April 16, 2003
Move to Intrusion Prevention - Recommendations for Migration
an Analyst's Words of Wisdom
by Eric Ogren, Senior Analyst
give IT a chance to recognize attacks on the network that had penetrated perimeter firewall defenses. Scanning traffic and log files for evidence of intrusions was the only means of detecting a breach, unless a host machine failed or a denial of service (DoS) attack was successful. nIDS reported all suspicious activity to IT security teams for follow-up action to close holes in the security posture.
The explosive growth in public-protocol Internet traffic has yielded far more traffic than IT security can interpret. nIDS solutions for high traffic rates have involved incremental load-balancing equipment for extra nIDS sensors, and Security Event Management systems to reduce the size of event data reports. Additional IT staff is required to interpret nIDS reports, and the best of the IT staff is applied to simplify nIDS rules to reduce the burden of report processing.
Network security officers are evolving their nIDS strategy towards intrusion prevention techniques. Network intrusion prevention is defined by the following characteristics:
1. Prevent the network from damage by Day Zero attacks. Day Zero is the first day of a new attack, when there is no attack signature to be matched.
2. Be able to proactively block identified intrusions upon IT command. This requires that the intrusion prevention product be inline with the network data flow.
3. Perform at very high speeds while introducing very low latency. This forces network intrusion prevention to be a network security device, with custom high-speed ASICs and network processors as the implementation of choice.
4. Network intrusion prevention must be autonomous. Sensors cannot depend on network connectivity to a management station to perform their preventive function.
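The architectural difference behind characteristics 2 and 4 above (inline placement and autonomy) is easier to see in code than in prose. The following is an added illustration written for this page, not code from the analyst note or from any vendor product: a passive sensor that only sees a copy of traffic and can therefore only alert, beside an inline device that holds its blocking policy locally, drops traffic once IT has issued a block command, and keeps enforcing when its management station is unreachable. The packets, the signature names and the byte patterns are all constructed for the example.

```python
"""Passive nIDS sensor versus inline intrusion prevention device (toy model).

Constructed example: signatures, packets and addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


# Constructed signature table (name -> byte pattern). Hypothetical patterns.
SIGNATURES: Dict[str, bytes] = {
    "path-traversal-probe": b"/../../",
    "oversized-field": b"A" * 64,
}

Alert = Tuple[str, str, str]  # (signature name, src, dst)


def match_signatures(pkt: Packet) -> List[str]:
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


@dataclass
class PassiveSensor:
    """Sees a copy of traffic from a tap or span port; it is not in the data path."""
    alerts: List[Alert] = field(default_factory=list)

    def handle(self, pkt: Packet) -> bool:
        for name in match_signatures(pkt):
            self.alerts.append((name, pkt.src, pkt.dst))
        # The original packet was already delivered; the sensor can only report.
        return True


@dataclass
class InlineDevice:
    """Sits in the data path; every packet passes through handle() before delivery."""
    blocked: Set[str] = field(default_factory=set)   # policy cached on the device
    alerts: List[Alert] = field(default_factory=list)
    dropped: List[Alert] = field(default_factory=list)
    manager_reachable: bool = True                   # recorded, never consulted inline

    def command_block(self, signature: str) -> None:
        """IT orders a signature blocked; the decision is stored locally."""
        self.blocked.add(signature)

    def handle(self, pkt: Packet) -> bool:
        # Enforcement uses only local state, so a lost management link
        # (manager_reachable == False) does not change the outcome.
        for name in match_signatures(pkt):
            self.alerts.append((name, pkt.src, pkt.dst))
            if name in self.blocked:
                self.dropped.append((name, pkt.src, pkt.dst))
                return False  # packet is not forwarded
        return True


def count_forwarded(device, packets: List[Packet]) -> int:
    """Number of packets the device lets through to the protected segment."""
    return sum(1 for pkt in packets if device.handle(pkt))


def run_scenario() -> Dict[str, int]:
    """Replay the same constructed traffic through both device types."""
    packets = [
        Packet("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.0\r\n"),
        Packet("10.0.0.6", "192.0.2.10", b"GET /../../secret.txt HTTP/1.0\r\n"),
        Packet("10.0.0.7", "192.0.2.10", b"POST /login HTTP/1.0\r\n"),
    ]
    sensor = PassiveSensor()
    ips = InlineDevice()
    results: Dict[str, int] = {}

    results["passive_forwarded"] = count_forwarded(sensor, packets)   # 3
    results["passive_alerts"] = len(sensor.alerts)                     # 1

    # Inline device before any block command: alerts, but still forwards.
    results["inline_detect_only_forwarded"] = count_forwarded(ips, packets)  # 3

    ips.command_block("path-traversal-probe")                          # IT command
    results["inline_after_block_forwarded"] = count_forwarded(ips, packets)  # 2

    ips.manager_reachable = False                                      # link to manager lost
    results["inline_manager_down_forwarded"] = count_forwarded(ips, packets)  # 2
    results["inline_dropped_total"] = len(ips.dropped)                 # 2
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The passive sensor forwards every packet because it never had the option not to; the inline device forwards everything until a block command arrives and then keeps dropping the matching packet after the management link is marked down, which is the autonomy property the note asks for.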
Network intrusion prevention is finding traction in industries that are the focus of targeted attacks, are heavily reliant on the integrity of the network infrastructure to conduct business, and are large enough to have many points of entry into the network.
Conclusions
Intrusion prevention devices will replace network intrusion detection sensors by 2005. Today, intelligence of an intrusion kicks off corporate vulnerability management activities; tomorrow, prevention of an attack will automatically deliver forensic evidence for signature development and legal remedies.
nIDS products will become known as a tool for regulatory compliance by the close of 2004. The installed base of nIDS products, with its ability to see network traffic, feeds security event management systems to produce reports for regulatory compliance, network audits, and forensic analysis. nIDS is not known as a tool for active network defense.
Enterprise Recommendations
Make network intrusion prevention mandatory in front of critical data centers and Web-facing application zones. The cost of a service disruption merits the extra attention. The technology can be deployed more widely as you become comfortable administering it at larger scale.
Provide a path from nIDS to network intrusion prevention. The transition path includes product, services, and management. Complete migration from nIDS to intrusion prevention (IP) technology is commonplace by 2005.