Three criteria for selecting the right IPS products
Expert contributor Karen Scarfone examines important criteria for evaluating intrusion prevention system (IPS) products for use by an organization.
A network intrusion prevention system (IPS) is an enterprise security control for monitoring network traffic and analyzing its packet headers and contents for signs of malicious activity or other violations of the organization's policies. When malicious activity is detected, the IPS can stop it through a variety of methods, including directly disrupting the appropriate network connections and reconfiguring other enterprise security controls to block the traffic.
IPS products are currently available in three forms:
- Dedicated hardware and software (hardware appliances or virtual appliances)
- Integrated with other enterprise security controls, such as an IPS module licensed and activated on a next-generation firewall (NGFW)
- Cloud-based service
Each of these forms has advantages and disadvantages -- as explained in the first article in this series -- that make it better suited for certain environments and situations. Unfortunately, the fundamental differences among the forms complicate the process of comparing them in order to evaluate IPS products and services.
Taking the different characteristics of the three forms into account through a small set of criteria is not feasible, so this article examines IPS provided through dedicated hardware and virtual appliances only. Some of the criteria presented in this article may also be applicable to other forms of IPS, but the criteria were not developed with those other forms in mind.
Criteria 1: Detection capabilities
IPS products' detection capabilities are usually the most important characteristic to evaluate. Unfortunately, evaluating them is challenging because detection is such a complex endeavor. Each IPS product uses a unique combination of detection techniques, because each technique is only effective at identifying certain types of malicious activity. Early IPS products relied on signature-based techniques, and while these techniques still have some value, they now work in combination with anomaly-based detection, deep packet inspection, network flow analysis and other techniques to identify both "known" attacks -- which have been seen before -- and "unknown" attacks, which are variants of known attacks or entirely new attacks.
It is important that any enterprise IPS product use several types of detection techniques to achieve broad coverage for detection, including detection of zero-day attacks (attacks that exploit a previously unknown vulnerability). In addition, it is critically important that an IPS has built-in support for the application protocols the organization uses over networks. In many cases, an IPS is the only security control in an enterprise capable of doing in-depth analysis of all these applications and identifying attacks within them. Without an IPS analyzing application traffic, an organization is more susceptible to application-based attacks.
Increasingly, IPS products are also expanding their analysis capabilities to include simulation and emulation functions. For example, an IPS may offer Web browser emulation that can be used to see what Web content will do if accessed by a user. This can uncover malware, unauthorized access to sensitive information and other potential problems that cannot necessarily be identified by the detection techniques previously described. Simulation and emulation functions are an important complement to other detection techniques.
Criteria 2: Context understanding
Over the years, technologies in IPS products have evolved to incorporate a greater understanding of context. Context, roughly speaking, is information about an organization’s assets, such as its hosts. At one time, IPS products lacked knowledge of context, such as which operating system and major applications each host within the environment was running.
When an IPS saw a serious attack against a host that, if successful, could provide administrator-level access to an attacker, the IPS would generate a high-priority alert and perhaps act to stop the activity. What the IPS didn’t know was whether the host was vulnerable to the attack. The targeted host might not have the corresponding vulnerability because of patching, configuration, etc., and the targeted host might not even be running the software that the attack is trying to exploit.
Today's IPS technologies should have much more knowledge and understanding of context. Some of this can be derived by the IPS itself by analyzing benign network activity and determining what services are offered by the organization’s hosts. Most of the context, however, should be provided by the organization itself, such as by feeding the IPS information from IT asset management systems. This gives the IPS insights into not only the components of each host, but also the host’s role and relative importance to the organization. The IPS can then prioritize events appropriately by taking the context into consideration.
Criteria 3: Threat intelligence use
Just as having context helps IPS products better understand the relative importance of each event it sees, so does using threat intelligence. Threat intelligence is information on the characteristics of threats and the attacks they perform. Some vendors specialize in threat intelligence collection and refinement, going so far as to place sensors on networks all over the world to monitor global threat activities. Threat intelligence vendors collect information on a continuous basis, so they often see the latest threats before anyone else recognizes them.
Organizations are increasingly using threat intelligence in key security controls, most notably security information and event management (SIEM) products, to improve their detection accuracy and their prioritization of adverse events. This same concept is now being adopted by IPS vendors for similar reasons. For example, suppose that an IPS sees activity that it would generally deem malicious, but it is low priority. However, if intelligence received from a threat intelligence vendor indicates that the external IP address causing the activity is associated with severe attacks against other organizations, the IPS can then assign this alert a higher priority so it will be investigated, or the threat or targeted vulnerability mitigated more quickly. IP addresses are the most common focus of threat intelligence, but URLs, domain names and other such components of network traffic may also be analyzed.
Buying IPS products: Do your homework and evaluate
The three criteria presented in this article -- detection capabilities, context understanding and threat intelligence use -- are only a small part of what should be considered when evaluating IPS products for enterprise use. In addition to these criteria and all the criteria to be considered for any enterprise security technology acquisition, organizations should also evaluate other aspects of IPS products, including the following:
- Automatic prevention techniques, such as crafting packets to terminate a network connection or reconfiguring a firewall to block a source IP address from initiating new connections
- Customization and policy enforcement capabilities; an example is being able to specify applications that the organization wants to have blocked or to restrict usage of
- Logging and reporting capabilities, especially the level of detail recorded for each event
Network IPS products are notoriously difficult to evaluate because they are addressing such a wide variety of attacks and other unwanted activity that may be carried over thousands of different application and network protocols. The IPS that offers the best detection capability for one organization may not have the best detection for another. And, of course, IPS products have many characteristics besides detection that need to be considered. Determine what is most important to your organization and focus on evaluating those characteristics in depth in order to get the solution that’s the best fit.