI, and IDS? Today's high-buzz three-letter acronym, IPS (Intrusion Prevention System), joins a long line of next-generation security technologies that promised to lead us to a higher level of security nirvana and peace of mind, so be advised. Because of the confusion around the term, it is important to organize and accurately describe the role and capabilities desired in order to understand what problems an Intrusion Prevention product might solve. This roughly breaks down to where in the network intrusions are prevented and how. There are basically two types of Intrusion Prevention being discussed in the marketplace today: host-based and inline (network-based). This paper deals exclusively with inline security. The paper also discusses the nature of known and unknown threats and why dealing with both is the ultimate goal of IT security. Dealing with known application-specific threats is the focus of Intrusion Prevention; preventing both known and unknown threats is the focus of Application Defenses, a term we also discuss in this paper. The goal of this paper is to offer insightful views of new terminology in the context of evolving application-level threats and the long list of both legacy and new security products that are quickly re-shaping around the terminology.
The paper provides common-sense clarity and is written for busy security and IT professionals who need to quickly find their way through the latest hype and determine what, if anything, to do about it. It concludes with five simple ways to evaluate new emerging vendors and their proposed security solutions for any type of organization.
TABLE OF CONTENTS

Summary of key points
    Intrusion Prevention Systems
    So, what then should organizations do to qualify their needs for Application Defenses and Intrusion Prevention?
Introduction
    Intrusion Prevention: revolution or evolution?
    IT security is evolution by definition
    The obvious need behind the Intrusion Prevention hype
    IT security ultimately needs to provide protection against known and unknown threats
    Characteristics of new application-level attacks that are driving security technology innovation
What is an Intrusion Prevention System?
    Intrusion Prevention Systems (IPS) defined
    What do the analysts say about IPS?
    Intrusion Prevention signals evolution from a reactive to a proactive security model
What's out there now and what can it do for me, or not?
    Products currently available trying to provide parts of Intrusion Prevention
    The security market is segmented
    Developing an Intrusion Prevention System is not an easy task
    The IPS buzz word is closely associated with new emerging companies and products
    What about IDS (Intrusion Detection Systems)?
    Emphasis on performance
    Trade-offs with ASICs
Application Defenses defined
    What are Application Defenses?
    Why firewalls with Application Defenses are the home for IPS
The state of IPS technology
    Long-term goals
    Challenges to reaching these goals
A pragmatic view of the future
Evaluating options
    Security matters
    Current investments matter
    Track record matters
    Relationships matter
    Your needs matter
Glossary of terms
References
So, what then should organizations do to qualify their needs for Application Defenses and Intrusion Prevention?
Talk to the security vendors you trust and with whom you have a strong relationship, and discuss their thinking about, and their roadmap for, Application Defenses. Have them help you distinguish between the hype and the reality. Understand technically how their product might protect your network against new emerging threats in a practical context. For example: ask how their offering could potentially stop the Code Red, Nimda, or SQL Slammer of tomorrow. Move cautiously before putting an unproven system into production. Experiment with new entrant products in a lab or in front of non-mission-critical networked applications.
Introduction
Intrusion Prevention: revolution or evolution?
The term Intrusion Prevention, which has recently shown up in the lexicon of the security industry, is certainly more than a marketing incantation. However, it definitely does not describe a revolutionary new security technology. To describe Intrusion Prevention as revolutionary, one would have to have a limited view of the security products market. Intrusion Prevention, as understood in this paper, encompasses aspects of many well-known, existing security technologies including anti-virus, intrusion detection, firewalls, and employee Internet access filtering (to name just a few of the most obvious examples). Therefore, as much as some marketing professionals will try to make you believe that Intrusion Prevention is the next great leap forward, revolutions rarely occur in the security world. Rather, evolution is clearly the dominant method of change. And even when new security technologies occasionally show seemingly solid evidence of being revolutionary, which does happen of course, those technologies rarely succeed in the real world. Such is the world of IT security. This recent morphing of various security concepts, technologies, and terms into Intrusion Prevention is worth paying attention to, but don't look for the world to change much in the immediate future as a result.
Business-line managers are pushing for more open access to corporate applications in an effort to achieve higher productivity. Extranet access points via IPsec and so-called client-less VPNs are being hooked into network perimeters to extend services to an increasingly mobile and distributed work force. Consumers are experiencing hacker-induced denials of service against online storefronts, causing frustration and a lack of confidence in transacting on the Internet. Credit card numbers and other private data are also being stolen. Widespread public privacy concerns have spurred new regulations in the healthcare, financial, and corporate-reporting sectors, including HIPAA (the Health Insurance Portability and Accountability Act), Gramm-Leach-Bliley (GLB), and Sarbanes-Oxley, to name a few examples. Lawmakers are requiring more accountability from those who are required to provide information security and privacy. As a result of the demand to protect our systems, companies and government agencies are highly motivated to address the issue. Established security vendors in the firewall and IDS segments are examining their products and rethinking their messaging. Companies that build Web-farm High Availability (HA) load-balancing systems are even being encouraged by some market forces to see what they might have to offer against new threats to networked applications. New companies are also emerging (pre-IPO) with products intended to provide quick, singular fixes. The intentions are generally good and progress is being made, but an overriding solution is not yet here. This paper discusses the progress and the limitations of what is available today, as well as what is needed for a true, all-encompassing solution in the future, and what is needed to get us there.
IT security ultimately needs to provide protection against known and unknown threats
As new threats evolve, security professionals must face challenges on several fronts:

1. Provide protection against known application-specific threats slipping through commodity firewalls that can't see application-specific attacks (Intrusion Prevention). Anti-virus gateways supported by virus signature databases and update services provide some protection today, but more is needed.
2. Provide more granular filtering protections for all protocols, not just HTTP (multi-protocol Intrusion Prevention). Some of these threats are currently being addressed by hybrid application-proxy firewalls.
3. Solve the high incidence of false positives and false negatives associated with today's IDS solutions. Leading IDS vendors are working aggressively to address current shortfalls.
4. Provide application-specific filtering, blocking, and validating techniques with granular content controls for the purpose of eliminating as many known and unknown attacks as possible. The purpose is to reduce the risk of an unknown threat becoming the next Code Red in the news (Application Defenses). Hybrid firewalls capable of layer 3 to layer 7 security mechanisms will provide the most likely foundation for progress here.
5. Scale for high-bandwidth requirements. Progress here will include performance improvements in off-the-shelf hardware, programmable network interface cards, ASIC-based (application-specific integrated circuit) gateways, and better management tools for high-capacity clustered gateway solutions.

These objectives pose a tall order and the industry is part of the way there. Some systems are in place now to address portions of items 1, 2, and 3, and certain models in existence today provide the framework for addressing items 4 and 5.
Making progress in all of these areas will be an evolutionary process, and our intent in this paper is to provide insight into what is available today (pros and cons), and how the evolution to the next level is likely to develop in the future.
Characteristics of new application-level attacks that are driving security technology innovation
Security systems are being pushed forward because e-business initiatives have stretched them beyond their natural capabilities. This stretching has left systems and applications open to hackers discovering and then exploiting newly found weaknesses in the applications' client-server communication processes. Hackers have proven that it is not hard to find a plethora of vulnerabilities to exploit in both new and older versions of applications. These exist because automated programming tools and insufficient software testing methods do not, for example, treat user input to Web applications as a point of vulnerability. Building into applications the capability to natively protect themselves from attack during normal use is not a strong enough objective for application designers. And because the attacks occur during normal use of the application, these application-specific attacks do not necessarily violate RFC standards, or even the protocols themselves. As a result, the attacks are often invisible to the security filters in many systems and are able to hide in a normal-looking stream of traffic. This new evolution in attacks is clever, application-specific, and very hard to notice as an anomaly in what appears to be completely normal traffic.
Even more simply put, Intrusion Prevention is specifically targeted at finding (detecting) and then stopping (preventing) publicly known yet stealthy application-specific attacks. The term Intrusion Prevention System itself is used to combine (or unify) both the concept of a detection system and the concept of a prevention system under one construct. It is important to note the definition only addresses known attacks.
Over the past several years, the industry's insider-threat solution has focused on Intrusion Detection (IDS), but efforts there have proved disappointing to some degree (more on this later in the paper). The outsider-threat solution has focused on firewalls, but efforts there by commodity firewall manufacturers, obsessed with performance over security as their key differentiator, have proved disappointing as well. Carnegie Mellon University's CERT Coordination Center has had this to say about stateful inspection technology: "The principal motivation for stateful inspection is a compromise between performance and security." (Source: Security Requirements: Design the Firewall System, CERT Coordination Center, Carnegie Mellon University.)
What's out there now and what can it do for me, or not?
Products currently available trying to provide parts of Intrusion Prevention
As we've said, many are questioning whether Intrusion Prevention is a product and whether it is ready for prime time. All security products are designed to help prevent some aspect of an intrusion attempt. The term Intrusion Prevention can be considered a broad concept that unifies a number of the features found in traditional anti-virus, firewall, and intrusion detection products. The need for a proactive defense, to thwart targeted and opportunistic attacks on the enterprise and its applications, has not changed. But as we've indicated, no single product can currently provide this level of defense. So, then, what is available, and what are the benefits and drawbacks? We address this question in the sections below.
For various reasons, all of these solutions work well enough together to be considered generally effective against a large number of known threats. As a result of their deployment, the externally visible (exposed) profile of networks is reduced by:

1) making it harder to tell what computers are present
2) making it tougher to probe for vulnerabilities
3) creating a single point of entry and exit for monitoring [2]

According to the 2003 CSI/FBI Computer Crime and Security Survey, 99% of survey participants used anti-virus products and 98% owned a firewall, while 73% had an active deployment of intrusion detection capabilities [3]. However, all of these tools lack the integration and capabilities to cover the entire risk profile of publicly exposed business applications for one specific reason: they are unable to defend applications from the many new, unknown attacks that reveal themselves over time.
The IPS buzz word is closely associated with emerging companies and products
There are a number of emerging new security companies (all pre-IPO) focusing their message on Intrusion Prevention, but again, most cover only one protocol: HTTP. Many traditional multi-protocol security gateway companies (firewall, anti-virus, IDS) are adjusting their marketing and positioning as a result, and some of them claim to be building new technology. IDS vendors are claiming to be building firewalls. Load-balancing companies are being talked about as if they could be Intrusion Prevention Systems some day. A small number of new inline gateway products are coming onto the market that claim to mitigate the untenable react-and-patch cycle for Web servers. These emerging security companies are presently living on venture capital with one or two distinguishing features that may indeed solve some short-lived, known threats to specific applications, but they are almost exclusively Web-centric, which means they have a long way to go to replace the technically mature and heavily deployed enterprise firewall on the network. Moreover, these types of Intrusion Prevention capabilities are hardly available at all right now from the well-established, financially viable security companies. But in response to this new wave of application-specific attacks and the buzz around Intrusion Prevention, these established vendors have begun to change the way they talk about their products, whether or not their products actually prevent intrusions. Closely associated with the new Intrusion Prevention features being talked about, there is a growing notion that hardware-accelerated processing of security filtering is an enabler of the promises. We will talk more about this later in the paper, in particular regarding ASICs.
Given the present state of this emerging market, it seems there will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention-labeled space. The security community most recently experienced this evolutionary market cycle with IDS (intrusion detection), the buzzword of the last few years. The industry is going to take time to sort things out, and during that time enterprises are well served to examine carefully what specific needs they have in the context of their own changing requirements and organizational goals.
Figure 2: IDS monitors attacks but has systemic problems not yet solved.
Gartner's Research Director, Richard Stiennon, recently announced: "Intrusion detection systems are a market failure, and vendors are now hyping Intrusion Prevention systems, which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities." [7] Indeed, intrusion detection vendors are recognizing that the buzzword IDS is no longer the darling of market commentary and trade press activity. Many IDS vendors are re-stating their mission to address Intrusion Prevention. At least one is attempting to build a firewall from scratch. Many in the IT security community scoffed at the notion of multiple technologies merging (firewall, anti-virus, IDS, etc.). Yet Gartner is correct. The base IDS technology, as a blocking and prevention solution, has not fundamentally changed. Moreover, many of the types of attacks encoded in IDS signatures can be prevented by adding checks to application-level inspection firewalls. This raises the question: is IDS as universal as the firewall in providing a platform for multi-layered defense in depth? The answer is clearly no, but that does not mean the industry is rejecting IDS as a technology. The evolution of security technology into real-world, effective use continues just as it always has.
Emphasis on performance
The performance requirement to have hardware-assisted processing is part of the hype surrounding IPS. These technologies are useful in certain high-bandwidth, core network infrastructures, but on balance, companies evaluating vendors with ASIC (application-specific integrated circuit) components should understand that just because a company claims to use a special processor does not mean it will be able to quickly deploy comprehensive and extensible policy enforcement, or Application Defenses for that matter. In fact, the opposite may be true: the solution could be extremely limited. For example, there is a vendor recognized as one of the leaders in the firewall appliance market which has recently acquired an IDS vendor, yet its firewall appliance feature for protecting against malicious URLs is limited to 16 malicious URL string patterns, each of which can only be up to 24 characters long [8]. This example demonstrates that a vendor owning both ASIC technology and intrusion detection technology is not thereby qualified to replace more flexible software solutions in all product usage scenarios, in particular Application Defenses. To reinforce the point, be aware that this vendor has also had several significant vulnerabilities in its products [9]. The point is that they have other, more serious limitations beyond ASICs that are unfortunately shared by most other commodity firewall competitors as well. These commodity firewall providers have not yet delivered an architecture that will not itself introduce vulnerabilities into the networks where it is trusted to be deployed.
Trade-offs with ASICs
When evaluating vendor claims with regard to ASICs, organizations should realize the trade-offs.

ASICs are hard-coded. The core logic of an ASIC generally cannot be updated by software, meaning many of the vendors using them cannot extend the core logic. When additional checking, memory, or other requirements call for a hardware change, users have to purchase a new box.

ASICs are expensive. Security flaws and feature enhancements in hardware can't be fixed without a forklift upgrade.

ASICs are limited. ASICs are not so useful for certain types of security checking. For example, if a virus scanning engine is deployed in a gateway to scan file attachments, ASICs don't provide much value, since the packets have to be reassembled and the file attachments run through the scanner via disk or memory, not in the ASIC.
Application Defenses
Why firewalls with Application Defenses are the home for IPS
Firewalls are often the first line of defense. The goal of a firewall is to knock down things that are generic and opportunistic, and not just at the network level. Firewalls have proven very successful at this, particularly when layering stateful inspection and application proxy-based approaches. Today the traditional firewall vendors are recognizing the need for more thorough checking of application-level policies in order to eliminate the threat of attacks that use business applications against themselves. This means proxies, although in the past many firewall vendors lacking these capabilities tried to make "proxy" a dirty word. Yet recently, the same vendors are cloaking their own new use of proxies under fancy marketing jargon. Their anti-proxy rhetoric of the past is now coming back to challenge them. If stateful packet inspection firewalls were presently delivering the same level of application-specific checking as the newly emerging IPS solutions claim to, there would not be new market entrants based on proxy technology being installed behind or around already deployed commodity firewalls. This is not to say that proxies have solved all customer requirements, yet they provide the most proven Application Defenses of today and a solid foundation on which to build the next generation of Application Defenses in the near future. In the broad market (from consumer to Fortune 500) people have assumed the words "stateful inspection" to mean "firewall." However, because of the need for tighter protocol validation, traditionally provided by proxies, the concept of Application Defenses with Intrusion Prevention will include both proxy and stateful inspection technology. This is the perfect opportunity for IT security professionals to reacquaint themselves with the additional security capabilities of proxies.
For example, suppose an administrator is running T.120, a broad protocol used to support data conferencing services such as chat and whiteboarding (e.g., Microsoft NetMeeting). A hybrid firewall vendor (one that provides both proxies and stateful packet inspection) has a T.120 proxy that enforces controls on which specific T.120 services are allowed [10]. The organization's security policy may allow whiteboard and chat, but not desktop sharing. In a stateful packet inspection mode of operation this would not be possible. Likewise, traditional IDS can only look for specific signatures or use a statistical baseline to generate alerts. The use of application-layer proxies in this scenario complements the other technologies to provide a robust solution. There are a few additional product segments attempting to address Intrusion Prevention. For example, some Layer 7 switches have the ability to inspect the URL and direct particular requests to specific servers based on predefined rules [11]. This technology, plus the switch's unique location in the network, has certain advantages that might be used in future, more security-focused offerings. From a user's perspective, though, it is not clear how focused the vendors that make these products are on integrating with other solutions beyond the basics of today, or how they will provide Application Defenses.
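To make concrete the distinction this paper draws between Intrusion Prevention (matching publicly known attacks, as defined under "Characteristics of new application-level attacks") and Application Defenses (validating traffic against what the protected application legitimately accepts, as the proxy discussion above and the glossary describe), here is an added example in Python. It is not code from the original white paper or from any Secure Computing product. It models the two stages of checking an inline application-layer HTTP proxy could apply: a small signature list for known attack shapes, followed by a per-application policy on method, path, parameter length and header count. The signature patterns, the policy values, the `inspect` function and the sample requests are all constructed for illustration; the `.ida` and traversal patterns are loosely modelled on the request shapes of the Code Red and Nimda worms the paper mentions, not reproduced from them.

```python
import re
from dataclasses import dataclass

# Known-attack signatures: the Intrusion Prevention side. Constructed for
# this example; loosely modelled on an overlong .ida query (Code Red-style)
# and encoded directory traversal (Nimda-style).
KNOWN_SIGNATURES = {
    "ida-overflow": re.compile(rb"\.ida\?[Nn]{100,}"),
    "traversal": re.compile(rb"\.\./|%2e%2e|%255c", re.IGNORECASE),
}

# Application policy: the Application Defenses side. Constructed for a
# hypothetical storefront that serves only a handful of paths.
POLICY = {
    "methods": {b"GET", b"HEAD", b"POST"},
    "max_request_line": 512,
    "max_query_param_len": 64,
    "allowed_paths": re.compile(rb"^/(?:index\.html|catalog(?:/[\w-]+)?|cart)$"),
    "max_header_count": 40,
}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_request_line(raw: bytes):
    """RFC-level parse of 'METHOD SP target SP HTTP/1.x CRLF'.

    Returns (method, target, version, header_block), or None if the
    request line is not even syntactically valid HTTP.
    """
    line, _, rest = raw.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    return parts[0], parts[1], parts[2], rest


def inspect(raw: bytes) -> Verdict:
    """Signature matching first, then application-policy validation."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Verdict(False, "malformed request line")
    method, target, _version, header_block = parsed

    # Stage 1 (Intrusion Prevention): does the request match a known attack?
    for name, pattern in KNOWN_SIGNATURES.items():
        if pattern.search(raw):
            return Verdict(False, f"signature:{name}")

    # Stage 2 (Application Defenses): is this something the application
    # legitimately accepts? A protocol-valid request that matches no
    # signature can still be rejected here.
    if method not in POLICY["methods"]:
        return Verdict(False, "method not permitted")
    if len(raw.partition(b"\r\n")[0]) > POLICY["max_request_line"]:
        return Verdict(False, "request line too long")
    path, _, query = target.partition(b"?")
    if not POLICY["allowed_paths"].match(path):
        return Verdict(False, "path not in application policy")
    for param in (query.split(b"&") if query else []):
        _key, _, value = param.partition(b"=")
        if len(value) > POLICY["max_query_param_len"]:
            return Verdict(False, "query parameter too long")
    headers = [h for h in header_block.split(b"\r\n") if h]
    if len(headers) > POLICY["max_header_count"]:
        return Verdict(False, "too many headers")
    return Verdict(True, "ok")


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET /catalog/widgets?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "known_attack": b"GET /default.ida?" + b"N" * 200 + b" HTTP/1.0\r\n\r\n",
    "unknown_variant": b"GET /catalog/widgets?id=" + b"A" * 300
                       + b" HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "off_policy_path": b"GET /cgi-bin/admin.cgi HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}


def run_samples() -> dict:
    """Return {sample name: verdict reason} for every constructed sample."""
    return {name: inspect(raw).reason for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:16s} -> {reason}")
```

The third sample is the interesting one: it is a well-formed HTTP/1.1 request that trips no signature, yet the application policy rejects it because no legitimate catalog lookup carries a 300-byte identifier. That is the paper's point about attacks hiding in normal-looking traffic, and why a fixed list of a few short URL patterns (like the 16-by-24-character limit cited earlier) cannot substitute for validation against what the application actually accepts.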
Long-term goals
In the future, an inline security gateway solution should achieve these goals:

1. The ability to detect and prevent attacks based on logical or physical use of multiple enforcement technologies. Broadly, this includes the ability to prevent both known and, to some degree, unknown attacks using Application Defenses.
2. The ability to interoperate with deployed security infrastructure for the purposes of supporting data collection, electronic evidence, surveillance, and regulatory compliance as needed.
3. The ability not to disrupt business operations because of lack of availability, poor performance, false positives, or inability to interoperate with required authentication infrastructures.
4. The ability to support IT security professionals in delivering their organization's risk management plan, which includes the cost of implementation and operation and the work resulting from the system's alerts and reporting.
Evaluating options
Here are five things you should consider when evaluating Intrusion Prevention solutions.
Security matters
Does the product being proposed as a solution have a history of security vulnerabilities? Does it offer 12 things you have already implemented plus 2 that you have not? What is the differentiation, specific to your risk profile? Does it provide any Application Defenses?
Track record matters
What is the history of the company that purports to defend against intrusions? Have they recently been acquired by a larger firm or are they being targeted for an acquisition? Either situation could drastically affect you. Are members of their management recognized for security expertise? Is the vendor that proposes a solution profitable, or at least cash-flow positive? Do they have sufficient access to capital to fund their business plan? Are they actively trying to reinvent themselves? Is the story consistent?
Relationships matter
Consider integration with monitoring, alarming, and reporting. Are there third-party relationships for monitoring, reporting, and authentication that support your major enterprise requirements? Do they have relationships with the vendors in whom you are already significantly invested?
Your needs matter
Does the vendor understand the requirements for third-party certifications that others in the industry have achieved, e.g., Common Criteria? Do they understand the regulations you must comply with, e.g., Gramm-Leach-Bliley (GLB), Sarbanes-Oxley, or HIPAA? Are they trying to sell you a box or a solution?
Glossary of terms
Application Defenses
Application Defenses are application-specific filtering, compliance validation, and automated response techniques with granular content controls that deliver policy-based enforcement of communications to and from networked systems for the purpose of eliminating as many known and unknown attacks as possible.
Application-layer firewall
A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application-layer firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall rather than the internal host. [12]
Proxy
A software security agent that intermediates between a client requesting an application connection and the requested application service.
References

1. J. Pescatore, R. Stiennon. "Enterprise Security Moves toward Intrusion Prevention." Gartner CIO Update, 4 June 2003.
2. Fred Cohen. "Next Generation Firewalls." Burton Group Catalyst 2003 Conference, 10 July 2003.
3. Computer Security Institute (CSI). CSI/FBI Computer Crime and Security Survey, 2003, page 5.
4. Berners-Lee, T., et al. "Uniform Resource Locators (URL)." RFC 1738, CERN, December 1994. http://www.w3.org/Addressing/rfc1738.txt
5. Secure Computing Corporation. G2 Firewall Admin Guide version 6.0: 7-20.
6. BUGTRAQ ID 3292. Security Focus Vulnerability Database. http://www.securityfocus.com/bid/3292/discussion/
7. Gartner. "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure. Money slated for Intrusion Detection Should be Invested in Firewalls." 11 June 2003. http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp
8. Netscreen Technologies. Netscreen New Features Guide for ScreenOS 4.0.3: page 6. http://www.netscreen.com/services/support/product/downloads/screen_os/403_new_features.pdf
9. Netscreen. Security Focus Vulnerability Database. http://www.securityfocus.com/bid/vendor/
10. Secure Computing Corporation. G2 Firewall Admin Guide version 6.0: 7-31.
11. Desai, Neil. "Intrusion Prevention Systems: the Next Step in the Evolution of IDS." Security Focus. http://securityfocus.com/printable/infocus/1670
12. FirewallsDirect.com. Glossary. http://www.firewallsdirect.com/store/glossary
13. ComputerUser.com Dictionary. http://www.computeruser.com/resources/dictionary/definition.html?lookup=105
14. CMU Software Engineering Institute. State of the Practice of Intrusion Detection Technologies: Appendix A, Glossary. CMU/SEI-99-TR-028, January 2000. http://www.sei.cmu.edu/publications/documents/99.reports/99tr028/99tr028app-a.html