
Tuesday, October 30, 2007

IPS gaining ground over IDS

IT security managers say the dangers posed by computer worms and hacker attacks have compelled them to shift defenses from passively monitoring their networks to actively blocking attacks, even though legitimate traffic sometimes gets blocked.

With the growth of intrusion-prevention systems, established IPS vendors and start-ups are introducing an ever-widening array of products.

However, while IPSs appear to be usurping intrusion-detection systems (IDS) in more organizations, they come with the risk of blocking good traffic along with bad.

"It's a calculated risk," says Chris Hoff, information security officer at Western Corporate Federal Credit Union (WesCorp) in San Dimas, Calif., about his company's decision to shift from IDS to IPS over the last six months.

WesCorp, which has $25 billion in assets and provides back-office management services to about 1,000 credit unions, deployed the Internet Security Systems (ISS) Proventia G-100 IPS appliance to start automatically blocking attack traffic. The main reason is that even one hit from the growing number of worms and hacker attempts would be too high a price to pay, Hoff says. However, the downside is that legitimate traffic occasionally is blocked along with attack traffic, he adds.

"Legitimate traffic can be blocked, and we spend an enormous amount of time tracking down false positives and false negatives," Hoff says. He adds that there needs to be improvement in IPS blocking to filter out the "harmful stuff" while allowing good traffic through.

In spite of the problems false positives cause - the same kind that plagued passive IDS sensors over the years - Hoff says he has no intention of giving up intrusion prevention. He adds that WesCorp isn't buying network-based IDS any more. Instead, the company is using vulnerability assessment much more than it did in the past, deploying products from Skybox Technologies and Qualys to determine which servers and desktops require patching and updates.

Hoff says he's interested in host-based IPS, too, but is waiting for prices to drop. Costs typically run into the hundreds of dollars for the software for each server that needs protection.

According to IDC, the market for IDS and IPS together - collectively known as intrusion detection and prevention (IDP) - is about $730 million, with host-based software generating roughly half as much as network-based software and hardware last year.

Several analyst firms, including Infonetics Research and IDC, say it's admittedly hard to figure out the exact number of blocking-capable IPS products that were sold in any year vs. IDS. This is because some of the larger IDP vendors, including ISS and Symantec, are reluctant to break this out. The reason often given is that IPS typically includes passive IDS functionality, and sometimes customers use IPS for passive monitoring or in a "mixed mode" where they block some traffic but monitor other portions.
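The "mixed mode" described above, where some rules block and others only alert, is easiest to see in code. The following is an added example, not code from the article or from any vendor's product: a small Python model of an inline sensor in which each rule carries its own action, so the same rule set can run as a passive IDS (all alert), a pure IPS (all drop), or a mix. The signatures, rule IDs and sample traffic are constructed for the demonstration; the ground-truth `is_attack` flag exists only to score the policy afterwards, since a real sensor never has it.

```python
"""Added example: per-rule alert/drop policy for an inline sensor.

The rules and traffic below are constructed for illustration; the signatures
are hypothetical, not a vendor's.
"""
import re
from dataclasses import dataclass, field, replace


@dataclass
class Rule:
    sid: int
    msg: str
    pattern: re.Pattern
    action: str  # "alert" = detect only (IDS mode), "drop" = block inline (IPS mode)


@dataclass
class Packet:
    src: str
    payload: bytes
    is_attack: bool  # ground truth, used only to score the policy, never by the sensor


@dataclass
class Verdict:
    forwarded: bool = True
    alerts: list = field(default_factory=list)


# Constructed rule set. Two mature signatures block; the newer, noisier SQL
# signature starts in alert mode because it also matches legitimate text.
RULES = [
    Rule(1000001, "Directory traversal in URI", re.compile(rb"\.\./\.\./"), "drop"),
    Rule(1000002, "NOP sled in payload", re.compile(rb"\x90{16,}"), "drop"),
    Rule(1000003, "SQL keywords in request body", re.compile(rb"(?i)union\s+select"), "alert"),
]

# Constructed sample traffic: two legitimate requests, two attacks.
TRAFFIC = [
    Packet("10.0.0.5", b"GET /index.html HTTP/1.0\r\n\r\n", False),
    Packet("198.51.100.7", b"GET /../../../../etc/passwd HTTP/1.0\r\n\r\n", True),
    Packet("10.0.0.9", b"POST /forum HTTP/1.0\r\n\r\nhow do I use UNION SELECT in MySQL?", False),
    Packet("203.0.113.4", b"\x90" * 32 + b"\xcc\xcc", True),
]


def inspect(packet, rules):
    """Evaluate every rule; one matching 'drop' rule is enough to stop the packet."""
    verdict = Verdict()
    for rule in rules:
        if rule.pattern.search(packet.payload):
            verdict.alerts.append((rule.sid, rule.msg, rule.action))
            if rule.action == "drop":
                verdict.forwarded = False
    return verdict


def score(traffic, rules):
    """Tally what a policy would do against traffic whose ground truth is known."""
    stats = {"blocked_attacks": 0, "passed_attacks": 0, "blocked_legit": 0, "alerts": 0}
    for pkt in traffic:
        verdict = inspect(pkt, rules)
        stats["alerts"] += len(verdict.alerts)
        if pkt.is_attack:
            stats["blocked_attacks" if not verdict.forwarded else "passed_attacks"] += 1
        elif not verdict.forwarded:
            stats["blocked_legit"] += 1
    return stats


def with_action(rules, action):
    """Force every rule into one mode: 'alert' is a passive IDS, 'drop' is a pure IPS."""
    return [replace(r, action=action) for r in rules]


if __name__ == "__main__":
    print("IDS (all alert):", score(TRAFFIC, with_action(RULES, "alert")))
    print("IPS (all drop): ", score(TRAFFIC, with_action(RULES, "drop")))
    print("Mixed mode:     ", score(TRAFFIC, RULES))
```

Run stand-alone, the pure-IPS policy blocks both attacks but also the forum post that happens to mention `UNION SELECT`, which is the kind of blocked legitimate traffic Hoff describes; the pure-IDS policy blocks nothing and lets both attacks through; the mixed policy blocks the two attacks, forwards the forum post, and still raises an alert on it so the noisy rule can be tuned before it is promoted to drop.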

Nevertheless, there's strong reason to believe IPS is gaining ground among enterprise customers, says Charles Kolodgy, research director for security products at IDC. He predicts that within a matter of a few years "IPS will eventually be the predominant technology."

IPS is selling better than IDS, confirms Clarence Morey, senior manager for product strategy at ISS, adding IPS is often preferred for the most mission-critical networks. ISS, which focused on software-based intrusion detection until the launch of its Proventia appliance line in mid-2003, declines to offer more detail on numbers. But in its latest quarterly legal filing at the Securities and Exchange Commission, ISS indicated that the Proventia line of IPS appliances accounted for 61% of product and license sales in the third quarter of this year, and 53% of sales revenue for the nine months of the year. ISS stated its nine-month revenue as $88.9 million, as opposed to $76.1 million for the same period a year ago. According to this statement, IPS has overtaken sales of traditional IDS.

IDC also points out that several of the top vendors in the IDP market - McAfee, NetScreen Technologies (which Juniper bought last year) and Top Layer Networks - generate their revenue through IPS products alone. IDC also cites the explosion of new market entries in the last six months as an indicator of growing demand for IPS.

On the host-based IPS side, eEye Digital Security's Blink software and products from start-ups such as Bodacion and Determina were introduced this year.

On the network-based IPS side, the new-product barrage came from start-ups such as Barrier Group, Beadwindow and Captus Networks. A few, such as Sentryware, offer network- and host-based IPS.

McAfee recently unveiled two new versions of its IntruShield IPS, the multi-gigabit models 4010 and 3000 with expanded ports for large corporations and ISPs.

Amid this cornucopia of IPS offerings, there's no shortage of early adopters willing to try network-based IPS to protect their networks through blocking.

"I look at it as a disaster-prevention element," says Eben Berry, manager of IS at managed healthcare provider Network Health in Cambridge, Mass., which serves 60,000 Medicaid recipients. The healthcare organization uses V-Secure's 100M bit/sec V-100 appliance at the perimeter to block attacks on its Web site.

Berry says the V-100 appliance doesn't rely on signatures to pinpoint attacks but instead monitors patterns of activity. On its internal LAN, Network Health deployed a different IPS: Juniper's NetScreen IDP-100, because it can filter on a bidirectional basis, something V-Secure's appliance only recently added.

Todd Woyke, engineer at Diversico Industries, a tool manufacturer in Minneapolis, decided to use Barrier Group's IPS after being blitzed repeatedly by dozens of computer worms and hackers that broke into servers. "So far, all I can say is we aren't seeing any intrusions," Woyke says, and adds he's sold on intrusion prevention.