Betting on Security

Networks have employed intrusion detection systems to spot and log malicious traffic for more than a decade. But over the past five years, there has been a growing interest in intrusion prevention systems that automatically block malicious traffic as well. With network exploits coming fast and furious, it's no longer enough just to know they're there and then take corrective action; the action has to come immediately.This subtle shift is due in part to regulations making private- and public-sector executives more accountable for IT security, said John Trollinger of the security technologies group of Cisco Systems Inc.'It stops being a security problem and becomes an organizational issue,' Trollinger said. 'That's when we see the big move from detection to prevention.'But the shift from IDS to IPS is not simple. An IDS sits out of the way of network traffic and typically employs a buffer, where it can take the time to monitor and analyze all packets. The packets themselves continue along the network and the IDS reports what it finds after the fact. Administrators must examine log data and respond to alerts to block unwanted traffic. False positives are a nuisance.An IPS sits in-line and passes judgment on traffic before it's allowed to pass, blocking unwanted packets automatically. Attacks are dealt with swiftly, but in this case, false positives are a major headache.'My number-one fear is that I'm going to drop legitimate traffic,' Trollinger said.Today, government agencies are at-tempting to mitigate that fear so they can enjoy the higher level of protection that an IDS might deliver.Despite their relative novelty, intrusion prevention systems abound. Companies such as 3Com Corp.'s TippingPoint Technologies, Cisco Systems Inc., Juniper Networks Inc. of Sunnyvale, Calif., McAfee Inc. of Santa Clara, Calif., Symantec Corp. of Cupertino, Calif., and V-Secure Technologies Inc. of Saddle Brook, N.J., sell IPSes. Michael Carpenter, vice president of federal operations at McAfee, says government agencies have been early adopters of IPS technology, in part because they understand IDS so well.'In order to do IPS well, you have to be good at IDS,' Carpenter said.Jason Huggett, an IT specialist with the Washington State Gambling Commission, found a convenient way to migrate from IDS to IPS with the Strata Guard IPS from StillSecure Inc. of Louisville, Colo. Strata Guard is built around Snort, an open-source IDS tool that Huggett had been using at WSGC for years.'I felt comfortable with it,' he said. 'It wasn't such a big step to go from IDS to IPS.'In addition to his familiarity with the underlying technology, Huggett also liked the fact that Strata Guard let him turn on blocking functions as he was ready, reducing the number of false positives.'By default, it works as an IDS,' he said. 'It's a perfect transition.'The fact is, security experts warn against putting all of your intrusion prevention and detection eggs in one basket.'Prevention is not a replacement for detection,' said Gregory Tepe, director of federal security solutions for Enterasys Networks Inc. of Rochester, N.H. 'It is an augmentation.'And just as IPS cannot do everything by itself, 'one single vendor is probably not going to be able to catch everything.' Tepe recommends running boxes from multiple vendors on a network.But WSGC has been able to make a single IDS/IPS solution work because it has a small network running behind a statewide network provided by Washington's Department of Information Services. 'Everything behind the state network, we run,' Huggett said. 'We only have about 200 users at any time.'The commission oversees all Washington gambling except the state lottery and horse racing.Those activities produced about $432 million in net receipts in 2004, with the lion's share of that, $268 million, coming from local card rooms running games such as blackjack and poker. Under contracts with tribes, the commission also oversees 24 Indian casinos operating in the state, which generated an estimated $888 million in revenues last year.The commission is funded entirely through license and regulatory fees. Open-source tools can offer a cost-effective way to help administrators and security officials manage networks on tight budgets.Open-source software is developed communally, without proprietary code, and products often are available free or for minimal fees. System administrators and security officials have adopted open source, although executives have traditionally been wary of tools not backed by a commercial vendor.Those concerns still exist in upper management, Huggett said, 'but I think opensource is getting more respect. Most security people are using some kind of open-source tools.'Snort has long been a popular IDS tool, performing real-time traffic analysis and packet logging. A second open-source tool, Analysis Console for Intrusion Databases (ACID), processes alert data for Snort, but it still lacks a graphical user interface and a way to centrally manage multiple sensors.Open source is cheap, but traditionally has been for experts.'The learning curve is really high,' Huggett said. 'You learn more about it and can become proficient, but the downside is that it takes you a lot of time.'Many IT security vendors, who have their own proprietary tools, are critical of open source.'The advantage of open source is that it is affordable,' said Tepe. 'But it is not well supported, because the people supporting it do not have a vested interest. You get what you pay for.'But a growing number of companies, such as StillSecure, have embraced open source by adding their own functionality and management capabilities to existing products.'Open source provides a core technology,' said StillSecure CTO Mitchell Ashley. 'What we add is the value of having a security company stand behind the product.''It's a more polished product all around,' Huggett said. And because he already had learned Snort, the learning curve for Strata Guard was not steep. 'The install was ridiculously easy,' he said.Strata Guard is available as a software product or a hardware appliance. It uses both signatures and behavior analysis to identify malicious or improper traffic and can be installed either in-line, to inspect and block traffic, or out-of-band, to act as an IDS only.Because it blocks no traffic by default, users must fine-tune Strata Guard to block only unwanted traffic and leave legitimate traffic alone. Some decisions, such as blocking known viruses, are no-brainers, Ashley said. For other types of traffic, 'there is a risk curve. Some systems will be protected more aggressively than others. It is an individual decision for each organization.'How long it takes to tune the tool depends on the user's familiarity with the product and the amount of time he can spend on it, Huggett said.'I am able to spend a lot of time with the system,' he said. 'Within a month or two, if you work with it quite a bit, you'll have a system that's doing a lot of the work for you.'Strata Guard has been in place at the gaming commission for about a year, and Huggett has found that tuning is a continuous process.'It is still evolving,' he said. With new exploit signature updates coming as frequently as every hour and new types of legitimate traffic being added to the network, 'you're going to start getting false positives again, so you have to continuously work with it.'