Midsize enterprises are disenchanted with the performance
of intrusion detection products and as detection fades
away and prevention gains in importance, security
vendors are re-labeling their products. But have the
products themselves changed as quickly as the product
literature?
Gartner believes there are three mandatory requirements that an intrusion prevention system (IPS) must meet for network-based and host-based capabilities. These key criteria include:

• An IPS must not disrupt normal operations. Normal network traffic and host-based processes should operate identically, whether an IPS is running or not. Blocking actions must occur in real time or near real time, with latencies in the range of tens of milliseconds, not seconds.

• An IPS must block malicious actions using multiple algorithms. Although IPSs must include signature-based blocking of known attacks, they must also provide blocking capabilities that at least support policy-, behavior- and anomaly-based detection algorithms. These algorithms must operate at the application level in addition to standard, network-level firewall processing.

• An IPS must have the wisdom to know the difference between attack events and normal events. As IPSs mature, they will be able to positively identify and block higher percentages of attacks than today’s first-generation IPSs do. However, they will never be perfect, and it will remain necessary to flag suspicious activity for further human intervention.
Host-based Intrusion Prevention

This technology can apply policies based on pre-defined rules or learned behavior analysis to block malicious server or PC actions. Host-based software that simply locks down the host and only allows certain applications to execute does not meet Gartner’s criteria for host-based intrusion prevention, because it does not protect against flaws in permitted applications.
Network-based Intrusion Prevention

Firewalls and gateway antivirus systems are examples of first-generation, network-based IPS. However, firewalls primarily operate at the network protocol level, and antivirus systems largely implement simple, reactive (not real-time) signature-based detection and blocking. A true network-based IPS must:

• Operate as an in-line network device that runs at wire speeds.

• Perform packet normalization, assembly and inspection.

• Apply rules based on several methodologies to packet streams, including protocol anomaly analysis, signature analysis and behavior analysis.

• Drop malicious sessions, not simply reset connections.
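Added illustration, not code from the Gartner note: a simulated in-line inspection stage showing why normalization and stream assembly must come before rule matching (a signature split across packets is invisible to per-packet matching), with constructed signature, protocol-anomaly and behavior rules feeding one DROP/FLAG/PASS/HOLD verdict per session. Every rule pattern, threshold and traffic sample here is an assumption built for the demo.

```python
import re

# Constructed demo rules (not from any product): one signature, one HTTP
# request-line conformance check and one per-client behaviour threshold.
SIGNATURE = re.compile(rb"/cgi-bin/[^ ]*\.\./")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
METHODS = {b"GET", b"POST", b"HEAD"}
RATE_LIMIT = 20          # requests from one client before sessions are flagged

def reassemble(segments):
    """Normalize (seq_offset, payload) pairs into the byte stream the host will
    see. Overlaps resolve to the lower-offset (at equal offset, first-received)
    copy; a gap means the stream cannot be inspected yet."""
    stream = bytearray()
    for off, data in sorted(segments, key=lambda seg: seg[0]):
        if off > len(stream):
            return None
        stream += data[len(stream) - off:]
    return bytes(stream)

def packet_level_match(segments):
    """First-generation behaviour: match each packet in isolation."""
    return any(SIGNATURE.search(data) for _, data in segments)

def ips_verdict(segments, client, rate):
    """One verdict per session: DROP (discard its packets silently, no RST
    injected), FLAG (forward but queue for a human), PASS, or HOLD (buffer
    until the missing segment arrives). `rate` is a per-client request count."""
    stream = reassemble(segments)
    if stream is None:
        return "HOLD"
    if SIGNATURE.search(stream):                            # signature analysis
        return "DROP"
    line = REQUEST_LINE.match(stream)                       # protocol anomaly
    if not line or line.group(1) not in METHODS or len(line.group(2)) > 2048:
        return "DROP"
    rate[client] = rate.get(client, 0) + 1                  # behaviour analysis
    return "FLAG" if rate[client] > RATE_LIMIT else "PASS"

# Constructed traffic: one request split into out-of-order segments with a
# retransmitted overlap, so the signature spans a packet boundary.
SPLIT_REQUEST = [
    (21, b"../conf HTTP/1.0\r\n\r\n"),
    (0, b"GET /cgi-bin/"),
    (13, b"demo/../"),
    (9, b"bin/demo/../"),        # retransmission overlapping bytes 9-20
]
CLEAN_REQUEST = [(0, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")]
MALFORMED = [(0, b"GET /index.html HTTQ/1.1\r\n\r\n")]
```

Run `packet_level_match(SPLIT_REQUEST)` against `ips_verdict(SPLIT_REQUEST, ...)` to see the per-packet matcher miss what the reassembled stream exposes.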
As processing power and security algorithm performance increase, intrusion prevention will grow in importance, while intrusion detection will shrink. However, through 2006, midsize enterprises will need to deploy a combination of both capabilities to meet security best practices.
Delve further into security issues with Gartner analysts, technology vendors and your peers at the next Midsize Enterprise Summit through Breakout Sessions, One-on-One Meetings, Boardroom Appointments and Peer Exchange Workshops.
Reference Research Note
Defining Intrusion Prevention
Published: May 29, 2003
Authors: John Pescatore and Richard Stiennon, Gartner, Inc.