IPS Destined to Replace Legacy Routers
First Published: 2003

Whether the term is evolution or revolution, corporate network managers must have noticed that change is in the air. Just as network design changed with the cost effective implementation of routers replacing legacy network bridging devices, the design rulebook is once again under revision.

Formerly the domain of large financial or technically elite organisations, network intrusion detection systems (NIDS) now provide mainstream corporate security. However, until recently, they were often additional devices that sat upon the network, typically “out-of-band”, and the responsibility of the nominated corporate security expert.

The latest devices now form an integrated element of the network topology. Just as network bridges were superseded with devices that could logically route network traffic based upon the data packets themselves and even implement an access control list (ACL), the new generation of device goes further towards making the network more robust and manageable. These devices, referred to as intrusion prevention systems (IPS), incorporate NIDS technology into a single in-line device.

While many organisations initially think of IPS as only a security device, and thus the remit of the security department, this is not necessarily the case. The combination of technologies result in what many are calling the revolutionary aspect of IPS – the fact that the resultant mainstream device will be managed by an organisations network infrastructure department.

Looking similar, and typically positioned within the network topology just like a router, they provide the extended range of protection technologies now mandatory to thwart current and future projected network threats.

In many ways IPS is the evolution of two complementary technologies.

Routers are commonly used to connect multiple network segments together and provide a robust, and often dynamic, path for traffic to navigate a distributed corporate infrastructure. They are also frequently configured to provide traffic control through ACL’s, thereby regulating network throughput and providing some basic level of security utilising port filtering techniques.

On the other hand, we have NIDS. Historically, the technology was primarily an analysis and alerting tool – designed to identify probable network based attacks and respond in a predetermined manner (such as alerting the security administrator or blocking some types of attack). NIDS major strength is deep packet inspection, and the ability to analyse network traffic for threats right up to the application layer.

Thus the combination of the two technologies allows for a device that regulates network traffic at a level beyond routers and their firewall cousins, will provide detailed traffic analysis and management options, and can automatically respond to threats at the network layer right through to the application layer.

An IPS is more that the sum of its parts, and should be viewed as a critical network infrastructure component – installed and managed by an organisations network infrastructure department. The simplification of device management and configuration, combined with a mature automated response system – all built into a single appliance – means that security departments can focus upon developing higher-level implementation security plans, and network departments can focus upon managing a hardware device in a similar capacity to other existing infrastructure components.

For many organisations, an understanding of the types of threats an IPS system can prevent from affecting the network is often required before the importance of the new technology can be fully appreciated.

Consider classic port filtering through ACL’s as an example. ACL’s are ideal for preventing unwanted traffic passing between network segments. However, they are not capable of identifying unwanted network protocols communicating in unexpected ways – such as running SSH services over HTTPS (doubly complex as both services are encrypted). Such problems regularly arise, and many current security threats such as popular chat and file-sharing applications, purposefully exploit the inadequacies of simple port filtering techniques to bypass typical corporate firewall installations. The ability to inspect the content of each network packet, and check for protocol conformity, is a basic requirement in preventing such bypass techniques.

The facility to provide a level of deep packet inspection also means that an IPS device is potentially able to provide higher level logic functions based upon the content of an individual data packet, or a stream of fragmented data. These higher level functions would include the ability correlate the data content against a series of rules or other logic processes. In one sense, it is a simple process to identify content that may be associated directly with threats such as viruses, worms, exploitation code or other hybrid-threats and respond in a pre-determined way.

This response may include passive actions such as logging and alerting, or make be more active such as “cleansing” the data payload (such as existing anti-virus solutions), directing it somewhere else (such as the functions performed by network proxy servers), or resetting and preventing network connection (commonly carried out by active IDS installations).

The “cleansing” of data on-the-fly is probably the easiest to understand, but the most complex to implement from a technology point of view. However, dedicated anti-virus products have been doing this for many years now and the robustness of the technology is widely accepted.

A large number of organisations utilise proxy servers to control and regulate outbound access from their internal networks. Typically, these proxies require each client connection (such as web browsers and FTP clients) to be configured with the device address and directed to it. Once again, technology has moved on. With the use of in-line devices providing transparent proxy functions, no client-level configuration is required and (unlike static host proxies) almost impossible to circumvent. From a management perspective, transparent proxy functionality provides greater flexibility in medium to large enterprises when adding, removing, or otherwise changing the allowable suite of outbound connectivity at an application level (rather than at the less satisfactory protocol level as achieved with firewalls) – while still protecting the internal network.

The in-line position of the IPS also greatly increases the success of the NDIS functionality to thwart attacks. A limitation of NIDS has always been the “spectator view” on the network and the inability to respond to attacks within single network packets or connectionless protocols such as UDP. By going in-line, the IPS can analyse traffic before passing it on to the next network segment and decide whether to allow or disallow individual packets. This is particularly appropriate when responding to threats such as the last Slammer Worm whereby networks were inundated with Microsoft SQL Server probes and consequently great volumes of SQL Server specific traffic. Without an IPS, there were only two response options – either turn off the SQL Server host or filter and block all ports associated with the SQL Server (thereby shutting off the SQL Server). With an IPS device, any SQL traffic associated with the attack could be blocked, while other acceptable traffic would be allowed to traverse the network – thereby providing the flexibility an organisation requires to continue to operate while infected hosts were dealt with.

For most environments, an IPS device will cover the majority of requirements within an organisation or for use between sites with direct (non-shared) network connections. However, broadening the IPS technology further – primarily towards usage as a gateway or perimeter network segregator – already the first generation of “IPS+” devices have extended the basic suite of security functions to include VPN tunnelling, anti-virus, anti-spam, content-filtering, caching and proxying. Advanced features such as these enable the device to provide front-line defences for the organisation against threat from a shared or non-trusted network such as the Internet – while also simplifying the network topology.

Although multiple vendors have chosen to supply network appliances providing this enhanced IPS functionality, there is no common nomenclature – instead terms such as “Gateway Appliance”, “Perimeter Defence System”, “Border Defence Appliance”, etc. have been used. Until such an agreed name is developed, “IPS+” will be satisfactory for now.

Just as IPS technology represents an evolution of routers and NIDS, IPS+ represents a technological leap over Firewalls and other DMZ-based security tools. An IPS+ appliance is capable of replacing border firewalls, along with related border defences such as STMP anti-virus, VPN’s, content filtering and proxying – thereby greatly simplifying the normally complex and often distributed DMZ environment, and bringing together similar security defences into a single manageable device.

These IPS+ devices are therefore capable of one-for-one firewall replacement – being located at the same infrastructure location. The ability to replace a firewall with an IPS+ device, and consequently remove other “Internet visible” hosts at the same time, will appeal to almost all organisations. At this early stage of first generation IPS+ appliances, it is likely that they would be best suited for small to medium sized enterprises, as well as the satellite offices or branches of larger global enterprises.

Indeed, the case for upgrading to the new generation of IPS or IPS+ appliances is so compelling that many organisations will probably find themselves carrying out one-for-one replacements of their now legacy routers and firewalls in the next financial year.
    Copyright 2001-2007 © Gunter Ollmann