Intrusion prevention systems provide an active line of defense
- By William Jackson
- Feb 16, 2005
SAN FRANCISCO - Squeezed for time and manpower, IT administrators are moving beyond intrusion detection systems, implementing tools to automatically block intrusions.
"It is still a new market," said Andy Salo, director of product marketing for TippingPoint, which is unveiling the fastest model of its UnityOne Intrusion Prevention System at this week's RSA Security Conference.
Although it is not yet a mature technology, IPS is one of the fastest-growing segments of the IT security market. TippingPoint, which last month became a division of 3Com Corp. of Santa Clara, Calif., is forecasting revenues of $33 million this year, a sharp increase from $5 million in 2004.
Third Brigade Inc. of Ottawa recently unveiled its take on IPS, Deep HIP, a host-based system that works inside the perimeter to protect applications. The company's name refers to the product's role as the third line of defense, behind firewalls and antivirus systems, said CTO Brian O'Higgins.
"You need to shield your applications and servers until you have time to patch them," O'Higgins said.
IPS is an active defense that blocks malicious or anomalous traffic, while intrusion detection systems are passive, identifying and logging bad traffic. Each has its strengths and weaknesses.
IDS provides information and an auditable record, but administrators must respond to alerts to take action, which often means locking the barn door after the horse is gone (or blocking the port after the hacker is in). It also requires man-hours or more software to review and analyze the data generated. IPS can block intrusions, but administrators traditionally have been wary of turning over that responsibility to automated systems.
Although the IPS market is growing, the IDS market is far from dead. Application Security Inc. of New York is showcasing the newest version of its AppRadar IDS at the RSA conference. AppRadar moves intrusion detection to the application tier to protect databases.
Because it monitors only traffic to and from the database, AppRadar generates less data than a perimeter-based IDS, said Ted Julian, Application Security's vice president of marketing. Because it looks only at databases, it can use context-based monitoring as well as signatures to evaluate traffic, reducing the volume of false alerts.
AppRadar does host-based monitoring on Structured Query Language databases, using an agent placed on the server. The new version adds network-based monitoring of Oracle databases. The company will offer both host- and network-based monitoring for both flavors of databases in the future.
A key driver for IDS products is regulatory compliance, Julian said. Laws such as the Sarbanes-Oxley Act in the private sector and the Federal Information Security Management Act in government require ways to monitor and audit security incidents. IDS can provide this data without an administrator sacrificing control over the system.
"The challenge with adding any kind of prevention is that we're talking about mission-critical systems," Julian said.
But he said he expects to see demand for intrusion prevention continue to grow as the technology matures. "There is no question that this is where we're heading," Julian said.
Although the market is only now heating up, intrusion prevention is not brand new. TippingPoint introduced an IPS with 2-Gbps throughput in 2002, and the new UnityOne-5000 can handle 5 Gbps.
Although most enterprises are "still very much using IDS," IPS is gaining ground in IT shops with limited budget and manpower, Salo said.
William Jackson is a Maryland-based freelance writer.