What is This Thing Called "IPS"?
As a security professional with over 10years of experience in both government and private industries, I amstill surprised at how little awareness the industry has about thetechnology, intent, and challenges surrounding intrusion prevention. Iintend to use this blog (and others moving forward) to lay out a basicunderstanding of what this thing called "IPS" is, from an analyst'spoint of view. Firstly, let's start with some simple explanations andlay to rest the history of the differences between the terms "IPS" and"IDS". I often hear these words used interchangeably in conversations,meetings, papers, and email threads; yet, there is a clear differencein these terms, based on the evolution of the technology.
In the early days of network traffic pattern patching, intrusiondetection software (IDS) was used to match a set of specified stringswithin a network stream and alert and/or log the event for the user.This information was used by system administrators to detect cleartextpasswords and confidential phrases, perform minimal malware searching,and execute other basic tasks. In the early generations of thistechnology the pattern-matching engines and signature language werevery basic, resulting in simple signatures. This technologygap—combined with the inability of IDS to do anything more than justlog events—gave it a bad name. As a result, we often heard commentslike "it creates too much noise," or "it just generates a bunch ofFPs," or "it’s too expensive to maintain because of the logs." We stillhear a lot of this today and in many ways it’s true because of the lackof understanding.
Now, fast forward three generations of this technology. Today,across the commercial software industry, these pattern-matching engineshave been adapted for host-based solutions and have become much faster.The signature languages are vastly more expressive than the early yearsand in some cases can resemble a full-blown programming language. Manyvendors are even performing file-based and protocol-based decoding, inmuch the same way antivirus vendors did in the early days with filedecomposition. In addition, many vendors are finding creative ways ofpreventing false positives from occurring before signatures arereleased. Some of these methods include dedicated proactive networktraffic collection systems, signature linkages with host-based data(for example, ties to the originating application .exe or .dll), andeven some use of confidence ratings that are based on secondary engines(for example, antivirus or spyware programs).
As the technology matured and signatures became much more confidentand efficient, it was realized that the age-old idea that IDS was meantfor just logging would soon be washed away. The industry had finallyrealized that IDS should be blocking and preventing these patterns,rather than just logging them! Hence, the idea of intrusion preventionsystems (IPS) was born. Of course, the same concerns about falsepositives are still around, but on a volume basis, false positivenumbers have dropped off sharply. Many commercial vendors are seeingcustomer reports of false positives drop down into the single digits ona monthly basis. This is a massive shift in efficiency from its rootsas a basic string matching technology.
Just like any other immature technology, IDS received a bad rap fora long time—mostly from shortsighted, “my glass is half full”,so-called experts who can only see what can't be done, rather than whatcan be. In an almost complete about-face, these days I often seerequests come through, not for false positive inquiries and criticism,but for faster and broader IPS coverage against vulnerabilities,spyware, unwanted applications, and other threats that travel over thenetwork. Someday soon, IPS will see the same shift in demand forresponse times that antivirus has experienced.
As I sit back and watch these new content engines come online, it’sfunny to see them going through the same hurdles IDS went though yearsago. For users of these and any other immature technologies, I say “bepatient” and realize that identifying the problem only creates the needfor a solution and no matter how much these "experts" of today cryfoul, they all know that these technologies are here to stay, for now,and mature like any other solution.