
Testers praise Intrusion Prevention Systems

After a year of heavy criticism, independent testers fly the flag for IPS.

The controversy surrounding the use of network intrusion tools shows no signs of slowing, with a group of independent testers coming out strongly in favour of so-called Intrusion Prevention Systems (IPS). The NSS Group - noted experts in this field - has nailed its colours to the mast and come out in favour of IPS following extensive tests of the main products on the market.

Author of a freely available report of the tests, Bob Walder, explained: “Each of the IPS products in our labs acquitted themselves well during the tests, and some were outstanding, confirming that IPS devices are ready for prime-time deployments in any size of organisation.”

This claim flies in the face of a much-publicised report by Gartner in June 2003, where VP Richard Stiennon wrote off such systems. Also referring to Intrusion Detection Systems (IDS), Stiennon made a bold claim when he stated: “Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled.”

That, and other rash statements made in the report - itself provocatively titled “Intrusion Detection Is Dead - Long Live Intrusion Prevention” - caused much anger among vendors and system administrators, who were put on the back foot and forced to defend their investments.

However, with the attention-grabbing remarks removed, Gartner’s report made some valid observations. It warned that the future was likely to be in “deep-packet inspection” firewalls, and that currently both IDS and IPS suffer from “false positives” - namely that they report something normal as suspicious too frequently.

No one has questioned the issue of false positives, but several valid arguments have been made for their acceptance. False positives are, after all, inevitable in a system that is actively seeking to find things that other security measures have not found. It would be more worrying if there weren’t any, as that would imply no one is trying to gain access to a network or that the system is 100 per cent effective - neither of which will ever be true. Some have argued that false positives may even be flagging as-yet-unfound flaws in a network; that IDS/IPS may be the ultimate diagnostic tool.

However, reducing the number of false positives has been foremost in vendors’ minds, and according to NSS, they have largely managed it.

“Nothing is perfect,” Bob Walder told us, “false positives will always be the bane of the security administrator's life, and despite the vendor's best efforts, the initial configuration and policy tuning exercise required when deploying IPS products is likely to be quite painful for some time to come. But these products are improving all the time. The key point to bear in mind is - they are the best tool we have available at the moment.”

Walder also points out that Stiennon’s original claims that the systems could not work at an appropriate speed are not true - something that Stiennon was forced to acknowledge soon after his report was released.

However, NSS and many security experts do still see more advanced firewalls as a likely contender to the network security crown, as Gartner predicted. The difference is that such firewalls are still some way off (Gartner says 2005; others say later) and in the meantime companies and governments across the world want to protect their networks from attack.

The good news, according to NSS, is that the scaremongering was unjustified and IDS/IPS products are up to the job right now. That fact won’t grab as many headlines as Gartner’s summer report but it will certainly prove more useful.

You can read Bob Walder’s perspective on network protection here.




