Ten Best Practices for Enterprise Intrusion Prevention

by Lou Ryan

IT and network security managers face many challenges in securing their organizations' critical servers from attack. A lack of dedicated security resources and the increasing sophistication of attack methods are among their top headaches. Although intrusion detection systems (IDS) have been a popular enterprise solution in the past, they are not enough to block today's evolving attacks. One of the main issues with an IDS is that it does nothing to stop an intrusion before the attack succeeds: it reports, and a person or another system has to act. Also, many IDS are signature-based, so they do not detect new attacks or variations on old ones, and a network IDS cannot inspect attacks carried in encrypted traffic such as HTTP over SSL (Secure Sockets Layer).

What's the alternative? Intrusion prevention is the next logical step in enterprise security. Intrusion prevention systems (IPS) take IDS to the next level by going beyond detecting an attack to actually stopping it before it causes damage. The difference between the two technologies is one enterprise executives are all too familiar with: intrusion prevention blocked Code Red, Nimda, and SQL Slammer, while IDS users spent millions cleaning up after each of them.

What Is An Intrusion Prevention Solution?
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution removes the need for human analysis before action can be taken to protect the system, and it keeps attacks from damaging your operating system, applications and data. With a system that proactively prevents attacks, there is no gap between observing the activity, classifying it as an attack, and finally doing something to stop it. In addition, intrusion prevention helps enterprises get better control of the costly and time-consuming process of installing software patches to close vulnerabilities in operating systems and applications, and to fend off attacks such as worms and buffer-overflow exploits.

How do you choose the right type of solution for your organization? The checklist in Table 1 provides the building blocks for choosing the right enterprise intrusion prevention solution.

Table 1. Intrusion Prevention Checklist

1. Proactive, real-time prevention of attacks: The right solution should provide real-time prevention and analysis of attacks. It should identify the attack and prevent access to critical server resources before any unauthorized activity occurs.

2. Patch latency relief: Patch management is a complex process. Between the time a patch is released and the time it is deployed, a smart attacker can compromise servers and critical data. A good intrusion prevention solution protects the server during this patch latency and gives system administrators ample time to test and deploy patches.

3. Protection for each critical server: Servers, where the most sensitive enterprise data resides, are on the hit list for most attackers. It is vital to have an intrusion prevention solution that is tailored for server protection. Too many solutions on the market today try to be the "ultimate" protection by using the same mousetrap for servers and desktops. The result is thin technology that does not adequately protect sensitive systems and data.

4. Signatures and behavioral rules: The most effective method for identifying intrusions is a hybrid approach that combines the strengths of attack-specific signatures and behavioral rules. The hybrid avoids the fundamental trade-off by covering both known and unknown attacks while keeping the false-positive rate to a minimum. One technology cannot take the place of the other. Behavioral rules protect servers from new and previously unknown attacks; however, their coverage is limited, many attacks are not covered, and behavioral systems generate more false positives. For full forensic capability, the signature is critical in identifying the attack, so security managers know what sort of attack is being directed at their systems.

5. Layers: Strong security is founded on the concept of defense in depth: having several layers of protection. Redundant mechanisms should co-exist so that even if one hurdle is bypassed, there are always other barriers to cross.

6. Heterogeneous environment protection: Organizations using mixed computing environments need to be sure that the intrusion prevention they choose provides consistent, reliable protection across every platform their critical servers run on.

7. Manageable: The ideal intrusion prevention solution allows security configurations and policies to be easily reused across applications, user groups and agents, decreasing the cost of installing and maintaining large security deployments.

8. Scalable: An enterprise-class intrusion prevention solution must scale to meet the needs of the extended enterprise while maintaining the highest levels of security. Scalability comes in the form of supporting large numbers of protected servers, supporting large amounts of event traffic, and supporting distributed security management to meet the needs of large, distributed organizations.

9. Low total cost of ownership: Ideally, the system you invest in should decrease the costs associated with monitoring and managing total server security. Make sure that the system you are evaluating can show metrics around reducing the man-hours spent on clean-up, patching, monitoring, and so on.

10. Proven prevention technology: Beware of solutions that use the word "prevention" but are really detection-based products or desktop solutions in new packaging. It is important to verify that the solution has been thoroughly tested, deployed, and continuously maintained in an environment similar to your own. Read case studies, ask questions, and compare.

11. Strong corporate security policy: All businesses need a detailed and enforced corporate security policy.
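As an added example (not code from the article or from any Entercept or McAfee product), the following Python sketch shows how the "Patch latency relief", "Signatures and behavioral rules" and "Layers" rows fit together in one host-level decision engine: a signature layer that names known attacks for forensics, and a behavioral layer that blocks what a web server should never do, so an unpatched server is still covered when no signature exists yet. The event format, process names, rule names, signature patterns and sample events are all constructed for illustration and are assumptions of this example, not production rules.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: the server processes the rules treat as
# exposed (IIS and Apache image names).
WEB_SERVERS = {"inetinfo.exe", "httpd"}


@dataclass
class Event:
    """One host-level action the IPS agent intercepts before it completes."""
    process: str                 # image name performing the action
    action: str                  # "http_request", "exec" or "file_write"
    target: str                  # URI, child process name, or file path
    blocked: bool = False        # decision: deny the action?
    verdicts: list = field(default_factory=list)   # (layer, rule) hits for forensics


# Layer 1: attack-specific signatures. Precise and named, so a hit tells the
# administrator which known attack was attempted. Illustrative patterns only.
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./|%c0%af|%c1%1c", re.I)),
    ("ida-style-overflow", re.compile(r"\.ida\?[^=]{200,}=", re.I)),
]


# Layer 2: behavioral rules. They do not need to know the exploit, only what a
# web server should never do, so they cover unpatched servers and new variants.
# Each rule carries its own decision because broader rules are noisier: a
# clearly abnormal action is blocked, a merely suspicious one only raises an alert.
def webserver_spawns_shell(ev: Event) -> bool:
    return (ev.action == "exec" and ev.process in WEB_SERVERS
            and ev.target.lower() in {"cmd.exe", "/bin/sh", "/bin/bash"})


def webserver_writes_system_dir(ev: Event) -> bool:
    return (ev.action == "file_write" and ev.process in WEB_SERVERS
            and ev.target.lower().startswith(("c:\\windows\\system32", "/usr/bin")))


def oversized_uri(ev: Event) -> bool:
    return ev.action == "http_request" and len(ev.target) > 1024


BEHAVIORAL = [
    ("webserver-spawns-shell", webserver_spawns_shell, "block"),
    ("webserver-writes-system-dir", webserver_writes_system_dir, "block"),
    ("oversized-uri", oversized_uri, "alert"),   # legitimate long URIs exist
]


def evaluate(ev: Event) -> Event:
    """Run both layers and record every hit; one block verdict is enough."""
    if ev.action == "http_request":
        for name, pattern in SIGNATURES:
            if pattern.search(ev.target):
                ev.verdicts.append(("signature", name))
                ev.blocked = True
    # Behavioral rules run even after a signature hit, so a variant that
    # slips past every signature still meets a second barrier.
    for name, predicate, decision in BEHAVIORAL:
        if predicate(ev):
            ev.verdicts.append(("behavior", name))
            if decision == "block":
                ev.blocked = True
    return ev


def sample_events() -> list:
    """Constructed events: two known attacks, one unknown variant, two benign."""
    return [
        Event("inetinfo.exe", "http_request", "/default.ida?" + "N" * 300 + "=X"),
        Event("httpd", "http_request", "/cgi-bin/..%c0%af..%c0%af/etc/passwd"),
        Event("inetinfo.exe", "exec", "cmd.exe"),      # no signature; behavior only
        Event("httpd", "http_request", "/search?q=" + "a" * 1500),
        Event("explorer.exe", "exec", "cmd.exe"),       # an administrator's shell
    ]


if __name__ == "__main__":
    for ev in sample_events():
        evaluate(ev)
        print("BLOCK" if ev.blocked else "allow", ev.process, ev.action,
              ev.target[:40], ev.verdicts)
```

The third event is the one worth studying: a web server process starting a command shell is blocked by behavior alone, which is the case a signature-only product misses during patch latency. The fourth event shows the false-positive trade-off the checklist warns about: an oversized URI is suspicious but not proof of attack, so the rule alerts rather than blocks, while the first two events carry a named signature verdict that tells the responder exactly what was attempted.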

You'll notice that there are actually eleven best practices on this list. Intrusion prevention is not a one-time implementation of point products but a continuously evolving process, which is why the list ends with a policy rather than a product. A security policy defines which "users" have access rights to which enterprise resources. Make sure the policy takes into consideration users within the enterprise as well as outside users, including partners, customers, and remote employees accessing corporate resources.


About the Author
Lou Ryan is President and CEO of Entercept Security Technologies.

Article © Copyright 2006 McAfee, Inc. Used by permission.