One of the enduring clichés of our industry is the line, "there is no such thing as a silver bullet." Possibly the reason that expression will not go away is that we really do need to keep reminding ourselves of that fact. Everyone who has deployed or managed a firewall has had someone ask, "Why do we have to patch? We are behind a firewall." In this section of the chapter, we take some time to consider the things that an IPS cannot possibly do for you. As an informed technical professional, when you hear that an IPS must be fast, keep state, know the application protocol or behavior, be accurate and up to date, and be able to nullify an attack, you understand that there are discrete technical limits to any implementation. A NIPS might defend well against 800 different attacks, but there could be thousands more for which it has no signature. An IPS is a useful tool, but it is only one part of our overall defensive capability.
An Excuse to Ignore Sound Practice
A major focus of this book is sound practice. IPS technology is a step forward, which is good, but we are in a game of measures and countermeasures. You cannot deploy IPS technology and then fail to implement the guidance contained in the other chapters of this book. Attackers will likely find ways to circumvent the protection an IPS provides. The 1998 paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," by Thomas Ptacek and Timothy Newsham, is still worth reading as a reminder of the potential weaknesses NIPS may have. The paper is available at http://www.
.org/stf/secnet_ids/secnet_ids.html. In addition, worms such as Goner and Gokar directly attack host security tools such as antivirus. It is clear that attackers will attempt to circumvent or even directly attack our IPS tools, so we need to create an architecture that can survive even if the IPS fails.
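To make the insertion and evasion problem concrete, here is a small added example written for this discussion; it is not code from the Ptacek and Newsham paper, nor from any IPS product. It models the same TCP segments as seen by three detectors: a per-packet signature match, a sensor that reassembles everything it sees, and the protected host, whose stream omits segments whose TTL expires on the way. A fourth, strict sensor refuses to guess when two segments disagree about a byte. The request string, the signature, the segment boundaries, the three-hop distance from sensor to host, and the first-byte-received-wins overlap policy are all constructed assumptions; real stacks differ in exactly these details, which is what makes the attack possible.

```python
"""Constructed model of NIDS/NIPS evasion and insertion (added example).

Three detectors look at the same TCP segments:
  per_packet     - matches the signature inside each segment on its own
  sensor_stream  - reassembles every segment it sees, first byte received wins
  host_stream    - what the protected host actually reassembles: segments whose
                   TTL expires before reaching the host never enter its stream
A fourth, strict_sensor, refuses to guess when two segments disagree about a
byte, so the ambiguity surfaces as an alert instead of a silent miss.
All traffic below is constructed for the example.
"""
from dataclasses import dataclass

# Pattern the signature engine looks for (illustrative, not a real rule).
SIGNATURE = b"/cgi-bin/phf"
REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\n"
HOPS_TO_HOST = 3  # routers between the sensor and the host (assumed)


@dataclass
class Segment:
    seq: int        # byte offset of payload[0] within the stream
    payload: bytes
    ttl: int = 64   # IP TTL as observed at the sensor


def reassemble(segments, hops_to_host=None, flag_conflicts=False):
    """Rebuild the byte stream from segments taken in arrival order.

    hops_to_host: if given, drop segments whose TTL cannot survive that many
      more routers, i.e. model what reaches the host rather than the sensor.
    flag_conflicts: if True, return None as soon as two accepted segments carry
      different bytes for the same offset; the sensor cannot know which one
      the host's stack will keep.
    Overlap policy: the first byte received for an offset wins (assumption).
    """
    stream = {}
    for seg in segments:
        if hops_to_host is not None and seg.ttl <= hops_to_host:
            continue  # TTL reaches zero and the segment is discarded en route
        for i, byte in enumerate(seg.payload):
            offset = seg.seq + i
            if offset in stream:
                if flag_conflicts and stream[offset] != byte:
                    return None
                continue
            stream[offset] = byte
    return bytes(stream[k] for k in sorted(stream))


def verdicts(segments, hops_to_host=HOPS_TO_HOST, signature=SIGNATURE):
    """Return what each detector concludes about the same segments."""
    strict = reassemble(segments, flag_conflicts=True)
    return {
        "per_packet": any(signature in seg.payload for seg in segments),
        "sensor_stream": signature in reassemble(segments),
        "host_stream": signature in reassemble(segments, hops_to_host),
        "strict_sensor": "ambiguous" if strict is None else signature in strict,
    }


def plain_attack():
    """The request in a single segment; every detector sees it."""
    return [Segment(0, REQUEST)]


def split_evasion():
    """Evasion: the signature never sits whole inside any one segment."""
    return [Segment(0, b"GET /cgi-"),
            Segment(9, b"bin/ph"),
            Segment(15, b"f HTTP/1.0\r\n")]


def insertion_evasion():
    """Insertion: a chaff byte with TTL 1 reaches the sensor but not the host."""
    return [Segment(0, b"GET /cgi-bin/p"),          # offsets 0..13
            Segment(14, b"X", ttl=1),               # dies at the first router
            Segment(14, b"hf HTTP/1.0\r\n")]        # real data, arrives second


if __name__ == "__main__":
    for name, case in (("plain", plain_attack()),
                       ("split", split_evasion()),
                       ("insertion", insertion_evasion())):
        print(f"{name:>9}: {verdicts(case)}")
```

Run stand-alone, the per-packet matcher misses both evasions, the reassembling sensor catches the split request but is fooled by the inserted chaff byte, and the host stream shows that the host was attacked in all three cases. The strict sensor is the practitioner's takeaway: when a sensor cannot know which overlapping byte the end host will keep, the honest outcome is an "ambiguous" alert (or normalizing the traffic before it reaches the sensor so no ambiguity remains), not a silent clean verdict.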
An IPS Simply Buys You Time
Deploying an intrusion prevention system is not a replacement for patch management and system hardening. Instead, you are hoping it buys you a valuable asset: time in the race before the next worm is released. Organizations using IPSs are often able to extend the amount of time they have to deploy patches that resolve operating system and application flaws, delaying the deployment of fixes until several patches have accumulated and a window for scheduled maintenance of equipment is available. And we need all the time we can get. What's more, sometimes patching is not possible.
Although patching is necessary, as we show in Chapter 19, "Maintaining a Security Perimeter," there are serious constraints to patching, and sometimes it can be a difficult problem. Dr. Marc Willebeek-LeMair, CTO of TippingPoint Technologies, points out, "It is important to understand what it takes to patch a vulnerable system." Here are some points to consider:
Is a patch available? Vulnerabilities are often disclosed before a vendor patch is available, and sometimes vendors don't bother creating patches for older versions of software.
Are you aware of all systems to which the patch applies? Mobile systems, embedded software within bundled applications, and the sheer size of some organizations make it very difficult to identify all vulnerable systems. Telecommuters and trusted partner connections further complicate matters.
Do you have access to all affected systems? Owners must often be contacted to apply a patch, and some may not be available during the patching interval, or their systems may be temporarily inaccessible.
Is there an opportunity to bring down critical systems to apply the patch? Fully redundant systems are costly and not always possible. There is never a good time to bring down critical systems.
After testing in the lab and on development systems, can you afford the risk to then test the patch on critical systems to verify that it works and does not adversely affect business-critical applications? Thorough testing can be very time consuming. Besides the fact that the patch may be faulty, custom applications may interact unfavorably with the new software patch.
Should you wait until next week and apply multiple patches at the same time? The frequency with which new vulnerabilities are discovered and patches are made available is so high that IT managers are challenged to keep up. They would rather batch fixes to minimize IT overhead and system downtime.
Finally, do you have the resources to apply a patch? The number of patches multiplied by the number of machines multiplied by the time to patch each machine ("patch-hours" of work) may exceed IT capacity.
Like IDS, IPS is not a set-and-forget technology. It requires significant maintenance and monitoring to be an effective defense tool. IPS is also not an inexpensive tool for enterprise-wide deployment.
Next, we will consider the best known form of IPS, network-based IPS devices, or NIPS.