Anyone keeping track of the security vendor/technology hype knows that IPS
has quickly replaced IDS as the “next big thing”. Depending on who you are,
you may chalk this up to yet another infosec fad, or you could be of the
opinion that IPS is actually making good on the promises that IDS never
lived up to. I think it can be both – depending on your situation.
What NIPS Isn’t
First and foremost, NIPS is not a tool for stopping elite crackers. That may
be how it’s being marketed, but it’s crap. If you’re the type to fall for
that sort of hype then you’re probably in a lot more danger than any given
technology can help you with.
A Simple Question
Whether IPS is worthless or a godsend to your organization hinges on a
single question – “How good is your organization at staying patched?” This
is the one question organizations need to ask themselves when considering
network intrusion prevention technology.
This question matters because NIPS only protects you against
vulnerabilities that you could already mitigate by applying patches and/or
implementing other controls. If you are a relatively small organization with
a highly technical administrative/security staff that keeps your systems
constantly patched and locked down, a network IPS can’t offer you much of
anything. Despite claims to the contrary, a network IPS is about as good at
stopping zero-day attacks as wordpad.exe.
Remember, stout security teams know their systems. They read advisories
daily and know what’s in the wild and what’s likely to be there soon. A team
like this can more than likely patch their systems and/or mitigate the risk
to their organization in other ways before a NIPS vendor can release a
signature for their product. The benefit gained from someone blocking
exploits at the perimeter at that point is virtually null. In short,
anything that’s going to compromise a fully patched and locked down system
is going to walk right through a NIPS as well.
Help, I Can’t Keep Up!
The true benefit of network IPS lies in what it can do for companies that
can’t keep their systems patched. This may sound negative, but requesting
NIPS technology is almost an admission that the requestor cannot stay on top
of system administration.
For anyone willing to make this admission, however, the benefits of network
IPS are quite significant. Consider a medium to large sized company where
upper management doesn’t see the need for additional (read: enough) systems
and/or security administrators. (This shouldn’t require much imagination, by
the way.)
In an environment like this, vulnerabilities are likely to go unpatched for
weeks, months, or even years – even in the Internet-facing areas. Many
things can lead to machines not getting patched in these sorts of companies
– developers claiming that the main bread-winning app will break if the
patches are applied, administrator fear of being the cause of downtime,
apathy, stupidity – take your pick.
The point is, a strategically-placed network IPS – say in front of the
Internet-facing environment – can do something absolutely magical for a
systems/security staff – it can buy them time. Consider a site passing a ton
of traffic into their DMZ via multiple protocols to dozens or hundreds of
machines, and let’s say several of the applications being interfaced with
have known vulnerabilities. If the person in charge knows that they lack the
ability to patch all the vulnerable systems (inexcusable, I agree), then the
NIPS system can effectively serve as a multi-patch gateway.
If the NIPS product has a signature for 34 of the 42 exploits that could
potentially root 180 machines, then putting a network IPS at the bottleneck
becomes an alternative to 1. getting cracked, and 2. patching. Make no
mistake, though – patching is the better solution, but I recognize that
there are sometimes circumstances that prevent good admins from doing their
jobs. There are also situations where someone who knows the risks lacks the
funding to bring admins aboard that can help them keep their systems in top
shape. For either of these cases, network IPS seems like an acceptable evil.
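To make the “multi-patch gateway” arithmetic concrete, here is an added example (not code from the original post) that takes a constructed DMZ inventory of unpatched vulnerability IDs per host and the constructed set of vulnerabilities the NIPS has a signature for, then reports what the NIPS covers, which hosts remain exposed, and which vulnerabilities to patch first. The vulnerability IDs are placeholders, not real identifiers.

```python
"""Residual-exposure check for a NIPS used as a stop-gap "multi-patch gateway".

Constructed example: HOST_VULNS and NIPS_SIGNATURES are made-up data, and the
VULN-xx IDs are placeholders rather than real vulnerability identifiers.
"""
from collections import defaultdict

# Constructed inventory: host -> set of vulnerability IDs still unpatched on it.
HOST_VULNS = {
    "web-01": {"VULN-01", "VULN-02"},
    "web-02": {"VULN-01", "VULN-03"},
    "mail-01": {"VULN-04"},
    "app-01": {"VULN-02", "VULN-03", "VULN-05"},
}

# Constructed NIPS signature coverage: vulnerability IDs the sensor can block.
NIPS_SIGNATURES = {"VULN-01", "VULN-02", "VULN-04"}


def residual_exposure(host_vulns, signatures):
    """Return {host: sorted vulns with no NIPS signature}; fully covered hosts are omitted."""
    residual = {}
    for host, vulns in host_vulns.items():
        uncovered = sorted(vulns - signatures)
        if uncovered:
            residual[host] = uncovered
    return residual


def patch_priority(host_vulns, signatures):
    """Rank uncovered vulns by how many hosts they leave exposed, highest first."""
    counts = defaultdict(int)
    for vulns in residual_exposure(host_vulns, signatures).values():
        for v in vulns:
            counts[v] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_summary(host_vulns, signatures):
    """Return (vulns with a signature, distinct vulns, hosts fully covered, total hosts)."""
    all_vulns = set().union(*host_vulns.values())
    residual = residual_exposure(host_vulns, signatures)
    return (len(all_vulns & signatures), len(all_vulns),
            len(host_vulns) - len(residual), len(host_vulns))


if __name__ == "__main__":
    print("coverage (sigs/vulns, hosts covered/total):", coverage_summary(HOST_VULNS, NIPS_SIGNATURES))
    print("still exposed behind the NIPS:", residual_exposure(HOST_VULNS, NIPS_SIGNATURES))
    print("patch first:", patch_priority(HOST_VULNS, NIPS_SIGNATURES))
```

The residual list is the part of the problem the NIPS does nothing about, which is why the sensor buys time rather than replacing the patch cycle.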
Conclusion
So that’s the gist of it – if you keep your systems up to date and have a
solid security team, NIPS is nearly worthless. The things you need to worry
about are layering your defenses and preparing for the exploits you don’t
know about.
If, however, you’re not getting support from management and you know you’re
unable to keep your systems patched like you should – a network IPS may be
something to look into. It’s a band-aid, to be sure, but if it keeps your
company out of the papers then it very well may be worth it.