Network Defense: Intrusion Prevention Systems
Here’s a quick network security quiz: When it comes to detecting and stopping IT threats, is it better to position intrusion prevention systems:
- On the network
- At particularly important devices on the network
- All of the above
For small businesses, the correct answer is “All of the above,” according to IT security specialists, who say more small businesses are figuring that out and installing IPS accordingly.
Network intrusion prevention systems (IPS) are hardware appliances that sit on a company’s intranet to inspect incoming Internet traffic and block anything malicious, be it a worm, virus, or spyware. IPS can also block attacks that originate inside an intranet. IPS complements firewalls, anti-virus software, and other security measures small businesses take to keep their networks safe, says Elisa Lippincott, a spokeswoman for TippingPoint, an Austin, Texas, IPS maker. “We have some customers using our box to protect their firewall,” Lippincott says.
By contrast, host IPS works at the device level, doing its job from inside a server, desktop or other machine attached to a network.
Although large companies have long relied on IPS for network security, more small businesses are starting to use it. They’re being propelled by technical upgrades that prevent the false alarms that previously dogged the appliances, as well as other improvements, such as behavior-based IPS that looks for traffic patterns that could signal an attack, according to security industry sources.
Small and mid-sized businesses are also being pushed toward IPS by industry regulations that require it, such as the PCI Security Standards Council’s Data Security Standard, a set of security measures that any company processing credit card payments has to follow, according to security industry sources. An updated version of the council’s standard is expected to debut this month. “We’ve seen tremendous interest down market driven by PCI” standards, says Michele Perry, chief marketing officer at Sourcefire, a Columbia, Md., network IPS vendor.
Depending on the size of the business, small companies either buy and set up IPS themselves, or subscribe to it as an add-on from their firewall vendor. They can also purchase it from a regional or national managed security services provider (MSSP) such as or Clone Systems, or from a business broadband carrier such as Verizon Business.
Network IPS and host IPS
Whichever way they go, small businesses should consider using both network and host IPS. Network IPS should come first because it casts the widest net, says Greg Young, research vice president with Gartner, the Stamford, Conn., technology researcher. With network IPS, if a virus is detected, the system will block traffic long enough to allow IT staff to make sure anti-virus software is up to date on individual workstations, says Lippincott, the TippingPoint spokeswoman. Another advantage of network IPS: since it’s installed on the network, it doesn’t slow down individual devices’ computing speed the way host-based IPS could, Lippincott says.
However, host IPS is a smart option for machines where critical information is stored, or for devices that have to reside outside a company’s firewall, such as servers used to handle online credit-card transactions. Host IPS is the only way to protect devices like laptops that leave the network, says Sean Martin, a vice president at SkyRecon Systems, a French maker of host IPS solutions. Host IPS also makes sense in situations where a company can’t put new devices on a network but can change what’s on a server, Gartner’s Young says. But put it on the network first, he says. “Threats come through the network first so stop them there first.”
IPS prices range from free open source products such as Snort, which has been downloaded 3 million times, to tens of thousands of dollars for applications for mid-sized businesses running multiple Internet traffic-intensive applications for hundreds of users. Or companies can pay by the month or annually for IPS from an MSSP or other third party.
Whether it’s network-based or host-based, small businesses need IPS, maybe even more than larger companies, Young says. “Worms don’t discriminate.”
Sidebar: Intrusion Prevention Systems for Small Businesses
The following vendors offer network or host IPS for small businesses as stand-alone products or part of a multifunction security solution:
- Check Point Software Technologies -- The UTM-1 product line includes firewall, VPN, IPS, gateway antivirus, anti-spam, URL filtering, and IM and peer-to-peer blocking and is marketed primarily to the top end of mid-sized companies and branch offices of large companies.
- Cisco ASA Advanced Inspection and Prevention Module -- An IPS hardware appliance for Cisco routers. According to Gartner’s June 2008 report on multifunction firewalls for small and mid-sized businesses, Cisco has struggled to adapt enterprise-scale hardware to small businesses, but the report says a long-term road map for an improved small business console “is encouraging.”
- Fortinet -- A multifunction firewall appliance with antivirus, anti-spam, URL filtering, and IPS services offered by annual subscription after the first year.
- Secure Computing SnapGear -- A multifunction network security device for small and mid-sized businesses. In late September, Secure Computing agreed to merge with McAfee, which offers the McAfee Network Security Platform.
- SkyRecon Systems -- Offers host IPS as part of a unified endpoint security solution.
- SonicWall -- The multifunction network device maker offers IPS as an add-on to its TZ series for small and mid-sized businesses.
- Sourcefire -- The commercial version of a pioneering open-source network IPS created by programmer Martin Roesch in 1998. “Snort is the engine and Sourcefire is the whole car put together,” says Perry, Sourcefire’s chief marketing officer.
- TippingPoint -- Offers a behavior-based network IPS hardware appliance.
- WatchGuard Technologies -- Offers a subscription antivirus and IPS service for its X Core E-Series multifunction network security devices for small and mid-sized businesses.