
Real World Intrusion Prevention (IPS)

WHITE PAPER
For the Demands of a New Security Reality

Contents

Introduction
The New Reality
Where Intrusion Prevention Comes In
Real World IPS Insights
In-Band Solutions
Blocking Malicious Traffic
Staying Ahead of the Threat
Ease of Use
Real World Wrap Up
Summary

“This survey shows great variability among IPS vendors with regard to IPS security performance and ease of manageability. TippingPoint outperformed all the vendors in the survey with strong showings across the board, including in-band deployments, effectiveness of security filters, ease of IPS configuration, and repeat IPS purchase intentions.”
Jeff Wilson
Principal Network Security Analyst
Infonetics Research

Introduction

This white paper addresses three primary areas that organizations must consider when formulating network security strategies and evaluating possible solutions for intrusion prevention.

1. First, what are the key network security challenges facing enterprises today, and how have they evolved over the past few years?
2. Second, what are the criteria for an effective IPS solution within the context of a new security reality?
3. Third, what insights can be gained from the experience of enterprises already deploying IPS solutions in the real world?

This paper will explore what organizations can do to apply best practices and make the most of security budgets and resources.

The New Reality

In an age where e-commerce and business critical applications are quickly becoming “Webified,” security threats are morphing faster than ever and the membership and skill of the global hacking community are rising. Sophisticated scanning, penetrating and obfuscating tools and techniques are also more widely available. Worst of all, hackers are now highly motivated to penetrate networks, applications and databases to steal information that can be sold for profit. It’s the modern bank robbery, and many can easily become successful criminals by stealing and selling information. To compound the problem further, the risk of being caught is low. For example, how is a Botnet attack traced when it was crafted by a Romanian teenager using a machine in Bolivia to attack a bank server in the United States? Even if the attack could be traced, law enforcement agencies are unlikely to understand the nature of the crime. In the meantime, organizations may end up on the front page of the Wall Street Journal or Financial Times for less than positive reasons.

So what should organizations do? It’s a complex problem and most organizations do not have endless staff and budget to adequately protect their networks. In fact, whatever an organization’s revenue is, odds are that nearly five percent of that will be spent on IT and eight percent of the IT budget will be spent on network and information security. Yet, there is an ocean of point products positioned as the latest quick fix. IT security faces a vexing challenge: how to wisely spend precious budget to provide maximum business assurance against an ever-changing threat landscape. It comes down to one simple principle: automate everything associated with attack detection and enforcement within reason, thereby leveraging precious IT security staff and budget for other projects. It may seem obvious, but full security automation is much easier said than done. IT security decision makers must have clear requirements that guide them to smart security investments and
definitive business assurance payback.

Where Intrusion Prevention Comes In

Figure 1: In-Band IPS Deployments vs. Out-of-Band Deployments (% of IPS deployments)

Vendor         In-Band   Out-of-Band
TippingPoint   91.4%     8.6%
Cisco          69.7%     30.3%
IBM ISS        67.5%     32.5%
McAfee         65.9%     34.1%
Sourcefire     55.4%     44.6%

Source: Infonetics Research IPS Survey - August 2008
TippingPoint is deployed in-band 20-35% more than the competition

This is where intrusion prevention comes in. First, what is an intrusion prevention system (IPS)? An IPS is an in-band, real-time traffic classification and policy enforcement system – based on deep packet inspection technology – that blocks known and zero-day attacks without human intervention, and with virtually no false positives or application traffic latency. In order to do this, a very stringent set of product requirements must be met – which is exactly why most intrusion technologies and products remain centered on out-of-band intrusion detection, rather than in-band intrusion prevention. These requirements include:

1. In-Line Network Reliability: To block in real time, a product must be placed in-line, not off a tap or mirror port. This means the IPS must be designed from the ground up to deliver the same reliability and network availability as existing routing and switching infrastructure. And, if there is an issue, the IPS must be able to gracefully and transparently remove itself from the network without disrupting normal business traffic.

2. Core Network Performance: Once an IPS proves that it delivers the reliability to be placed in-band, it must process and inspect traffic at multi-gigabit per second rates. The days of only deploying IPS at the WAN perimeter to block a few exploit-filter matched worms are gone. Now, IPS solutions must be able to protect critical interior network points including the data center, major network segmentation points, and even the network core to provide an effective defense against virtually any attack. To consider IPS deployments at key internal points, not only must organizations be concerned about up-time, they must also ensure critical business application performance is not impeded so that their help desk isn’t buried with employee complaints.

3. Low Latency: Application performance is not just a function of bandwidth. Low latency must also be ensured. This is a particularly tough challenge for security products. If a security product is going to run with thousands of filters turned on to automatically block malicious traffic, it must perform inspection very rapidly, or packets will be delayed, application response time will be hindered and employees will complain.

4. Broad Attack Coverage: The fourth challenge focuses on evolving broad coverage and speed of coverage. To protect networks from the growing number of sophisticated attacks, an IPS must provide broad and deep attack coverage. That means the IPS must be able to stop worms, viruses, Trojans, denial of service attacks, peer to peer bandwidth floods, spyware, phishing, Web

application attacks (such as cross site scripting, SQL injections, PHP file includes), VoIP attacks, and more. In addition, the filters should be designed to cover operating system and application vulnerabilities, not just a few well-known attacks which can easily be fingerprinted with basic exploit signatures. Finally, these IPS filters must be delivered in a timely fashion on a regular basis – which requires world class security intelligence, filter writing, testing, and delivery – a skill set and process not widely available.

5. Extreme Filter Accuracy: Finally, the installation of IPS solutions at critical interior and perimeter network points means filter accuracy is of the utmost importance. If not, security personnel will be buried in piles of alerts, many of which will be false alarms. In that world, automation kills IT productivity because IT staff time is wasted chasing every false alarm, only to miss the real ones.

From worms, spyware and phishing attacks to the latest Web application assaults, IPS vendors promise the kind of comprehensive network security not provided by other solutions. Evaluating IPS products can be extremely confusing, especially given that IPS and IDS vendor and product claims all sound similar. The value proposition of IPS systems that rely on IDS-centric technology can be misleading until they are deployed and managed in a production network with real-world traffic. Intrusion Prevention Systems (IPS) are supposed to detect and block unwanted network traffic in real time. However, a survey conducted by Infonetics Research and commissioned by TippingPoint demonstrates that not all IPS vendor solutions deliver the same results in the real world.

Real World IPS Insights - Direct from Users

So how do IPS solutions perform in live customer networks? A recent Infonetics IPS study examines customer experiences with the deployment and management of IPS solutions from a variety of manufacturers. It examines, in particular, how IPS solutions are purchased, deployed and used, including responses from 169 companies that use IPS solutions within their production networks. Respondents in this study were “responsible for managing or planning IPS products and services” for their respective companies. The respondent companies had an average of 9,418 employees each and are customers of one of five IPS vendors: Cisco, IBM-ISS, McAfee, Sourcefire[1] and TippingPoint.

Figure 2: Number of IPS Filters Customers Report Enabling to Block/Alert (average number of active filters)

Vendor         Filters in Block Mode   Filters in Alert Only Mode
TippingPoint   536                     509
Sourcefire     281                     210
IBM ISS        143                     121
Cisco          134                     80
McAfee         47                      58

Source: Infonetics Research IPS Survey - August 2008
TippingPoint customers enable 90% more filters to automatically block

In-Band Solutions

Out-of-band devices can detect network attacks, but can’t stop them. In-band devices, on the other hand, provide real-time, deep inspection and blocking of data packets at layers 2 through 7. Results from the Infonetics IPS customer survey show distinct differences around in-band

deployments among IPS vendors, as shown in Figure 1. Customers report that over 91 percent of all TippingPoint IPS appliances are deployed in-band, versus Cisco, IBM-ISS and McAfee with less than 70 percent each.

These results stem from the fact that TippingPoint IPS solutions are custom designed to deliver industry leading reliability, throughput and latency performance. The products range from 200Mbps to 5Gbps throughput performance and the TippingPoint Core Controller IPS solution delivers up to 10Gbps IPS inspection throughput, all while introducing no more than 84 microseconds of network latency.

So what keeps some customers from deploying their IPS appliances in-band? Why are they reluctant to deploy in-band given the benefits that come from proactively blocking malicious attacks? The results of the Infonetics IPS customer survey indicate the primary reasons for out-of-band deployment include:

• Concerns about reliability/availability
• Throughput degradation
• Increased traffic latency
• False positives or blocking of legitimate application traffic

These concerns are valid for any proactive, in-band network security device. If in-band devices happen to fail – and if they’re not engineered to gracefully and transparently remove themselves from the network like the TippingPoint IPS – then network availability can suffer. If in-band devices aren’t specifically designed to deliver the performance necessary to inspect and pass traffic at speeds as fast as the network itself, the impact to throughput and latency can harm application performance. Additionally, if hyper-vigilant IPS systems end up blocking legitimate traffic because of poor filter accuracy, end users will inundate an organization’s IT help desk very quickly.

Well-designed IPS solutions like the TippingPoint IPS can virtually eliminate these customer concerns. It is evident from the number of customers that install the TippingPoint IPS in-line that TippingPoint’s customers are more confident in their IPS solution’s abilities to overcome key concerns than other IPS vendors’ customers.

Figure 3: Timeliness of Filter Updates (% of respondents reporting semi-weekly or weekly filter updates)

Vendor         Semi-Weekly   Weekly   Total
TippingPoint   37%           50%      87%
Sourcefire     7%            67%      74%
Cisco          22%           43%      65%
IBM ISS        31%           25%      56%
McAfee         19%           23%      42%

Source: Infonetics Research IPS Survey - August 2008
TippingPoint filter updates are timelier than the competition

Blocking Malicious Traffic: Accuracy Does Matter

Another critical requirement for in-band intrusion prevention is to enable a large number of filters to block rather than just detect malicious traffic. Filter accuracy – or the ability of the IPS appliance to block malicious traffic without blocking legitimate business applications – gives customers the confidence to enable IPS filters in block mode.

Figure 2 presents the average number of filters that IPS customers enable to block according to the Infonetics data.
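The block-versus-alert decision described above comes down to a simple operational rule: a filter earns block mode only once it has proven it does not fire on legitimate traffic. The following Python model is an added example written for this edit, not code from the white paper or from any IPS vendor; the filter names, the regular expressions, the request trace and its ground-truth labels are all constructed for the demonstration.

```python
"""Alert-then-block promotion of IPS filters over a labelled traffic trace.

Added example, not code from the white paper or from any IPS vendor. A filter
starts in alert-only mode; it is promoted to block mode only after it has fired
on attacks and never on legitimate requests, and a blocking filter that hits
legitimate traffic is demoted back to alert-only. Everything below (filter
names, patterns, the request trace and its labels) is constructed for the demo.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Filter:
    name: str
    pattern: re.Pattern   # what the filter looks for in the decoded request
    mode: str = "alert"   # "block", "alert" or "disabled"


@dataclass
class Verdict:
    action: str                                # "pass", "alert" or "block"
    fired: list = field(default_factory=list)  # names of filters that matched


def make_filters():
    """Constructed filter set: a vulnerability-oriented SQL tautology filter
    and a loosely written keyword filter that was shipped in block mode."""
    return [
        Filter("sqli-tautology",
               re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
        Filter("sql-keyword", re.compile(r"\bselect\b", re.I), mode="block"),
    ]


def inspect_request(filters, request):
    """In-band decision for one request: any block-mode match blocks it,
    otherwise any alert-mode match only alerts, otherwise it passes."""
    fired = [f.name for f in filters
             if f.mode != "disabled" and f.pattern.search(request)]
    blocking = [f.name for f in filters if f.mode == "block" and f.name in fired]
    if blocking:
        return Verdict("block", fired)
    if fired:
        return Verdict("alert", fired)
    return Verdict("pass", fired)


def evaluate(filters, trace):
    """Count, per filter, matches on attacks (hits) and on legitimate requests
    (false positives) across a trace of (request, is_malicious) pairs."""
    stats = {f.name: {"hits": 0, "false_positives": 0} for f in filters}
    for request, malicious in trace:
        for name in inspect_request(filters, request).fired:
            stats[name]["hits" if malicious else "false_positives"] += 1
    return stats


def promote(filters, trace):
    """Apply the accuracy rule in place and return the resulting modes."""
    stats = evaluate(filters, trace)
    for f in filters:
        hits, fp = stats[f.name]["hits"], stats[f.name]["false_positives"]
        if f.mode == "alert" and hits > 0 and fp == 0:
            f.mode = "block"          # proven accurate: safe to enforce
        elif f.mode == "block" and fp > 0:
            f.mode = "alert"          # it blocked legitimate traffic: back off
    return {f.name: f.mode for f in filters}


# Constructed, already URL-decoded request lines with ground-truth labels.
TRACE = [
    ("GET /search?q=select a plan", False),
    ("GET /login?user=admin' OR '1'='1", True),
    ("GET /report?id=7", False),
    ("GET /items?id=5' or 1=1--", True),
    ("POST /notes body=please select the blue theme", False),
]

if __name__ == "__main__":
    filters = make_filters()
    print("before:", {f.name: f.mode for f in filters})
    print("stats:", evaluate(filters, TRACE))
    print("after:", promote(filters, TRACE))
    for request, _ in TRACE:
        print(inspect_request(filters, request).action, request)
```

Run as written, the keyword filter blocks two legitimate searches before promotion and is demoted, while the tautology filter fires only on the two attacks and is promoted to block mode.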

The TippingPoint IPS solutions, and more specifically TippingPoint’s security research team DVLabs, are well known for delivering IPS vulnerability filters that are extremely accurate and do not block legitimate application traffic. In addition, these vulnerability filters provide complete protection for all current and future exploits targeting the application vulnerability, giving customers great zero-day protection. Every TippingPoint IPS is shipped with “Recommended Settings” - filters enabled by default to block malicious traffic.

Staying Ahead of the Threat

Another critical measure of an IPS solution is the timeliness of filter development and corresponding filter updates to protect against newly discovered or disclosed software vulnerabilities. After all, “better late than never” is not what security administrators want to hear from an IPS vendor. Figure 3 reports the number of customers who responded that their vendor updates IPS filter sets semi-weekly or weekly.

A total of 87 percent of TippingPoint customers report that they receive filter updates twice a week (37 percent) or weekly (50 percent). Cisco customers reported 65 percent had at least weekly updates, and IBM-ISS and McAfee customers reported 56 percent and 42 percent respectively that they received at least weekly updates.

These results reflect TippingPoint’s significant investments in its DVLabs security research team’s IPS filter production and software vulnerability research capabilities. TippingPoint leads the IPS industry in discovered software application vulnerabilities. These security research and IPS filter production capabilities give TippingPoint the ability to produce IPS filters before vulnerabilities are disclosed by software vendors or very shortly thereafter.

Further, the Infonetics data found that TippingPoint customers are more likely to apply all the IPS filter updates provided compared to customers of other IPS vendors (Figure 4).

Nearly three quarters of all TippingPoint customers surveyed (74 percent) report that they typically apply all of the IPS filter updates delivered by TippingPoint’s DVLabs team. This suggests that TippingPoint customers have more confidence in their IPS vendor than competitors’ customers.

Figure 4: Percentage of Customers Typically Applying All Filter Updates

Vendor         % of Customers Applying All Filter Updates
TippingPoint   74%
IBM ISS        69%
McAfee         54%
Cisco          52%
Sourcefire     40%

Source: Infonetics Research IPS Survey - August 2008
More TippingPoint customers apply all filter updates

Figure 5: Customer Reporting of Zero-Day Threat Coverage (% of respondents)

Vendor         Pre-existing Coverage   Day of Zero-Day   Total
TippingPoint   50%                     24%               74%
McAfee         15%                     38%               53%
Cisco          10%                     42%               52%
IBM ISS        8%                      33%               41%
Sourcefire     20%                     20%               40%

Source: Infonetics Research IPS Survey - August 2008
TippingPoint has more Zero-Day threat coverage than the competition

All TippingPoint IPS filter updates from DVLabs include “Recommended Settings” that

indicate exactly how TippingPoint recommends deploying each new filter by default. It is this filter information that gives customers the confidence to automatically apply TippingPoint’s IPS filter updates.

Sometimes, new IPS filters are delivered even before application vulnerabilities are disclosed to the public. When this happens, the IPS vendor is providing “Zero-Day” threat coverage. Hackers can discover application vulnerabilities before software vendors deploy patches to cover them. These Zero-Day threats can leave networks with gaping security holes. To address these threats, IPS vendors need to employ in-house teams of researchers dedicated to conducting ongoing vulnerability research and analysis and to developing Zero-Day filters that plug holes before software patches become available.

How do IPS vendors compare on Zero-Day threat coverage? According to the Infonetics survey data, half of TippingPoint respondents report they receive Zero-Day threat protection – two to three times as many as the closest competitors. Another 24 percent say they receive protection the day of vulnerability disclosure. Twenty percent of Sourcefire customers report pre-existing Zero-Day coverage, followed by 15 percent of McAfee customers, 10 percent of Cisco customers and 8 percent of IBM-ISS customers (Figure 5).

This is a reflection of TippingPoint’s investments in DVLabs vulnerability research capabilities and the corresponding fact that TippingPoint leads the IPS industry in discovered software application vulnerabilities.

Ease of Use

Network administrators are less likely to deploy intrusion prevention systems across the expanse of their networks if the solution is difficult to set up and manage. The Infonetics survey reveals manageability factors for each of the five IPS vendors, including turn-up time and ease of IPS filter configuration.

According to Infonetics’ Jeff Wilson, “This area is among the most significant findings in the study. Many IPS deployments get completely hung up at the initial configuration stage, or worse, devices are misconfigured and then fail to block attacks.”

TippingPoint customers reported the fastest turn-up times, with 76 percent stating that TippingPoint IPS appliances can be installed in two hours or less. Thirty-eight percent of Cisco and McAfee customers say they can turn up their IPS devices in two hours. Only seventeen percent of IBM-ISS customers report two-hour set-up success.

Figure 6: Turn-Up Time for IPS and Management Appliances (% of respondents reporting installation in two hours or less; the original chart also split responses into < 30 min, 30 min - 2 hrs, 2 - 4 hrs and 4 - 8 hrs)

Vendor         Two Hour IPS Install   Two Hour Mgmt. Appliance Install
TippingPoint   76%                    71%
Cisco          38%                    43%
McAfee         38%                    35%
Sourcefire     33%                    33%
IBM ISS        17%                    14%

Source: Infonetics Research IPS Survey - August 2008

Following deployment, initial and ongoing IPS filter configuration is critical to getting the most out of the IPS solution. It is also important to manage and deploy these filters with minimal investment of IT resources. The Infonetics study categorized IPS filter configuration in three levels:

Light Effort: able to navigate the filter inventory, apply filters to segments, and activate policy enforcement in an efficient manner, quickly and independently from vendor assistance in the time-frame expected.

Moderate Effort: some difficulty in filter inventory navigation, segment application, and/or policy enforcement activation that led to more time consumed than expected for this effort.

Significant Effort: help required from vendor technical or sales support to accomplish filter inventory navigation, segment application, and/or policy enforcement activation.

As shown in Figure 7, 66 percent of TippingPoint customers reported that a “light effort” was required to configure IPS filters. Comparatively, 22 percent of IBM-ISS customers, 15 percent of McAfee customers and only 14 percent of Cisco customers reported that filter configuration required a “light effort.”

Figure 7: Ease of Configuring IPS Filters (% of respondents reporting “light effort”; the original chart also showed the moderate and significant effort shares for each vendor)

Vendor         Light Effort
TippingPoint   66%
IBM ISS        22%
McAfee         15%
Cisco          14%
Sourcefire     13%

Source: Infonetics Research IPS Survey - August 2008
TippingPoint’s filters are three times as easy to configure

Real World Wrap Up

The benefits of intrusion prevention have been obvious since a leading industry analyst indicated that “Intrusion Prevention Will Replace Intrusion Detection” in August 2003. However, the Infonetics IPS customer survey finds that 30-45 percent of customers for some IPS vendors still do not install these products in-band with large numbers of filters enabled to block malicious traffic. They continue to use them out-of-band merely to detect attacks, not to block attacks.

TippingPoint’s customers were more confident in their IPS purchase and they consistently ranked TippingPoint at the top – often by large margins – on each and every key IPS performance and manageability measure. Figure 8 summarizes these results.

TippingPoint’s customers display more loyalty for repeat IPS purchases than other competitors’ customers. In fact, the Infonetics IPS customer survey shows that 62 percent of TippingPoint’s IPS customers with intentions to purchase additional IPS products will “definitely stay with their existing IPS vendor” without even reviewing competitive offerings.

Summary

TippingPoint was founded specifically to design and build an IPS from inception to address the requirements outlined in this paper. When TippingPoint was formed in 2001, intrusion detection systems (IDS) were widely available. The companies that provided those IDS solutions

are still around today, continuing to sell IDS. These vendors continue to preach how dangerous it is to go in-band and automatically block malicious traffic simply because their products are not – and never were – designed to be implemented as an IPS. But the market has spoken. ‘Detect and alert’ is no longer the game – unless there is an enormous security budget to hire expensive staff to sift through mountains of alerts and hope that ‘after the fact’ corrective action will somehow appease government compliance agencies and/or personal privacy breach lawyers.

It is not that IDS is inherently bad – there are legitimate uses of detection and human analysis. But security budgets must be spent with an eye toward getting the ‘biggest bang for the buck’. Security dollars are far better spent first on network security automation (IPS) rather than informational alerting (IDS). Once the majority of the malicious and unwanted traffic has been removed from the network through IPS automation, highly valued security personnel become far more productive – as they can focus their energy and effort on unusual network and application activity.

TippingPoint IPSs are built to be deployed in-band, and customer feedback shows that TippingPoint products are trusted in-band, with large numbers of filters automatically set to block straight from the factory. Tens of thousands of TippingPoint IPSs are currently deployed across Fortune 1000, Global 3000, small to medium enterprises (SME), and even some small to medium businesses (SMB) – and across every key industry vertical. TippingPoint automatically blocks damaging attacks in a cost effective manner, significantly reducing the cost and complexity of highly effective network security.

An investment in a TippingPoint IPS is one of the best security expenditures an organization can make. TippingPoint’s product evaluation program provides a TippingPoint IPS for evaluation. IT executives, network engineers, and security analysts can see first-hand why TippingPoint can provide your company with cost-effective business assurance.

Figure 8: IPS Survey Summary (customer ranking of vendors, 1 = highest)

Measure                                    TippingPoint   Cisco   IBM ISS   McAfee   Sourcefire
In Band Blocking
1. In-Band IPS Deployments                 1              2       3         4        5
2. Reasons Preventing IPS Deployments      1              2       3         4        5
3. Filters in Block Mode                   1              4       3         5        2
Filter Effectiveness
1. Number of Attacks Blocked               1              5       4         3        2
2. Timeliness of Filter Updates            1              3       4         5        2
3. Zero-Day Threat Coverage                1              3       4         2        5
Ease of Use
1. IPS Turn-Up Time                        1              2       5         3        4
2. Ease of IPS Configuration               1              4       2         3        5

Source: Infonetics Research IPS Survey - August 2008
Customers rank TippingPoint highest in every main category

[1] While Sourcefire customers were included in the Infonetics survey, only a small number of Sourcefire customers responded to the survey. Therefore, the Sourcefire results are based on a small number (< 30) of customer responses.

Copyright © 3Com Corporation. TippingPoint and Digital Vaccine are registered trademarks of 3Com Corporation or its subsidiaries. All other company and product names may be trademarks of their respective holders. While every effort is made to ensure the information given is accurate, 3Com does not accept liability for any errors which may arise. Specifications and other information in this document may be subject to change without notice. 503201-001 11/08
www.tippingpoint.com
