Network Computing is part of the Informa Tech Division of Informa PLC

Why You Need A New-Generation Intrusion Protection System

Signature-based Intrusion Prevention Systems (IPSs) are being out-evolved. New vulnerabilities and new exploits provide attackers with a window to launch fast-spreading worms and malware that blow by signature-based detection systems. Enterprise networks are vulnerable until their IPS vendors capture, analyze, and identify the new attack. And while new signatures can be deployed within hours, that's still too slow in the age of SQL Slammer, a Windows worm that doubled the number of compromised hosts every 8.5 seconds and infected approximately 75,000 computers in 30 minutes.

The fact is, today's threats have advanced beyond the capabilities of signatures to address them alone. IPS vendors, especially those in the Host-based IPS (HIPS) field, are stepping up to the challenge with a range of technological approaches that close this window of vulnerability.

Venerable server and desktop HIPS technology from Cisco Systems, McAfee, and Sana Security can monitor host behavior at the kernel level and shut down processes that tip toward malicious or unwanted actions. These products, with their ability to stop both known and unknown attacks without the use of signatures, represent the incumbent HIPS technology today.

However, a new generation of products is emerging to challenge the notion that any piece of software can effectively discern bad behavior from good. These upstart HIPS products, also aimed at servers and desktops, take a variety of approaches, including enforcing essential programming conventions to prevent buffer overflows, creating a protected subsystem to run untrusted programs without affecting a host's critical files or registries, and implementing strict enforcement agents that only allow approved executables to run. These products also avoid some of the problems of behavioral analysis, such as the need to train and retrain agents and the risk of false positives.
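The "strict enforcement agent that only allows approved executables to run" is the easiest of these approaches to show in code. The following is an added illustration written for this page, not code from any vendor named above; it models the agent's decision as a default-deny allowlist keyed by the hash of the executable's contents rather than its path, so a binary replaced in place at an approved location is still blocked. The paths and image bytes are constructed stand-ins, and a real agent would take these events from a kernel exec hook rather than a Python list.

```python
"""Hash-based execution allowlist (added example; not a product's own code).

A kernel-level HIPS agent would intercept every exec() and ask this policy
whether the image may run; here the exec events are constructed in-process."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ExecEvent:
    path: str      # where the process image lives on disk (constructed)
    image: bytes   # constructed stand-in for the executable's on-disk bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Map each approved path to the hash of its approved image."""
    return {path: sha256_hex(image) for path, image in approved.items()}


def decide(event: ExecEvent, allowlist: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason). Default deny: anything not listed is blocked."""
    expected = allowlist.get(event.path)
    if expected is None:
        return "DENY", "path not in allowlist"
    if sha256_hex(event.image) != expected:
        # Same path as an approved program, different bytes: tampered or replaced.
        return "DENY", "image hash mismatch (binary modified or replaced)"
    return "ALLOW", "hash matches approved image"


def run(events: List[ExecEvent], allowlist: Dict[str, str]) -> List[Tuple[str, str, str]]:
    return [(e.path, *decide(e, allowlist)) for e in events]


# Constructed sample: two approved programs, one later tampered, one unknown.
APPROVED = {"/usr/bin/ssh": b"ELF-ssh-v1", "/opt/app/server": b"ELF-server-build-42"}
ALLOWLIST = build_allowlist(APPROVED)
SAMPLE_EVENTS = [
    ExecEvent("/usr/bin/ssh", b"ELF-ssh-v1"),                          # approved, unchanged
    ExecEvent("/opt/app/server", b"ELF-server-build-42-MODIFIED"),     # approved path, altered image
    ExecEvent("/tmp/dropper", b"MZ-unknown"),                          # never approved
]

if __name__ == "__main__":
    for path, verdict, reason in run(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{verdict:5} {path}: {reason}")
```

The trade-off the article goes on to discuss shows up directly here: every legitimate update to an approved binary changes its hash and must be re-enrolled, which is the operational cost of avoiding behavioral training and false positives.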

Both the incumbent and start-up technologies aren't attempting to get rid of signature detection, but they do provide what signatures can't--namely, advanced protection against unknown exploits, extra layers of defense for critical servers and desktops, and protection for assets during the lag time between newly announced vulnerabilities, patch releases, and patch deployment. That said, these products all have drawbacks that architects must consider when evaluating a HIPS solution to bolster existing defenses.