Intrusion Prevention Systems: Excerpted from security focus maillist
I have the impression that some of the alternatives to IPS you mentioned are actually part of the IPS technology arena. A strict definition of what intrusion prevention systems comprise does not exist, and as such the name in itself also applies to e.g. firewalls. There is a large market theatre in which different types of IPS technologies are currently being deployed, with varying degrees of success. Parts of the market have matured (network firewall solutions), while some are still considered "difficult" implementations (in-line protocol decoding and blocking/active response -- which most people consider IPS).
Some of the well known alternatives:
- Intrusion Detection with human response
In large networks, an often deployed technology at this time is implementation of intrusion detection technology (both host- and network based) in combination with 24hr response. Events are flagged by security engineers in real time, tickets are created and followed up as soon as possible by the necessary incident response personnel. Detection of events, in such case, is often outsourced to a service provider, so that the organization can focus on responding to the threats reported.
This is a very effective framework due to the fact that it can be used to trigger on both known (network IDS), and unknown (network anomaly detection, host IDS) attacks. Physical security principles dictate that not all attacks can be prevented in each specific situation. What is important, is that we detect when an attack takes place, and have the necessary capability to respond and eliminate the threat at hand. This is the main reason that even though bank doors have advanced locks, they still have systems which detect when the door opens outside of business hours.
- Host based exploit prevention (e.g. address space randomization, non-executable pages)
While the thought given to designing these solutions is often intense, they still tend to be easy to implement -- provided only a limited number of applications needs to be supported on them. Due to the fact that most of them change the reference monitor used to screen events, they do tend to decrease overall performance of a system. Logging is often non-existent or difficult to centralize, and most of the software solutions in this field have had a troubled youth (the initial version of stack protection on Windows 2003 was defeated fairly quickly, as well as many others). This type of software is usually very helpful in stopping stock exploits, but may not be as secure against an attacker with enough resources.
- Application Firewalls (e.g. DMZ/Shield, Interdo, Appshield)
One of my personal preferences. While I must admit that I work for a company which develops one of these solutions, application level filters have always been an effective method to scrub inbound traffic. When correctly configured, these tools can truly limit traffic for backend servers to those sessions which do not contain malicious content, or at least malicious content which will not affect those servers. Main issue here is that configuration requires in-depth knowledge of the protocols affected. When knowledge is lacking in this perspective, configuration will be less than ideal. As such, this type of technology should inherently be deployed in combination with a professional audit of the policies. For most protocols and applications, these solutions are scalable, as they can be combined with other load balancing solutions (e.g. content switches for HTTP, round-robin DNS for SMTP).
- Host based Firewalls
As most operating systems have built in packet filtering tools, these should actually be part of hardening methodologies for servers. However, they do not block any application level attacks, and deployment for client machines could prove difficult. Centralized policy management is a requirement, but not always feasible due to different LAN locations and differing connection patterns between hosts. This type of protection tends to scale really well on well-structured networks. Networks with large amounts of legacy operating systems are not commonly considered suitable implementation beds without some prior review and rationalization.
There is no one solution which meets all needs, and depending on the assets you are trying to protect, any or none of the above combinations may be sufficient. I do believe it is at all times important to make sure that each of the prevention, detection and response bases are covered. In order to protect our infrastructure, we initially need to prevent people from getting in (using IPS: firewalls for network border controls, application firewalls for application level screening). We also need to identify people who are trying to get in (usually solved with a combination of host- and network IDS). Last, but not least, we need to respond to any incidents which may still occur (incident response). IPS has its place in the incident lifecycle, but it should not be seen as a one-size-fits-all solution, if your assets are truly important to you.
To compare this to physical security: We need a good lock on our car to keep thieves out. We also need an alarm to tell us somebody is trying to get in, and we do pay taxes to have police available who can catch the car thieves and prevent similar thefts from occurring in the future (deterrence).
Cheers,
Maarten
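The application firewall section above argues that such a filter is only as good as the protocol knowledge behind its policy. The following is an added example, not code from the list message or from any product it names: it models a positive-security policy for a hypothetical web application (paths, parameter names and patterns are all assumptions) and contrasts a strict policy with a loosely written one on a few constructed requests.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive-security policy for a hypothetical web application: each path lists the
# methods it accepts and a full-match pattern for every parameter it expects.
# Anything the policy does not describe is dropped before it reaches the backend.
STRICT_POLICY = {
    "/login": {"methods": {"POST"},
               "params": {"user": r"[a-z0-9_]{1,32}", "pw": r"[^\r\n]{8,128}"}},
    "/search": {"methods": {"GET"}, "params": {"q": r"[\w \-]{1,64}"}},
}

# The same policy written without studying the application: every parameter value
# is accepted, so the filter only enforces known paths, methods and parameter names.
LOOSE_POLICY = {
    path: {"methods": rule["methods"], "params": {p: r".*" for p in rule["params"]}}
    for path, rule in STRICT_POLICY.items()
}

def evaluate(policy, method, target, body=""):
    """Decide whether one request may be forwarded. Returns (allowed, reason)."""
    parts = urlsplit(target)
    rule = policy.get(parts.path)
    if rule is None:
        return False, "path not in policy"
    if method not in rule["methods"]:
        return False, "method not allowed for path"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        params += parse_qsl(body, keep_blank_values=True)  # form-encoded body
    for name, value in params:
        pattern = rule["params"].get(name)
        if pattern is None:
            return False, f"unexpected parameter {name!r}"
        if re.fullmatch(pattern, value, flags=re.DOTALL) is None:
            return False, f"parameter {name!r} does not match expected format"
    return True, "ok"

# Constructed sample traffic: a well-formed search, a search whose parameter carries
# characters the application never expects, and a login with an extra parameter.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=ips+alternatives", ""),
    ("GET", "/search?q=foo%27%3C%3E", ""),
    ("POST", "/login?debug=1", "user=alice&pw=examplepassword1"),
]

def scrub(policy, requests=SAMPLE_REQUESTS):
    """Run a batch through a policy; returns the list of (allowed, reason) decisions."""
    return [evaluate(policy, m, t, b) for m, t, b in requests]
```

Under the strict policy only the first request is forwarded; the loose policy also forwards the second, which is exactly the gap a policy audit is meant to find.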