Ever since Gartner declared "IDS is Dead", you would have thought that the rush of vendors putting out IDP systems would by now have solved all problems and resulted in a dramatic reduction of viruses, worms and whatnot. But it just isn't so; corporations have balked at using IDP in-line.
Why is this? Simply put, IDP lacks the information to make accurate decisions, and as a consequence tends to make the wrong ones. And the wrong decision, from an intrusion prevention perspective, is to deny valid traffic at the first hint of an alert. Current IDP is like a police marksman confronted with a hostage and a hostage taker: use the wrong weapon (such as a shotgun) and you take out the hostage as well as the criminal.
The problem is that current generation IDP lacks context about the network. It may positively identify an attack, but it knows nothing about the target's likelihood of succumbing to the attack. An IDS can simply alert on anything that looks alarming, and generate many (false positive) events. An IPS does not have that luxury. So IPS vendors reduce the number of active rules to combat this, which simply defers the issue. Eventually, more rules must be made available to deal with the larger number of attacks.
But a larger problem lies at the heart of IPS. An IPS can only detect the act of infection, whereas companies also need to detect the result of infection. Why? Because people take their laptops home, or take them to Starbucks. And once off the corporate LAN, they can roam wherever they like, pick up something nasty and bring it back to the office.
Gartner have hinted at the solution to this problem: Continuous scanning. Yet continuous scanning is not possible in the traditional sense, as scanning is by definition an iterative process. Also, scanning is an intrusive technology, which uses network bandwidth and can induce software instabilities in the scanned machines.
A better approach is to acquire information about network assets without resorting to intrusive means. This can be achieved by using a passive approach such as fingerprinting methods to profile the network. Such passive asset detection can determine OS vendor, OS version, services and service revision levels, and hence likely vulnerabilities: all information vital in providing network context. This method has another advantage: it profiles machines much faster than active scanning, as it is bounded by the line speed of the network, not by the response time of the queried machine.
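The following is an added illustration, not code from the article or from any vendor product: a minimal passive profiler that infers an OS guess from the initial TTL and TCP window of observed SYNs, records service versions from banners seen on the wire, and then uses that inventory as the "network context" an IDS alert lacks, suppressing alerts against hosts that cannot be affected. The signature table, banner patterns and sample observations are constructed assumptions for the example only.

```python
import re
from dataclasses import dataclass, field

# Constructed sample signatures: (initial TTL, TCP window size) -> OS guess.
# Real passive fingerprinting tools carry far richer signature sets.
TCP_SIGNATURES = {(64, 5840): "Linux", (128, 65535): "Windows", (255, 4128): "Cisco IOS"}
# Constructed banner patterns -> (service name, captured version string).
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-2\.0-OpenSSH_([\w.]+)")),
    ("http", re.compile(r"^Server: Apache/([\d.]+)")),
]

@dataclass
class Asset:
    ip: str
    os: str = "unknown"
    services: dict = field(default_factory=dict)  # port -> (service, version)

def initial_ttl(observed_ttl):
    """Round a hop-decremented TTL up to the likely initial value (64/128/255)."""
    for base in (64, 128, 255):
        if observed_ttl <= base:
            return base
    return observed_ttl

def observe_syn(inventory, src_ip, ttl, window):
    """Profile src_ip from the IP TTL and TCP window of a SYN it sent."""
    asset = inventory.setdefault(src_ip, Asset(src_ip))
    asset.os = TCP_SIGNATURES.get((initial_ttl(ttl), window), asset.os)
    return asset

def observe_banner(inventory, ip, port, banner):
    """Record service and version from a server banner observed on the wire."""
    asset = inventory.setdefault(ip, Asset(ip))
    for name, pattern in BANNER_PATTERNS:
        match = pattern.match(banner)
        if match:
            asset.services[port] = (name, match.group(1))
    return asset

def alert_matters(inventory, target_ip, target_port, affected_os, affected_service, affected_versions):
    """Keep an IDS alert only if the target runs the affected OS (when given) and the
    affected service version on that port; with no inventory entry, trust the alert."""
    asset = inventory.get(target_ip)
    if asset is None:
        return True
    if affected_os and asset.os != affected_os:
        return False
    if affected_service:
        svc = asset.services.get(target_port)
        if svc is None or svc[0] != affected_service or svc[1] not in affected_versions:
            return False
    return True
```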