Firewalls and antivirus software remain necessities, but dedicated intrusion prevention products must be added to your network. Firewalls can scan for viruses in incoming mail, but can't protect against viruses introduced when an infected laptop is connected to the network. While antivirus software has been enhanced with spyware protection, it is ineffective against "day zero" threats -- that is, new threats for which no defense has been developed. Antivirus software is also ineffective against
Intrusion prevention devices are available from a wide variety of vendors. Small vendors focus on the intrusion prevention market alone and offer dedicated intrusion protection appliances. The large network equipment vendors also offer dedicated appliances and, in addition, integrate intrusion protection into switches and firewalls.
How intrusion prevention works
Intrusion prevention appliances use a combination of signature-based and behavior-based methods to detect and prevent attacks. A signature is a description of a particular attack technique. For example, phishing attempts have taken advantage of ways of encoding a URL in a mail message so that it appears to be a legitimate link. The signature provides a directive to the appliance on how to scan for this format.
New threat types are developed every day, so the appliance vendor must maintain a group of support engineers who monitor news of new threat types and quickly develop and distribute new signatures. The vendor must provide an efficient means of informing customers of new threats and updating customer appliances with new signatures with minimal delay.
Detecting threats using either signatures or behavior-based methods requires the appliance to analyze entire packets, not just packet headers. Hackers sometimes fragment packets or send them out of order to evade less sophisticated tools. Appliances must defragment packets and resequence out-of-order packets in order to analyze the entire message.
It isn't always possible to detect a threat by analyzing packets individually. Intrusion prevention appliances must monitor and track the state of all the connections passing through them. Analyzing entire packets, defragmenting and resequencing packets while keeping track of potentially thousands of connections without slowing down the network or adding unacceptable levels of latency requires custom ASICs designed for these tasks. Software-based implementations cannot meet these requirements.
Appliances must be positioned along each major link in the network to inspect and block any packet. Switch vendors have developed intrusion prevention modules that fit into switches. These can be an excellent option if the module can match standalone appliances in performance and in the range of threats they can meet.
Intrusion prevention devices -- either standalone appliances or switch modules -- must be supported by management facilities that enable network staff to monitor the number and type of threats encountered without producing an overwhelming volume of reports. Management tools must offer ways to tune the units to avoid reporting and blocking connections based on false positives, network occurrences that are not threats but appear to be.
Finally, intrusion prevention devices are only part of the answer to network threats. The user community must be trained and constantly reminded how to avoid introducing attackers, and the network staff must stay up to date on the latest threats and how to counter them.
David B. Jacobs has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
This was first published in February 2006