InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Oct 2009

Industry Trend

IPS Solutions:
What Does The Future Look Like?

With their advanced and effective approach, IPS solutions still dominate a significant portion of the security market today. But with the rapid evolution of hacking attacks, IPS solutions must also advance in design and nature. This article primarily discusses the design challenges for next generation IPS solutions and what their future trend is likely to be.

Hacking, and more broadly cybercrime, poses a major threat to everyone connected to the Internet today. Unauthorized access to your system, and more precisely to your sensitive data, will cause loss of proprietary data, fraud, destruction and operational paralysis. The more careless an organization is about its information security, the greater its risk of being hacked – and the bigger the challenge (and thus the payoff) for an illegal hacker.

As hackers today are very intelligent and attack less secured systems with sophisticated and complicated tools, businesses must take every precaution to prevent successful attacks. Firewalls and anti-virus programs are not enough today, as they offer only reactive measures. Organizations must constantly map and monitor activities to prevent hackers from slipping anything past their networks’ defenses.

Intrusion prevention systems were invented to resolve the ambiguities of passive network monitoring by placing detection systems in-line. Evolving hacking methods are increasing in complexity and becoming at once more dangerous and more difficult to detect. To effectively protect their network and its users, intrusion prevention systems need to be one step ahead of any threat. As a solution, the Intrusion Prevention System (IPS) inspects all inbound and outbound network activity. It identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. It not only provides policies and rules for network traffic to alert network administrators of suspicious traffic, but also allows the administrator to take action upon being alerted. In the process it protects against nefarious network threats like buffer overflows, worms targeting vulnerabilities in network services, and rate-based denial-of-service attacks.

But as attack methods are evolving very fast and growing complex in nature, IPS systems also need a faster response to address the challenges. So designing the next generation of IPS solutions has become an imperative for all vendors globally, and hopefully their relentless effort has already made a paradigm shift in this space.

Designing Challenges and Efforts

As the information explosion is happening at an unprecedented rate, and moreover new devices are being connected to corporate information networks every day, the job of IT managers has become a real challenge, and they have to think of an intelligent security approach to tackle the volatile environment. An effective IPS solution has to be competent and able to monitor network activities for malicious or unwanted behavior, and to react by blocking those activities in real time.

Operating system providers, software application developers and solution providers are put under ever increasing pressure to roll out components continuously, at reduced cost and meeting higher performance objectives. Many times vulnerabilities are left unaddressed. At the same time, faster business cycles and go-to-market needs require vendors to release changes on the fly with little formal release control, testing or sight of the big picture, including security needs. This creates an immense opportunity for IPS solutions. However, such opportunities do not come without challenges. Even if formal control is exercised by such vendors and vulnerabilities are communicated in advance to the IPS development communities, the time to react to those vulnerabilities is typically getting smaller and smaller. “This is the biggest challenge in the designing of the next generation prevention solution”, Tech Mahindra believes. The solution must be able to position itself faster than the pace at which system or application vulnerabilities can be hacked, and thus “quickly react”. The IPS solution must fortify the protection system by vaccination or continuous upgrades. While vulnerabilities are increasingly introduced, a sophisticated supply chain of network abusers and malware developers is at work globally. They are organized, with ulterior motives and financial strength. In effect, the “windows available” for developing such protection systems for a vulnerability have reduced significantly.

According to Subhomoy Biswas, Country Director, India & SAARC, SonicWALL, some factors must be considered when designing IPS systems, including where the IPS features will be built, the device’s location in the network, the expected throughput and required level of availability, the desired user experience, and other services to be supported by the device, such as virtual private networking (VPN).

Designers must also consider price vs. performance, time-to-market and target market. IPS performance is less demanding in a small business environment than in a large enterprise environment, and the expected throughput—which is directly proportional to the available bandwidth—will be very different in these two situations. The IPS can be designed to handle all of the network’s traffic (i.e. throughput) or just a portion of it. For example, instead of routing all network traffic through the IPS device, a port can be chosen on the switch. Intelligent switches can redirect the traffic from a particular port to the IPS based on observation of some anomalous network behaviour. Firewalls can selectively apply intrusion prevention for specific protocols or just to the traffic addressed to specific IP addresses. Other factors impacting the design include the use of acceleration and the processor type. The choice of processor and its performance has a direct impact on latency and throughput.

Experts believe that enterprises take longer cycles to apply patches for vulnerabilities. Moreover, not all vulnerable systems are patched, and in fact new sets of vulnerable systems join networks without the appropriate patches. This makes a hacker’s effort to launch attacks against vulnerabilities rewarding even when patches have been available for a long time. As an effect, the individual IPS signatures to detect those attacks linger for longer in the signature database. Managing such a large base of signatures is quite challenging, especially when the IPS throughput cannot be allowed to deplete.

Another approach, alongside these signature based IPS systems, is to design a system working on the principle of proactive measures. With the ability to “proactively manage the threat environment”, the system must be able to defend against zero-day or zero-hour attacks, resulting in least or no impact from the vulnerability. The challenge here is to define the normal situation. The normal situation differs across different networks, protocols and types of data exchanged. Typical traffic to a mail server behaves differently from that of a chat server or a real-time streaming system. The underlying protocols are different, and so are the payloads. To cater for such “wide operational scope”, the required variety of fortification increases exponentially. The design must not limit the “functionality and variety of network”.

Above all, the design requirements will further impose thrust on “deep inspection” and “context sensitive evaluation”. This means that correlation of security events across multiple sources of alarms and alerts, and consultation of an expert system or decision support system, will be mandated. Again, to proactively manage threats, the system must learn the description of the normal situation through complex heuristic implementation and processing of huge chunks of data in real time. This imposes a “large processing requirement on the network interfaces” and makes the solution expensive or extremely non-functional.

Fortinet strongly believes that the ideal next generation Intrusion Prevention solution should have a customizable database of thousands of known threats to stop attacks that evade conventional firewall defenses, plus anomaly-based detection that enables the system to recognize threats for which no signature has yet been developed. It also has to stop the most damaging attacks at security check points regardless of whether the network is a wired, wireless, partner extranet, or branch office network connection. Thus, a highly competent real-time update centre is required as a service.
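The two mechanisms the preceding paragraphs describe, a signature database and a per-service definition of “normal” against which anomalies are judged, can be illustrated with a small in-line decision engine. This is an added example, not code from the magazine or from any vendor quoted here; the signatures, the static baseline thresholds (a stand-in for a learned baseline), the port numbers and the flow records are all constructed for illustration.

```python
# Toy in-line IPS decision engine combining the two approaches discussed above:
# a signature database plus a per-service baseline of "normal" traffic. Added
# illustration, not any vendor's code; signatures, thresholds and flows are constructed.
from collections import defaultdict, deque, namedtuple

# One flow record: source address, service port, first payload bytes, arrival time (s).
Flow = namedtuple("Flow", "src dst_port payload ts")

# Constructed signatures: (id, destination port or None for any, byte pattern).
SIGNATURES = [
    ("SIG-0001", 80, b"../../etc/passwd"),   # path traversal against a web server
    ("SIG-0002", None, b"\x90" * 32),         # long NOP sled, crude overflow hint
]
# Constructed baseline: max new flows per source per 10 s window, by service.
# As the text notes, "normal" differs by protocol: mail vs. chat vs. web.
BASELINE = {25: 20, 5222: 200, 80: 100}

class ToyIPS:
    def __init__(self, window=10.0):
        self.window = window
        self.history = defaultdict(deque)   # (src, port) -> recent timestamps

    def match_signature(self, flow):
        for sig_id, port, pattern in SIGNATURES:
            if (port is None or port == flow.dst_port) and pattern in flow.payload:
                return sig_id
        return None

    def over_baseline(self, flow):
        hist = self.history[(flow.src, flow.dst_port)]
        hist.append(flow.ts)
        while hist and hist[0] < flow.ts - self.window:   # slide the window
            hist.popleft()
        limit = BASELINE.get(flow.dst_port)
        return limit is not None and len(hist) > limit

    def decide(self, flow):
        # Signature hit: block. Baseline breach: rate-limit (rate-based DoS response).
        sig = self.match_signature(flow)
        if sig:
            return ("BLOCK", sig)
        if self.over_baseline(flow):
            return ("RATE_LIMIT", f"{flow.src} above baseline on port {flow.dst_port}")
        return ("ALLOW", None)

def run_demo():
    # Constructed traffic: a traversal request, a normal chat flow, then 25 SMTP
    # connections from one source inside a single window (baseline limit is 20).
    ips = ToyIPS()
    results = [ips.decide(Flow("10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.0", 0.0)),
               ips.decide(Flow("10.0.0.7", 5222, b"<message/>", 1.0))]
    for i in range(25):
        results.append(ips.decide(Flow("10.0.0.9", 25, b"EHLO mx", i * 0.1)))
    return results
```

Note that the same 25 connections would pass unnoticed on the chat port, whose constructed baseline is ten times higher, which is the point the text makes about “normal” differing per service.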

Can Next Generation Processors Help IPS Solutions?

An IPS uses highly specialized algorithms to inspect and analyze packets associated with a specific session or flow. Such systems must scale from a few Mbps to 1 or 10s of Gbps, and even to 100s of Gbps (viz., Carrier Ethernet), depending on their location in the network. It is beyond the capacity of a single processor or stand-alone appliance to attain such throughputs. There is extreme pressure to squeeze more processing power into the appliances. Thus IPS vendors are already using processors beyond dual cores. Quad Core Intel Xeon 5300 and the likes of Octeon from Cavium and Opteron from AMD power the high-end IPS devices. However, next generation processors with better speed, throughput and memory are now a standing need for the community. Concurrent processing beyond cross-binding systems, multi-threaded and multi-core systems is almost reaching its edge for high-end and next generation IPS solutions.

Therefore, at one end, providers are moving to bladed architectures such as Advanced Telecom Computing Architecture (AdvancedTCA). ATCA can provide the scalability and performance required. It is quite suited to deployment in carrier-grade networks due to the ease of designing distributed, multiprocessing and high availability systems, with great real-estate advantages like cooling and mechanical specifications. In addition, the wide range of interfaces encountered in carrier networks – including Ethernet and optical links (OC-12/OC-48/OC-192) – makes ATCA an ideal platform choice for IPS solutions.

At the other end, experts from iPolicy Networks believe that future systems will see more customized service processing modules (each with faster CPUs and specialized memory optimized for payload inspection and database access) working in parallel with specialized network processors. Network processors are programmable chips like general purpose microprocessors, but are optimized for the packet processing required in network devices: encryption and decryption, accelerated pattern matching and application specific packet filters.

Acknowledging the need for next generation processors in future IPS solutions, Vishak Raman of Fortinet India & SAARC says that next-generation processors accelerate intrusion prevention performance, enabling it to scale from SOHO appliances to multi-gigabit core network or data center platforms. This provides scalability for the end user as their network expands in the face of increased communication requirements, which translates into more threats entering the network.

Where is IT Heading?

IPS solutions are set to play a larger role in forensics data preservation by providing data to a forensics server while preserving the integrity of the data. More advanced response capabilities will allow users and organizations to choose from a wide range of response mechanisms as well as fine tune them to more closely meet their business and operational needs.

Intrusion prevention has gained in popularity to the point where it is now widely considered a mainstream security technology. Intrusion prevention is similar to intrusion detection in that it is designed to identify potential and actual security breaches in near-real time, but intrusion prevention goes farther than intrusion detection in that it provides the ability to respond defensively to attacks, thereby preventing them from succeeding – at least in the ideal case. Because so many attacks occur so swiftly, automated mechanisms designed to thwart them may not be able to stop them from initially succeeding, however. In such cases, intrusion prevention mechanisms often attempt to prevent the attack from spreading any farther.

iPolicy feels that some emerging trends will shape the future of all networked devices. They will in particular change the dynamics of supply and demand for IPS devices and their architecture. Some that immediately come to mind are as follows:

A broader range of perpetrators, who will keep enterprises, government agencies and organizations on their toes to fortify their infrastructure with state-of-the-art IPS solutions.
And finally, convergence in the communication space, including broadband and fixed mobile convergence, will further put upward pressure on demand growth and the need for holistic or integrated solutions.
As a result, IPS demand will head north with a shift towards integrated solutions. Let us consider the above points in detail:

Broader range of perpetrators leading to enhanced demand for sophisticated IPS solutions: The range of potential perpetrators and motivations to launch attacks is going to be increasingly broad, sometimes even extending beyond the economic and social fabric to national security – meaning nations involved on the sides of offense and defense. Incidentally, the Internet, or the newfound term “Cyber”, is now a part of military conflict. Therefore attack techniques and tools will evolve significantly over time. Prevention measures will have to address hybrid threats beyond hacking, virus, worm or malware attacks, spam or DDoS. Botnets are increasingly being used for other severe malicious activities which can upset businesses and even the national ecosystem. Some notable examples are click fraud, spyware features like key logging, screen capturing, network sniffing or even browser tracking, spam and phishing. Already exploit scanning is reaching the interfaces to critical infrastructure of national significance. Such a broad canvas of perpetrators will ensure demand for sophisticated IPS. Supply of IPS will be led by the provider’s ability to organize the defense line by ensuring early detection and a wholesome method to defend against the trickiest of evasions.

Convergence and Web 2.0 will compel IPS to go the UTM way: Web 2.0 has fueled the online era and is generating a lot of interest in enterprises to realign or restructure their IT infrastructure. Some argue that this will further propel the convergence of IT, mobility and telecom networks. Thus the emergence of multi-protocol and multi-utility applications is “growth insurance” for the demand for large and powerful IPS devices. Moreover, such use cases will induce further mutation of network traffic behavior. For example, online gaming on 3G handhelds is one such epitome of a use case that is increasingly gaining traffic share. It incorporates real-time multimedia and interactivity traveling across diversified and multiple networks. The access control mechanisms, metering and charging systems differ across networks. Further interaction with peer-to-peer or multicast applications will complicate the analysis by any single standby solution. In such a case, threats like denial of service, viruses, malware or adware cannot be dealt with in isolation. A typical enterprise will not face a threat of one specific kind but a mixed bag of all of them. This will push the need for UTM devices over standalone devices. Moreover, maintaining devices of several kinds, each catering to one specific need, will result in a clutter of solutions which will be expensive to manage. Over time security threats are going to evolve, and therefore the techniques will be strengthened by correlation of threat events and consolidated intelligence. Again, it is quite a challenge to provide training to administrative personnel or to undertake integration and portability of data or rules across solutions. Even the effort to manage the vendors, for example signing multiple annual maintenance contracts, will easily exceed the benefit of a best-of-breed fit for each kind of threat.

Fortinet believes that IPS demand will most probably increase in the near future due to the proliferation of the blended threatscape. Fortinet views the shift towards integrated solutions as enterprise technical managers looking for a manageable, scalable and cost-effective solution to address the security landscape. According to Cyberoam, IPS continues to thrive in the market because enterprises put their faith in Firewall / IPS solutions for high levels of security given the evolving threat landscape. As a result, enterprises are shifting their attention to IPS technology instead of merely upgrading their existing firewalls, in their quest to enhance the security of their corporate networks.

Regarding the question of whether it will remain a stand-alone or become an integrated solution, it is evident that the market for IPS is strong and is still holding on, due to demand for Firewall / IPS solutions in certain enterprise verticals. The trend in the coming times will be towards integration with UTM platforms.

Conclusion

Though experts indicate a direction towards integration with one-box solutions, IPS solutions still hold major attention in the market due to their effective security approach. Advanced actions such as bandwidth control or connection control are required for an effective response to denial of service or flood attacks, and these are effectively taken care of by IPS solutions. Also, the ability to take different actions based on the criticality of the assets under attack is still making IPS solutions effective today.

By: 'InfoSecurity' Bureau.

