Intruder Alert: the choice between intrusion prevention and detection solutions for your network is not always black and white - Cover Story

Securing networks against known and unknown attacks has become increasingly challenging as networks have become more porous, intruders more sophisticated and threats more prevalent. Firewalls alone are not the solution: a conventional firewall makes its decisions on addresses, ports and connection state, and is not built to perform high-speed, deep-packet analysis of the payloads that carry most attacks.

As such, many enterprises and government agencies have looked to intrusion detection systems (IDS) for enhanced network security. Yet a legacy IDS watches a copy of the traffic from a tap or monitoring port, so its function is limited to alerting security analysts of attacks, often after the damage has been done, rather than preventing the attacks that can cause serious business repercussions.

The true goal of threat management is to prevent attacks that can disrupt business processes and hamper availability. Detection and reaction are only the start; prevention is the critical element for businesses, and it is where the industry is inevitably moving.

Before organizations move forward, however, administrators should take a methodical approach to the promise of intrusion prevention. While some argue that intrusion-prevention systems (IPS) and IDS are two separate categories, an IDS is better understood as a subset of an IPS. In short, an IPS can only block an attack that it has first detected accurately and reliably; a blocking decision is never better than the detection behind it.

There are two proven approaches to IPSs, and they represent two distinct sets of capabilities. A network IPS protects the network from perimeter to core, with dedicated hardware devices protecting all network traffic. A system (or host) IPS is deployed on servers and protects operating systems, critical data, applications and server assets. This article is focused on network-based IPSs, but there are just as many solid merits to system-based IPSs.

THE RISK OF BOTTLENECKS

Intrusion prevention requires in-line performance. Like a soccer goalie who must be positioned between the opponent and the goal to stop the ball from entering the net, an IPS must sit in the traffic path, between the attack and the network, to stop malicious packets. Yet, while that position makes blocking possible, it also creates a bottleneck risk, especially if the device cannot inspect traffic at wire speed. An in-line device is also a single point of failure: if it hangs or loses power, the network behind it goes dark unless the unit has high availability, failover or a bypass option, and administrators must decide consciously whether such a bypass fails open (traffic flows uninspected) or fails closed (traffic stops).

Intrusion prevention also requires highly accurate detection. If a goalie cannot see (or detect) an opponent clearly, the chances of blocking him are infinitesimal. The same holds for an IPS. If an organization's IPS cannot discriminate between normal traffic and attacks, false positives will block legitimate traffic, and false negatives will let attacks through. A detection-only sensor can tolerate a noisy rule; an in-line blocker cannot, because every false positive is now a self-inflicted outage.

The ability to selectively block attacks is also of paramount importance. Carefully adjusting the blocking criteria over time helps manage overall risk. As administrators gain confidence in an IPS solution, they can enable blocking for more attack classes with greater control, rather than taking an "all-or-nothing" approach.

The goalie is a specialized position, played by someone with specialized skills. Similarly, an IPS should be purpose-built hardware, not a general-purpose PC.

Some vendors suggest that intrusion detection and intrusion prevention are two entirely different functions that require two different devices. There is no technical advantage to separating the preventive action from the detection, however. An extra device adds configuration that can drift out of step, one more piece of hardware that can fail, and no opportunity for performance improvement. Intrusion detection can be an integrated component of the IPS offering, delivering a more complete solution.

Intrusion prevention is not a preset or all-or-nothing proposition. Selective blocking lets administrators manage and adjust their criteria based on their confidence in a given detection and the severity of the attack it represents, blocking the high-severity, high-confidence events first and leaving the rest in alert-only mode until the detection has proven itself.
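The following is an added example, not code from the article or from any vendor's product, showing how the selective-blocking policy described above can be expressed: a detection is acted on according to its severity and the engine's confidence, with operator-vetted "always block" and "never block" lists on top, and a toy model of the in-line bottleneck from the earlier section in which an overloaded device must fail open or fail closed. The Alert fields, signature names, flow identifiers and thresholds are all constructed for illustration; a real detection engine would produce the Alert objects.

```python
"""Added example (not from the article): a graduated blocking policy for an
in-line IPS, plus a toy model of the fail-open/fail-closed choice when the
device is overloaded. Alert fields, signature names and traffic are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "allow"  # nothing detected: forward the packet
    ALERT = "alert"  # detected but not blocked: log and forward (legacy IDS behaviour)
    BLOCK = "block"  # detected and dropped in-line (what an IPS adds)


@dataclass(frozen=True)
class Alert:
    """Output of the detection engine for one flow (hypothetical fields)."""
    signature: str
    severity: int      # 1 (informational) .. 5 (critical)
    confidence: float  # 0.0 .. 1.0: how sure the engine is that this is not benign


@dataclass
class BlockingPolicy:
    """Selective blocking: drop only when severity AND confidence clear the bar.

    Detections below the bar are still alerted on, so tightening the policy
    never loses visibility; it only escalates the response.
    """
    min_severity: int = 5
    min_confidence: float = 0.95
    always_block: set = field(default_factory=set)  # operator-vetted signatures
    never_block: set = field(default_factory=set)   # known noisy signatures: alert only

    def decide(self, alert: Optional[Alert]) -> Action:
        if alert is None:
            return Action.ALLOW
        if alert.signature in self.never_block:
            return Action.ALERT
        if alert.signature in self.always_block:
            return Action.BLOCK
        if alert.severity >= self.min_severity and alert.confidence >= self.min_confidence:
            return Action.BLOCK
        return Action.ALERT


def run(policy: BlockingPolicy, traffic) -> dict:
    """Map each flow id to the action the policy takes on it."""
    return {flow: policy.decide(alert) for flow, alert in traffic}


def inline_sensor(policy: BlockingPolicy, traffic, capacity: int, fail_open: bool) -> list:
    """Toy model of an in-line device that can inspect only `capacity` packets
    per interval. Anything beyond that is either forwarded uninspected
    (fail-open: availability kept, attacks may slip through) or dropped
    (fail-closed: the IPS itself becomes the outage)."""
    out = []
    for i, (flow, alert) in enumerate(traffic):
        if i >= capacity:
            out.append((flow, Action.ALLOW if fail_open else Action.BLOCK, "overload"))
        else:
            out.append((flow, policy.decide(alert), "inspected"))
    return out


# Constructed traffic: (flow id, detection engine output or None).
TRAFFIC = [
    ("10.0.0.5->web:80", None),
    ("10.0.0.7->web:80", Alert("SQLI-UNION-SELECT", severity=5, confidence=0.97)),
    ("10.0.0.9->web:80", Alert("GENERIC-LONG-URI", severity=2, confidence=0.40)),  # e.g. a big legitimate order form
    ("10.0.0.11->dns:53", Alert("DNS-TUNNEL-HEURISTIC", severity=4, confidence=0.60)),
    ("10.0.0.13->web:80", Alert("KNOWN-WORM-PROBE", severity=3, confidence=0.99)),
]

# Day one: block only critical, high-confidence hits; everything else alerts.
INITIAL = BlockingPolicy()

# After tuning against real traffic: lower the bar, vet one signature for
# unconditional blocking, and pin a noisy one to alert-only.
TUNED = BlockingPolicy(min_severity=3, min_confidence=0.90,
                       always_block={"KNOWN-WORM-PROBE"},
                       never_block={"GENERIC-LONG-URI"})

if __name__ == "__main__":
    for name, policy in (("initial", INITIAL), ("tuned", TUNED)):
        print(f"--- {name} policy")
        for flow, action in run(policy, TRAFFIC).items():
            print(f"{flow:22s} {action.value}")
    print("--- overloaded sensor (capacity 2), fail-open")
    for flow, action, why in inline_sensor(TUNED, TRAFFIC, capacity=2, fail_open=True):
        print(f"{flow:22s} {action.value:6s} ({why})")
```

Under the initial policy only the SQL injection hit is dropped; the worm probe is merely alerted on despite its high confidence because its severity sits below the bar, and the oversized order form is never at risk. After tuning, the vetted probe signature is blocked outright while the noisy URI heuristic is pinned to alert-only regardless of future threshold changes. The overload model makes the choke-point trade-off concrete: with fail-open, the worm probe in the third-plus packets passes uninspected; with fail-closed, legitimate traffic is dropped instead.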

THE LAYERED APPROACH

Nor is intrusion prevention merely "modify the firewall rules" or sending TCP resets. Both are reactive: the rule change or the reset is issued only after the offending packets have already been forwarded, so a single-packet attack completes before the response takes effect, and a reset cannot touch UDP or ICMP traffic at all. Such simplified approaches do not prevent the intrusion and are therefore ineffective as enterprise-class prevention.

As threats become more sophisticated and prevalent, enterprises are adopting layered approaches to stop them. From firewalls and perimeter appliances to host-based solutions that protect critical systems, a multitiered approach reduces both the likelihood of a successful attack and the damage one can do, because no single layer has to catch everything.

While a network IPS requires in-line performance, such a deployment carries a unique set of choke-point risks, from added latency to the device becoming a single point of failure. General-purpose PCs running general-purpose operating systems are at a significant disadvantage under the rigors of in-line operation. Purpose-built hardware designed for comprehensive, high-speed inspection with low latency is needed.

Solutions with high rates of false positives and false negatives are unsuited for comprehensive blocking. Multiple competitive bake-offs in the IDS space can help differentiate solutions by their accuracy. They give organizations the information to identify products that will not block waves of essential data, such as customer orders, that an inaccurate engine would wrongly flag as attacks.
