Richard Stiennon Intrusion Detection Is Dead, Long Live Intrusion Prevention These materials can be reproduced only with Gartner’s written approval. Such approvals must be requested via e-mail — firstname.lastname@example.org.
Counter to the philosophy that it is impossible to protect a network from all of the attacks leveled against it, the enterprise protection model includes elements to make the inside of an enterprise "hard and crunchy." This includes firewalls and switches to segment the network, access controls to protect applications and data, encryption to protect data, anti-virus, and vulnerability scanning and remediation.
The firewall market became real with the introduction of the first stateful inspection firewall. Every enterprise connecting to the Internet needs a perimeter defense that blocks access to key services and resources from any but approved sources. Connection-based blocking is not enough. Every exposed Web application faces attacks on multiple fronts, including authentication, Web server vulnerabilities, application vulnerabilities and denial of service attacks.

At the same time there has been a theory that the number of vulnerabilities and of savvy hackers will always mean that protection is not possible, thus justifying the need for constant monitoring.

Watch as four segments of the IT security field converge at the top of "network security nirvana." Application defense products from Sanctum, Stratum8, Array Networks, Ingrian, Fortinet and NetContinuum are focused on plugging the port 80 hole in the firewall. To do this, their products must look deep into every session for common attack signatures, such as those associated with Code Red or Nimda. Applying rules to the packet stream is a firewalling function carried out to its logical extreme. To do this, the devices must terminate Secure Sockets Layer (SSL) sessions.

Content switching vendors such as F5, Bluecoat (formerly Cacheflow) and others have long been able to look at packet payloads. These vendors are also approaching the goal of a single security device that load balances, routes content and applies rules based on content while handling SSL session negotiation.

Strategic Planning Assumption: By 2005, 90 percent of Global 200 gateway firewalls will do 100 percent deep packet inspection, allowing them to block application attacks (0.8 probability).
Firewalls have always done a good job of defending the network perimeter. However, there has been a perception that they were not enough: wily hackers could slip by the simple rule sets or the misconfigured policies in a firewall. IDSs were proposed as the suspenders in the "belt-and-suspenders" approach to perimeter defense.

Intrusion detection poses a problem for most IS departments. IDS agents have to be monitored 24x7 to be effective. IS departments dabbled in IDS but were aghast at the level of constant support it needs. This gave rise to the managed security service market. Network IDS vendors are in a constant scramble to decrease false positives while increasing throughput.

Products have been developed that approach the problem of internal defense from a more logical standpoint. A security administrator would rather install agents that act to protect the hosts and networks on which they reside than agents that merely report when malicious activity is occurring. Intrusion prevention is not an easy task. It still requires efficient detection of malicious attacks. Well-designed network agents should use a combination of signature matching, protocol anomaly detection and traffic analysis to minimize false positives. The concept of state awareness will allow network agents to scale to the multigigabit speeds needed. They should be in line to allow them to drop sessions. Host intrusion-detection agents should lock down the OS and applications that reside on them. Violations of policy at the system call or network layers should be blocked.
The intrusion detection market is at a turning point in its evolution. Network-based intrusion detection performance problems have caused enterprises to reconsider large investments in widespread internal deployment and limit deployment to a small number of sensors on the perimeter of the trusted network. Host-based intrusion detection eliminates many of the problems that network-based IDSs face, but it suffers from the enormous expense of ensuring that every corporate server always has IDS software installed and operational. Increases in network processor performance, advances in algorithms to reduce false alarms and innovative thinking by new market entrants will drive the IDS market toward blocking attacks, rather than simply detecting them. Although Internet Security Systems continues to hold a leadership position, it has decreased in execution; Cisco has increased its position on both axes (Ability to Execute and Completeness of Vision). Cisco leveraged its strong networking position with its IDS blade architecture to enable clear segmentation of device control and correlation. Enterasys Networks greatly advanced its Dragon product in the market, but its recent corporate problems have called into question its stability as a solution provider in the long term. Gartner has seen a significant penetration in the MSSP space and a strong focus on this space by Enterasys. Enterasys’ lack of firewall integration will continue to limit a rounded security offering in its Secure Harbour solution.
High-speed and highly available Web application systems rely on content switching to deliver Web documents and services consistently. The content switching providers, namely, Cacheflow, Cisco (Arrowpoint) and F5, needed to produce hardware appliances that were aware of HTTP headers and URL information. This means that these devices already have the ability to inspect the packet payloads needed to do Layer 7 defense. Cacheflow was the first to recognize the security implications of its technology and underwent a name change to reflect that. F5 is marketing a 100 percent inspection engine, looking for partners with the security domain expertise to leverage its technology. Cisco is apparently waiting in the wings. As a leading firewall vendor (PIX), Cisco will be the slowest to respond to an inflection point in the firewall market. Strategic Planning Assumption: By 2005, 90 percent of enterprises that use content switching will also make use of security features in these devices (0.7 probability).
The often-referenced hole in the enterprise firewall is the rule that allows any source IP address to reach the Web server over port 80. This means that the Web server is left to its own devices and is exposed to the Internet with no protection. This leads to many attacks, including Code Red and Nimda, which targeted specific vulnerabilities. Application defense providers such as Array Networks, Ingrian, Stratum8, NetContinuum and Fortinet have recognized, first, that they have to add more features such as SSL termination and authentication, and, second, that deep packet inspection is required to apply rules to the content stream of a connection. They start to look a lot like the content switches at this point. Using the technology developed to provide mostly Web defense, but looking forward to protecting against XML-based attacks (as PowerData's products do), all these vendors must take the next step: apply rules to all network traffic protocols, not just HTTP. At that point, these devices become deep packet inspection firewalls. Strategic Planning Assumptions: None of the network application firewall vendors will survive beyond 2005 as stand-alone entities (0.6 probability). By 2005, network application firewall vendors will evolve into broader gateway defenses or be acquired by the firewall vendors (0.6 probability).
Firewalls are the most-effective defense against cyberintruders on the network, and they are becoming increasingly better at blocking network-based attacks. Stages in firewall evolution include:

Access control lists: Routers and gateways make decisions based on source and destination IP addresses, as well as the protocol that a connection is attempting to use. Each protocol is associated with a different port number — for example, port 80 for HTTP or port 110 for Post Office Protocol. Many gateways simply block all access, with exceptions for standard protocols such as HTTP for Web access and Simple Mail Transfer Protocol for e-mail. However, attack applications can be tunneled over port 80 to circumvent the firewall.

Application proxies: There is vendor-induced confusion regarding the relative security levels that are provided by application proxies vs. other methods. An application proxy firewall is a software application that runs on a server between a network and the server — for example, an HTTP proxy for a Web server.

Deep packet inspection firewalls: These are the next evolutionary step in firewall development.

Strategic Planning Assumption: By 2006, enterprises that rely only on proxy or stateful packet inspection will experience successful application-layer attacks at twice the rate of enterprises that use leading deep packet inspection approaches (0.6 probability).
During the first half of 2000, CheckPoint maintained leadership across the major firewall segments (enterprise and appliance) and continued to introduce features that network security managers require. CheckPoint's major challenges are securing even support through value-added resellers (VARs) and overcoming pricing competition from emerging vendors. Cisco increased its challenge to CheckPoint by broadening the PIX line of firewalls to the high and low ends. Gigabit throughput is claimed on the high end. However, Cisco lags significantly in integration to third-party products and in the capabilities to manage multiple firewalls. Microsoft introduced Internet Security and Acceleration Server for Windows 2000. This is a very robust feature set that may lead to problems. Symantec has done a good job of enveloping and supporting Axent's security products. Netscreen continues to succeed at the high end "in the cloud." Appliance firewalls are being challenged from below by small office/home office (SOHO) solutions from Linksys and others. Enterprises should evaluate firewall products by looking at the provisions for managing multiple firewalls, integration to other best-of-breed security products and coverage across the major firewall segments. Source: Gartner Research
Source: Gartner Dataquest
Recommendations
Delay large investments in IDS and event management
Pilot application defense and network IPS products
Harden key servers
Lock down access control
Security Forum ATC July 24, 2003
The Gartner IT Security Director Membership Program
John Pescatore and Richard Stiennon on “The Death of IDS”
Rich Mogull on the California data privacy law
Intrusion Detection Is Dead, Intrusion Prevention Is Still-born, the Firewall Is Re-born
Richard Stiennon
Enterprises are moving toward “hard and crunchy” on the inside
Gateways and firewalls are finally plugging the holes
The intrusion detection system is at the end of its life; we are winning the arms race with hackers.
The Enterprise Protection Model
Firewalls
Vulnerability Assessment
Network Intrusion Prevention
Host Intrusion Prevention
Antivirus
Security Management
The Four Paths to Network Security Nirvana
IDS
Firewalls
Content Switching
Application Defenses
IDS Giving Way to IPS
IDS: mountains of data, hours of labor, heaps of alerts, false positives, incident response nightmares
Intrusion Prevention: drop protocol attacks, block known attacks, less time tracking down "what happened?"
IDS Magic Quadrant 1H02 (from "Intrusion Detection System 1H02 Magic Quadrant," 1 August 2002; as of June 2002). Axes: Completeness of Vision, Ability to Execute. Quadrants: Leaders, Challengers, Visionaries, Niche Players. Vendors plotted: Symantec, Cisco Systems, Enterasys Networks, Tripwire, Recourse Technologies, Internet Security Systems, NFR Security, Entercept Security Technologies, Intrusion.
The Firewall Vendors Miss the Inflection Point
"Hey, wait for me!"
1H03 Firewall Magic Quadrant (as of 6/03). Axes: Ability to Execute, Completeness of Vision. Quadrants: Challengers, Leaders, Visionaries, Niche Players. Vendors plotted: Toplayer, Secure Computing, Microsoft, Cisco Systems, Symantec, Check Point, SonicWALL, NetScreen, TippingPoint, Intruvert (NAI), NetContinuum, Fortinet, Teros, F5, Bluecoat, iPolicy, Kavado, Mazu, Array, Sanctum, Whale, Radware, Watchguard.
Convergence, Really
Definition: A deep packet inspection firewall assembles (normalizes) packets and inspects them for compliance with a set of rules.
Rule classes:
Source/Destination/Service
Attack Signature
Protocol Anomaly
Behavior
Antivirus
Custom content inspection
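As an added illustration of the rule classes just listed and of the "any source to the Web server over port 80" hole described earlier (example code written for this page, not Gartner's or any vendor's), here is a toy Python deep packet inspection engine that applies source/destination/service, attack signature and protocol anomaly rules to reassembled HTTP requests. The policy, the simplified worm signatures, the URI limit and the sample traffic are all constructed for the example.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport payload")   # one reassembled request

# Rule class 1: source/destination/service. A port-based ACL stops here, which is
# the "any source to the Web server over port 80" hole the talk describes.
ACL = {("any", "203.0.113.10", 80)}          # constructed example policy

def acl_allows(p: Packet) -> bool:
    return any(d == p.dst and port == p.dport for _, d, port in ACL)

# Rule class 2: attack signatures. Simplified, constructed patterns for the two
# worms the talk names (Code Red's /default.ida probe, Nimda's root.exe/cmd.exe).
SIGNATURES = {
    "code-red": re.compile(rb"^GET /default\.ida\?"),
    "nimda": re.compile(rb"(cmd|root)\.exe\?", re.IGNORECASE),
}

# Rule class 3: protocol anomaly. Judge the request line against what HTTP/1.x
# permits (known method, bounded URI) rather than against a specific attack.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (/\S*) HTTP/1\.[01]\r\n")

def protocol_anomaly(payload):
    m = REQUEST_LINE.match(payload)
    if not m:
        return "malformed request line"
    if len(m.group(2)) > 1024:               # constructed limit; real engines tune this
        return "oversized URI"
    return None

def dpi_verdict(p):
    """Apply the rule classes in order and return (action, reason)."""
    if not acl_allows(p):
        return "drop", "acl"
    for name, sig in SIGNATURES.items():
        if sig.search(p.payload):
            return "drop", "signature:" + name
    why = protocol_anomaly(p.payload)
    if why:
        return "drop", "anomaly:" + why
    return "allow", "clean"

# Constructed sample traffic: the ACL admits all four; DPI allows only the first.
SAMPLES = [
    Packet("198.51.100.7", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("198.51.100.9", "203.0.113.10", 80, b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "203.0.113.10", 80, b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("198.51.100.9", "203.0.113.10", 80, b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n"),
]
```

Every sample passes the port-based ACL and only the clean request survives the content rules, which is the gap between connection-based blocking and deep packet inspection that the talk describes.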