Monday 13 February 2012

Eight questions to ask about your intrusion security solutions.

The number of vulnerabilities found in networks is reaching an all-time high, so high that network intrusion security has become something of a boardroom priority. With so much at stake, it’s important to carefully evaluate your options when selecting an intrusion security system for your specific business.

This helpful resource uncovers eight (8) essential questions to ask your intrusion security system vendor before you commit:
1.  Is your intrusion security solution in-band?

In-band security, while essential, is merely the price of admission for network security. But it doesn’t guarantee network uptime and performance, or that your security coverage will be broad, accurate and up-to-date. Prevention systems must be designed from the ground up to provide both high-performance networking (availability and throughput) and high-performance security (broad, accurate, up-to-date coverage). Detection systems were never designed to be networking devices.

2.  Does your intrusion security solution support maximum network and application availability?

Your network shouldn’t go down just because one of your in-band security devices fails. Your intrusion
security system should ensure that network traffic always flows at wire speeds, even in the event
of a network error, internal device error, or even complete power loss.

3.  Does your intrusion security solution offer the performance needed to deeply inspect traffic without slowing down your network or business applications?

There are two components to network performance: throughput and latency. First, as the intrusion security devices perform checks on each packet, the security system must run at a speed equal to the network segment in which it is installed. In other words, in-band security devices should offer switch-like throughput and speeds of up to 10 Gb/s to support new 10 Gb/s networking. Second, intrusion security systems should have low latency: the packet delay should be no more than 100 microseconds, regardless of the number of filters applied.

4.  Does your intrusion security solution protect not just your network perimeter but also key points in the core of your network?

The notion of placing intrusion prevention systems only at the WAN perimeter is quickly becoming
outdated because there are simply too many entry points into modern networks. There is a very diverse
set of assets located at a variety of locations within the network, and each of these network locations
has different performance requirements. What’s more, attacks can come from inside the network as
well as from outside. Therefore the need to inspect and remove malicious traffic at high throughput traffic points has never been greater. Network-intrusion devices should be placed not only at the perimeter but also between major network segments and in front of data centers and demilitarized zones.

5.  Does your intrusion security solution provide attack coverage that is broad and deep?

The number, variety, and sophistication of security attacks are multiplying each year, so the coverage of your prevention system must be broad and deep. This means that your IPS (Intrusion Prevention System) should be able to stop all kinds of attacks, including worms, viruses, Trojans, denial-of-service attacks, peer-to-peer bandwidth floods, spyware, phishing, cross-site scripting, SQL injections, PHP file includes, VoIP attacks, and more.

In order to stop all known and new unknown attacks that target operating system and application
vulnerabilities, your security system must also provide the latest vulnerability filters. These
vulnerability filters act like a “virtual software patch,” preventing all known and unknown attacks
on the software vulnerability. However, identifying application vulnerabilities and developing filters to
close them requires a sophisticated security research team that is focused on vulnerability research.

6.  How accurate is your attack coverage? Does it block bad traffic without blocking good traffic?

Your IPS attack coverage must not only be broad and deep, it must also be highly accurate.
Otherwise, it could block good traffic (known as false positives) or allow bad traffic (known as false
negatives). The ability to design highly accurate filters that block a broad range of malicious traffic
types is extremely critical for any intrusion security vendor. In fact, one might argue that an IPS is only
as good as the filter set it has enabled to block malicious traffic from entering your network.

7.  How timely and up to date is the attack coverage?

Attack protection that comes too late is no better than no attack protection at all. How, and how often, does your security vendor update its filters? And does your security vendor have the researchers and expertise needed to constantly identify and protect against emerging threats, even before vulnerabilities are discovered by software companies?
A good example is HP TippingPoint DVLabs, a world-renowned security research organization
that was recently recognized as the fastest-growing discoverer of new security vulnerabilities, and
for having industry leadership in the percentage of Microsoft® vulnerabilities discovered, as well as holding the lead in high-severity vulnerability discoveries. In fact, in the last four years, DVLabs’
Microsoft vulnerability filters have been delivered on average 52 days before the Microsoft patches
became available.

8.  Can your security vendor refer you to customers who are running in-band prevention devices with a high percentage of filters turned on?

It’s easy to talk about intrusion prevention, but can your vendor prove that it offers effective IPS in a real-world environment? Ask your vendor to put you in contact with multiple customers who are running in-band devices designed to block unwanted traffic. Be sure to ask reference customers not only about the total number of filters deployed but also about how many are turned on to block rather than just alert. Fewer filters in block mode might mean the vendor is not confident that its filters will minimize false positives. Then ask the reference customer how many attacks the systems have prevented. With this information, you’ll discover whether the vendor is trying to sell retrofitted detection systems or systems that are designed from the ground up to prevent attacks.




Thursday 2 February 2012

Malicious Android applications.


Symantec is warning users of Android smartphones about a new group of malicious applications on the Android Market that contain a Trojan designed to steal information and possibly open a back door on Android devices.
This has been an ongoing situation since the first quarter of 2011 and, according to Symantec, the malicious code was found in most of the Android applications written by iApps7 Inc. and Ogre Games.



The applications contain the Trojan, which, once installed, is designed to be a “bot-like threat that can receive commands to carry out certain actions as well as steal information from the device,” wrote Irfan Asrar, a researcher with Symantec Security Response. The malicious applications ask users for a variety of permissions, including access to information about networks, GPS location, and read/write access to the user’s browsing history and bookmarks.


Victims with an infection will see a search icon on the home screen. In addition to stealing the device’s MAC address, SIM serial number and IMEI number, the Trojan can download additional files and display advertisements. Haley said the stolen data could be used to clone the phone and make long-distance calls. The more interesting piece, according to Haley, is the ability of the cybercriminals to run adware on the phone and download anything they want onto the phone, including additional malware.
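As an added example (not from the post, from Symantec, or from the applications it names), here is a small triage script that parses an app’s AndroidManifest.xml and flags the permission profile the post describes: device identifiers, network info, GPS location and browser history/bookmarks, combined with Internet access to send it off the device. The sample manifests and the permission-to-data mapping are constructed for illustration.

```python
"""Flag Android apps whose requested permissions match the data-theft
profile in the Symantec warning (network info, GPS, browser history,
IMEI/SIM serial). Constructed example; manifests below are not real apps."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> the kind of data the post says the Trojan collects.
# Assumption: these standard Android/browser permissions cover that data.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identity (IMEI, SIM serial)",
    "android.permission.ACCESS_WIFI_STATE": "network info / MAC address",
    "android.permission.ACCESS_NETWORK_STATE": "network info",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history/bookmarks",
}

def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def triage(manifest_xml):
    """Return (flagged, categories). flagged is True when the app can both
    collect several of the sensitive data kinds AND send them off-device
    (android.permission.INTERNET), i.e. the bot-like profile in the post."""
    perms = requested_permissions(manifest_xml)
    categories = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
    can_exfil = "android.permission.INTERNET" in perms
    return can_exfil and len(categories) >= 3, categories

# Constructed sample manifests (not the iApps7 / Ogre Games applications).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(m))
```

A permission list alone does not prove malice; the flag is a reason to look closer (what the app actually does with the data, and where it sends it), not a verdict.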


Thank you.
Matebese S.