One of the truly overused clichés of our industry is the line, "there is no such thing as a silver bullet." Possibly the reason that expression will not go away is that we really do need to keep reminding ourselves of that fact. Everyone who has deployed or managed a firewall has heard someone ask, "Why do we have to patch? We are behind a firewall." In this section of the chapter, we take some time to consider the things that an IPS cannot possibly do for you. As an informed technical professional, when you hear that an IPS must be fast, keep state, know the application protocol or behavior, be accurate and up to date, and be able to nullify an attack, you understand that there are discrete technical limits to the implementation. A NIPS might be able to defend well against 800 different attacks, but there could be thousands more for which it has no signature. An IPS is a useful tool, but it is only one part of our overall defensive capability.
An Excuse to Ignore Sound Practice
A major focus of this book is sound practice. IPS technology is a step forward, which is good, but we are in a game of measures and countermeasures. You cannot employ IPS technology and fail to implement the guidance contained in the other chapters of this book. The attackers will likely find ways to circumvent the protections an IPS provides. The 1998 paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection," by Thomas Ptacek and Timothy Newsham, is still valuable as a reminder of the potential weaknesses NIPS may have. The paper is available at http://www.insecure.org/stf/secnet_ids/secnet_ids.html. In addition, worms such as Goner and Gokar directly targeted host security tools such as antivirus. It is clear attackers will attempt to circumvent or even directly attack our IPS tools, so we need to create an architecture that can survive even if the IPS fails.
An IPS Simply Buys You Time
Deploying an intrusion prevention system is not a replacement for patch management and system hardening. Instead, you are hoping it buys you a valuable asset: time in the race before the next worm is released. Organizations using IPSs are often able to extend the amount of time they have to deploy patches for operating system and application flaws. They can potentially delay the deployment of fixes until several patches have accumulated and a window for scheduled maintenance of equipment is available. And we need all the time we can get. What's more, sometimes patching is not possible.
Like IDS, IPS is not a fire-and-forget technology. It requires significant maintenance and monitoring to be an effective defense tool. IPS is also not an inexpensive tool for enterprise-wide deployment.
Next, we will consider the best-known form of IPS, network-based IPS devices, or NIPS.