Security Watch: Don't Get Bitten by NIPS Hype
Network intrusion prevention is not revolutionary technology; it's evolutionary, and its mutation is far from over.
June 10, 2003
Putting aside the vendor's obvious confusion about what the term risk means to most veteran security professionals, the casual reader might wonder what these products actually do. Will they patch my systems? Fix my vulnerable e-commerce applications? Maybe train my developers? How about eliminate my internal threats? Audit my logs? Alleviate my authentication woes?
Or will these products simply sit inline, run my network traffic through a set of inspection algorithms--the same technology base that has my NIDS (network-based intrusion-detection system) devices burying me in false alerts, by the way--and attempt to block bad network streams?
Truth be told, the message is both sexy and horribly misleading. These products don't eliminate your vulnerabilities, they just help stop certain types of attacks. Although there's nothing wrong with a tactical solution that adds a layer to your defenses, let's call a spade a spade: This isn't revolutionary technology; it's evolutionary, and its mutation is far from over.
Clearing the Air
Let's examine some of the predominant factors swirling around the great NIPS debate.
First, device placement. January's MS SQL worm outbreak was a painful demonstration of the liability of unpatched internal systems. Few organizations realized that MSDE (Microsoft SQL Server Desktop Edition) was vulnerable and that it was installed on so many desktops. The subsequent MSDE infections wreaked internal havoc that could not be addressed by perimeter-centric security.
Relying on a NIPS to prevent all attacks is impractical and foolhardy. These devices have geographic restrictions, so unless you have NIPS boxes in front of everything--both internal and external assets--you'll get limited benefits from the technology.
Second, jurisdiction. Does the team that manages your firewalls also manage the IDSs? If so, you're good to go with a NIPS device. If not, you'll have to decide who will manage them--the firewall team or the IDS team. Will NIPS devices be used for network access control, policy compliance or both? Will they provide tangible value or become a new forum for some of the most high-tech finger-pointing contests you can imagine?
Third, cost-effectiveness. If your network access-control devices aren't doing the job, shouldn't your firewall vendor step up to the challenge? Do you really want to pay for both a firewall and a NIPS? If you have a high-availability environment, would you be expected to buy two or more devices for each pair of firewalls? Given current economic conditions, we want fewer devices, not more.
Finally, technological challenges. We're talking about a technology that's close kin to NIDS devices, which are young and infamous for overwhelming their operators. Add to that the need for mature state tables and low-latency forwarding, toss in the ability to proactively sabotage your production network traffic, and you've got the recipe for the disaster I was talking about.
Although I may sound cynical, I'm actually bullish on network intrusion-prevention technology ... in the form of better firewalls. I'm not buying into the shock marketing being spewed by vendors, and neither should you. NIPS is no silver bullet. It's the by-product of industry shortcomings, and you should view it as such.
Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Write to him at [email protected].