There has been a lot of debate during the past two years about the future of intrusion prevention. Some have argued that the future of network security lies in intrusion prevention and that intrusion detection is dead. Others have made the case that detection is simply evolving into prevention. But now that prevention technology has had time to evolve, it is clear that enterprises require security that not only combines high-quality detection and prevention, but is more than just a sum of these two parts.
Once prevention is added to detection, this combination must progress on its own to become a truly comprehensive internal network security solution. You cannot prevent an attack if you do not first detect it, so the detection of attacks, anomalies and policy violations is the foundation of intrusion prevention. As detection becomes more critical to internal network security policy enforcement, intrusion prevention will drive the need for continuous improvement in the quality of detection, as well as the quality of policy enforcement management. The result will be that enterprises have much greater control over the security policy and risks within defined segments of their networks.
That said, the debate is no longer about which technology will prevail but rather how it will evolve. The future of intrusion prevention is not simply in the speed and sophistication of new hardware.
Instead, the future lies in the security content and expertise that enterprises must demand from vendors, both in the design of the products and in the security intelligence fed into the products in real time.
The evolution of intrusion prevention is shifting the focus to making smarter and more effective products that provide the knowledge to make correct decisions. IT administrators cannot afford a product that makes unnecessary mistakes. The knowledge behind the box is just as important as the product itself, so vendors must develop and be able to provide the security intelligence that is critical to making intrusion prevention a success. If security intelligence is incorporated into a sophisticated product, intrusion prevention will undoubtedly become a key component of the security architecture, just as firewall and antivirus are today.
Raising the security bar
Intrusion prevention picks up where detection technology falls short. Intrusion detection shows only that something has happened or is happening, but it does not stop it. Intrusion prevention raises the security bar by actually blocking attacks, easing the administration and management of security devices and putting control back in the IT manager's hands.
When the system is set to blocking mode, effective policy management becomes even more important. Enterprises must be able to tailor protection based on individual security policies and business requirements. A good intrusion prevention solution should give them the option of either using predefined policies or tuning the policies to their specific network profile and security needs. This enables enterprises to individually control logging, blocking and response behavior per threat -- based on threat category, severity, intent, confidence rating and profile of protected resources. Enterprises should also be able to choose whether to make the policies dynamic or auto-updated, which ensures the solution is continuously updated with the most current protection against a threat outbreak.
Additionally, intrusion prevention should not only offer flexibility in creating policies for different situations, but should also simplify the process of creating and applying these policies by streamlining that process into a single step where possible. Further, tuning and confidence building are important. Policies should allow customers to gradually enable their blocking behavior through a tuning and confidence-building phase, and let them run the product in simulation mode. Rather than having to go through multiple steps when they're ready to block, IT managers should be able to enable blocking for the entire policy with just one click.
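The following Python example is added here and is not taken from the article or from any vendor's product. It models the per-threat policy described above: rules keyed on threat category, severity, confidence rating and protected-resource profile, a simulation mode used during tuning, and a single switch that turns blocking on for the whole policy. The rule fields, event format and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Rule:
    category: str        # threat category, or "*" for any
    min_severity: str    # lowest severity the rule applies to
    min_confidence: int  # lowest detection confidence rating (0-100)
    asset: str           # profile of the protected resource, or "*"
    action: str          # "block" or "log"

    def matches(self, ev):
        return (self.category in ("*", ev["category"])
                and self.asset in ("*", ev["asset"])
                and SEVERITY[ev["severity"]] >= SEVERITY[self.min_severity]
                and ev["confidence"] >= self.min_confidence)

@dataclass
class Policy:
    rules: list
    simulate: bool = True  # simulation mode: report, never drop traffic

    def decide(self, ev):
        """First matching rule wins; unmatched events are only logged."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(ev):
                if rule.action == "block" and self.simulate:
                    return idx, "would-block"
                return idx, rule.action
        return None, "log"

def benign_hits(policy, events):
    """Tuning phase: indexes of rules that (would) block reviewed-benign traffic."""
    return {idx for ev in events
            for idx, verdict in [policy.decide(ev)]
            if verdict in ("would-block", "block") and ev["benign"]}

# Constructed sample events; "benign" is the analyst's label after review.
EVENTS = [
    {"category": "worm", "severity": "high", "confidence": 95, "asset": "server", "benign": False},
    {"category": "policy-violation", "severity": "low", "confidence": 60, "asset": "desktop", "benign": False},
    {"category": "anomaly", "severity": "medium", "confidence": 55, "asset": "server", "benign": True},
]
POLICY = Policy(rules=[
    Rule("worm", "medium", 80, "*", "block"),
    Rule("anomaly", "medium", 50, "server", "block"),
])
```

A rule that shows up in `benign_hits` is tightened (for example by raising its confidence threshold) and the events replayed; once the set is empty, setting `simulate = False` enables blocking for the entire policy in one step.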
Threat defense landscape
Internet security threats are becoming faster, more sophisticated and, consequently, far more damaging for enterprises. Network worms alone have increased in frequency and complexity, and are the fastest propagating threat within the enterprise because they don't require user interaction. There has also been a drastic reduction in the window of time between the discovery of a vulnerability and an automated worm or attack that exploits it. For example, Blaster was introduced within 26 days of the vulnerability being discovered, Sasser in 17 days, and Witty in less than one day.
As a result, these threats are significantly changing the way we approach network security. Historically, the focus has been on the perimeter. But today's threats demonstrate that the perimeter as we know it is deteriorating. In addition, it's becoming increasingly difficult to create a protective fence around an entire network and its users, which now extends to mobile users, VPN tunnels and wireless LANs. These provide multiple entry points for threats to gain access into the enterprise beyond the traditional firewall or gateway. Enterprises need internal network security solutions that actively stop threats from propagating inside the network.
To that end, intrusion prevention can segment different areas of the network to isolate a potential threat, ensuring that the threat does not spread through the enterprise. This is especially important for global companies, where the risk of a threat spreading worldwide could potentially cripple their business and cause millions of dollars in damage. Intrusion prevention offers superior protection anywhere you don't want to separate networks using a traditional firewall approach but want security and policy-based separation. That effectively allows an enterprise to create security zones within the extended network.
Enterprises need comprehensive solutions that can detect a threat once it breaks through the perimeter and prevent an attack or worm outbreak from occurring in the network. IT administrators need products to help them segment their networks with the confidence that they are protected from intrusions, threats or violations of policies in those zones.
Future of IPS
Not all enterprises have the security expertise or, in some cases, the personnel required for security coverage 24 hours a day, seven days a week. Intrusion prevention puts control back in the hands of administrators, and as it evolves will allow even more flexibility and control. When taken to the next level, it can also restore confidence that the enterprise is protected. This next level of security will not come from speed or fancy hardware, but will require rich security intelligence.
Security vendors must become partners in protecting the enterprise by providing regular security updates and early warning threat notification. This security intelligence, combined with technology, will allow security policies to dynamically modify the threat defense landscape and guard against the latest vulnerabilities before exploit code can potentially cause harm.
In the past, using intrusion detection alone was like driving with blinders on -- it only allowed administrators to see a narrow segment of what was happening in the network. With intrusion prevention, the blinders have come off a little. And in the future, the blinders can be removed even more by having the knowledge of what's going on not just in your network, but also on the Internet as a whole. The more security intelligence enterprises have, the easier it will become for administrators to create policies that activate the proper blocking capabilities at the right time, minimizing disruption to their networks during threat outbreaks.
In the next two years, products will become more sophisticated and more dependent on rich security content and the intelligence going into them. That, in turn, will allow IT managers to develop expectations of the benefits of intrusion prevention and make it a standard part of a secure network.
Robert Geiger is a senior director of product delivery at Symantec Corp., where he manages the development of the company's intrusion protection solutions. Prior to joining Symantec, Geiger was a primary developer, senior manager, and then director at Recourse Technologies. Prior to Recourse Technologies, he worked in the Motorola Research Labs for 10 years. During his tenure at Motorola, Geiger worked in time-domain modeling of electromagnetic fields on supercomputers at the National Center for Supercomputing Applications in Urbana. He also worked on wireless data systems, eventually helping to implement mobile-IP solutions for cellular systems before extending his work into security and wireless e-commerce and banking applications. Geiger has four issued patents.