AS OF 7/31/2010 9:59PM EST
Converging IDS, IPS and the Rest of Security
By Alex Handy
June 6, 2008 —
Would you ever run a network without a firewall? In this dangerous world of constant online threats, the mere idea of ditching a firewall is sheer madness.
There’s another item that’s become indispensable for network security: intrusion prevention and detection systems. Unlike firewalls, which can be tweaked by anyone on the IT team in a pinch, these essential defense mechanisms require a dedicated employee to keep them up and running. Intrusion systems are a more complicated beast and require constant monitoring and adjusting. Will these crucial security systems ever be easier to maintain and administer in large-scale environments?
Chris McGettigan is a security analyst with Alert Logic, a Houston firm that offers a new SaaS compliance and security platform. In a previous job, however, McGettigan worked as the primary IDS monitor at a bank. In that capacity, he spent almost all of his working time poring over logs, updating signatures and tweaking filters. He said that the financial institution for which he worked needed him to stay on top of the intrusion systems simply because they constantly required adjustment and examination to remain effective.
While he’s no longer tending and caring for those systems, he said that convergence in security appliances could lead the way to simpler IDS and IPS management. “Over time reactive IPS functionality will become more integrated into the functionality of other devices, like firewalls, proxy servers and even the operating system,” McGettigan said, adding that, to a large degree, this is happening already with Cisco’s ASA appliance and some of Websense’s products.
Merging the Boxes
John Yun, product marketing manager at the high-end business unit at Juniper, said that IPS systems tend to be viewed by IT shops as advanced firewalls. As such, some of his company’s IPS/IDS systems are available as bolt-on modules for its NetScreen firewalls. The advantage of this approach, said Yun, is that the individual modules and devices available from Juniper can be administered in bulk through unified management consoles. That allows more integration of devices.
Yun did say, however, that the merging of capabilities is still underway at Juniper. “From a market perspective, the routing and security infrastructure is blurring. From an organizational perspective, that’s mixing as well. They say, ‘I want the fastest router, but I need some other capabilities too.’ Let’s take the best parts of Screen OS and then let’s take the routing and robust features out of JUNOS and merge them,” said Yun, describing Juniper’s plans for the future.
That’s a future with fewer operating systems running on their hardware. Juniper will be bringing together the Screen OS that runs its firewalls and the JUNOS that runs its routers, focusing on a singular view of the entire network, said Yun.
Yun also predicted that such merged devices are more likely to be deployed in the smaller branch offices of enterprises, meaning that convergence will likely begin at the edges of the network.
“We do see that there’s an area where there’s a need for a converged OS and converged products. We’re going in that direction with the J series. That’s a services router and a secure router. It’s always been based on JUNOS. Someone configuring a router is very different from someone who’s writing a security policy. The branch is really the first place people want to do this,” said Yun, suggesting that these devices need to be easy to administer.
Elsewhere, companies like Network Box have already released converged security hardware that includes IDS, IPS, firewall, VPN and spam filtering in one machine. With systems of this type, though, the question becomes: what should be merged?
Raffael Marty, senior product manager and chief security strategist at Splunk, thinks that merging IDS/IPS capabilities into firewalls makes the most sense. In fact, he said, this is already happening.
“I think we see that already, like with application layer firewalls and content filtering systems. They’re nothing more than an IDS and firewall combined operating on layer 6 or 7,” said Marty. “It makes a lot of sense.”
It makes sense to merge these two, said Marty, because criminals have changed their tactics over the past few years. “The crime landscape has really shifted. We used to be worried about network layer attacks, TCP/IP attacks where funky flags were crashing your systems. This is gone. We really don’t worry about them anymore. We have systems to stop these attacks. The crime has shifted up to the application layer. There are attacks over instant messaging, there are SQL injections, there are application layer attacks. You have to start blocking the traffic based on the application layer data, and that’s where the IDS firewall combo makes sense.”
You’ve Come a Long Way, Baby
Marty said that IDS and IPS have come a long way since the products were first offered after the turn of the century. He attributes this to manufacturers attempting to solve the persistent problem of intrusion detection and prevention systems. The reason they require a dedicated employee to manage? Too many alerts.
“It’s much easier nowadays to look at the alerts coming from an IDS than it was five years ago. There’s more context to alerts. It’s much easier to understand than looking at the textual information,” said Marty. He added that IDS and IPS makers are “being very conscious of not having these machines throw so many alerts. I think even if you get really sophisticated, you have an info management problem, you have this one silo that’s the IDS, then you have a firewall, applications, and you monitor your routers and OSes and that’s all kind of in silos right now. If you start modeling the network in your IDS and your IPS, you don’t have that info in all the other devices.
“You go into the firewall, and you’re modeling the network again in that system. Then you go to the next silo and you have to configure that again. What a lot of people are doing is using overarching technology, like security event management. You teach about the environment, then you consume all the events from the other silos,” said Marty.
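The “overarching” security event management layer Marty describes is easy to sketch in code: each silo keeps its own log format, so the management layer normalizes every record into one event schema and then correlates across silos. The example below is added here to illustrate that idea; it is not code from the article or from Splunk, Juniper or any other vendor named in it. The three log formats, the host and device names, the `sig-0001` signature id and the addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalized record, whatever silo it came from."""
    ts: datetime
    silo: str      # device class that produced it: firewall, ids or host
    src_ip: str
    dst: str       # destination address or host name, as the silo reports it
    detail: str


# Constructed sample lines; the formats are invented for this example and
# only loosely resemble a firewall log, an IDS alert and a Linux auth log.
FIREWALL_LINES = [
    "2008-06-06T10:00:01 fw1 ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2008-06-06T10:00:05 fw1 DROP src=198.51.100.9 dst=192.0.2.10 dport=23",
]
IDS_LINES = [
    "2008-06-06T10:00:03 ids1 [sig-0001] SSH brute force attempt 203.0.113.7 -> 192.0.2.10",
]
AUTH_LINES = [
    "2008-06-06T10:00:04 srv10 sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "2008-06-06T10:00:06 srv10 sshd[1235]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) \[(?P<sig>[^\]]+)\] "
                    r"(?P<msg>.+?) (?P<src>\S+) -> (?P<dst>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
                     r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), "firewall", m["src"], m["dst"],
                 f"{m['action']} to port {m['dport']}")


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), "ids", m["src"], m["dst"],
                 f"{m['sig']}: {m['msg']}")


def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    # The host log has no destination IP; the host name is the best it offers.
    return Event(datetime.fromisoformat(m["ts"]), "host", m["src"], m["host"],
                 f"failed login for {m['user']}")


def normalize_all():
    """Teach the management layer each silo's format once, then consume them all."""
    events = []
    for parser, lines in ((parse_firewall, FIREWALL_LINES),
                          (parse_ids, IDS_LINES),
                          (parse_auth, AUTH_LINES)):
        events.extend(e for e in map(parser, lines) if e is not None)
    return events


def correlate(events, window=timedelta(minutes=5), min_silos=2):
    """Collapse events sharing a source into one incident when at least
    min_silos different device classes saw that source within the window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    incidents = []
    for src_ip, group in by_src.items():
        group.sort(key=lambda e: e.ts)
        i = 0
        while i < len(group):
            end = group[i].ts + window
            bucket = [e for e in group[i:] if e.ts <= end]
            silos = {e.silo for e in bucket}
            if len(silos) >= min_silos:
                incidents.append({
                    "src_ip": src_ip,
                    "silos": silos,
                    "events": len(bucket),
                    "first": bucket[0].ts,
                    "last": bucket[-1].ts,
                    "summary": [f"{e.silo}: {e.detail}" for e in bucket],
                })
                i += len(bucket)   # these events are accounted for
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    evs = normalize_all()
    for inc in correlate(evs):
        print(f"{inc['src_ip']} seen by {sorted(inc['silos'])}, {inc['events']} events")
        for line in inc["summary"]:
            print("   ", line)
```

On the constructed input, five raw records from three silos become one incident for `203.0.113.7`, carrying the context from every silo, while the single dropped connection from `198.51.100.9` never rises to an incident. That is the alert-volume reduction Marty attributes to adding context: the analyst reads one correlated record instead of three unrelated ones.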
But Marty is skeptical of the idea that intrusion prevention and detection systems can ever truly be hands-off. “In the end, I don’t think we will ever get to the point where you can completely forget about these systems, because they need care. They are fairly demanding with the signature updates. It’s the same old rat race between hackers and security people, where a new exploit comes out [and] you need to update your IDS to recognize it. Companies are building automated ways to do this, but in the end you may get a false positive and you have to tweak the signature yourself.”
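Two of Marty’s points, blocking on application-layer data rather than packet flags, and the false positives that force an operator to tweak signatures by hand, come together in a small inspection engine. The following is an added example, not code from the article or from any product it mentions. The signature ids (`app-0001` and so on), the patterns, the request paths and the `EXCEPTIONS` tuning table are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Signature:
    sid: str
    description: str
    pattern: re.Pattern
    action: str  # "block" drops the request, "alert" only records it


# Hypothetical application-layer signature set (constructed for this example).
SIGNATURES = [
    Signature("app-0001", "SQL injection tautology in a parameter",
              re.compile(r"(?i)\bor\b\s+'?\w+'?\s*=\s*'?\w+"), "block"),
    Signature("app-0002", "SQL UNION SELECT in a parameter (noisy, so alert only)",
              re.compile(r"(?i)\bunion\s+(all\s+)?select\b"), "alert"),
    Signature("app-0003", "Directory traversal sequence in a parameter",
              re.compile(r"\.\./"), "block"),
]

# Tuning table: known false positives, as path prefixes under which a signature
# is suppressed and logged for review instead of acted on. This is the
# "tweak the signature yourself" step after a false positive shows up.
EXCEPTIONS = {
    "app-0002": ("/search",),   # the site's own search box legitimately sees SQL keywords
}


def inspect(request, signatures=SIGNATURES, exceptions=EXCEPTIONS):
    """Return (verdict, hits) for one request; verdict is block, alert or pass.

    hits lists (signature id, outcome) so suppressed matches are still visible
    to whoever reviews the tuning table.
    """
    # Decode the way the application would, so URL-encoded payloads are not missed.
    fields = [unquote_plus(request.get("query", "")), unquote_plus(request.get("body", ""))]
    hits = []
    for sig in signatures:
        if not any(sig.pattern.search(f) for f in fields):
            continue
        if request["path"].startswith(exceptions.get(sig.sid, ())):
            hits.append((sig.sid, "suppressed"))
        else:
            hits.append((sig.sid, sig.action))
    actions = {outcome for _, outcome in hits}
    verdict = "block" if "block" in actions else "alert" if "alert" in actions else "pass"
    return verdict, hits


# Constructed sample requests: one injection attempt against a login form,
# one legitimate search that trips the noisy signature, one benign request,
# and one traversal attempt against a download handler.
SAMPLE_REQUESTS = [
    {"path": "/login", "query": "", "body": "user=admin%27+OR+%271%27%3D%271&pass=x"},
    {"path": "/search", "query": "q=union+select+tutorial", "body": ""},
    {"path": "/products", "query": "category=books&page=2", "body": ""},
    {"path": "/download", "query": "file=..%2F..%2Fconfig.ini", "body": ""},
]


def run_samples(exceptions=EXCEPTIONS):
    """Verdict for each sample request, with the given tuning table applied."""
    return [inspect(r, exceptions=exceptions)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:5}  {req['path']}  hits={inspect(req)[1]}")
    print("without tuning:", run_samples(exceptions={}))
```

Run without the tuning table, the search request is flagged as an alert; with the `/search` exception in place it passes, but the match is still recorded as `suppressed` rather than silently discarded. That distinction matters in practice: a suppression that hides matches entirely is a blind spot, while one that keeps them visible lets the operator check later whether the exception is still justified or the signature itself should be narrowed.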
http://www.sysmannews.com/link/32320