Top Layer Security
FAQ

Welcome to our new service offered by Top Layer Networks. Your questions are important to us. We want you to fully understand intrusion prevention products and how they can help protect your network and its applications. Our ultimate goal is to provide you with the knowledge to make more informed decisions regarding your intrusion prevention systems.

We encourage you to ask questions about network intrusion prevention to our dedicated team of security professionals. We will endeavor to answer those questions (using email); and when appropriate, we will include those answers on this page to assist other readers.

Please click here to ask your question. If your question is chosen to be posted to our website, you will receive a Top Layer T-shirt!

Questions & Answers on this page include:

  1. What is network Intrusion Prevention?
  2. Why do I need an Intrusion Prevention System (IPS) if I currently have a Firewall and an Intrusion Detection System (IDS)?
  3. What is the Return on Investment for an Intrusion Prevention System (IPS)?
  4. What are the essential characteristics of an IPS?
  5. What trends do you see with recent cyber crime?
  6. Why is performance so important when considering network protection?
  7. Are zero day attacks just hype or should I really worry?
  8. Many IPS Vendors rely heavily on Signatures to identify and block exploits, why is this not the best method?
  9. Why should an IPS be Stateful?

1. Question: What is network Intrusion Prevention?
Answer:
Intrusion Prevention Systems (IPS) automatically detect and block malicious network and application traffic, while allowing legitimate traffic to continue through to its destination. An IPS must operate inline with minimal impact on network latency and be scalable to cope with the demands of a multi-gigabit network environment.

2. Question: Why do I need an Intrusion Prevention System (IPS) if I currently have a Firewall and an Intrusion Detection System (IDS)?
Answer:
Most organizations still rely on 1990s security technology to defend against today's attacks. Reliance on firewalls for access control and Intrusion Detection Systems (IDS) for monitoring network traffic means that organizations are at HIGH RISK of a successful attack.

Firewalls are typically deployed at the network perimeter. However, many attacks can easily bypass the perimeter and many are launched, sometimes inadvertently, from within the organization. For example, consider the following situations:

  • An employee who logs on to the corporate network with a laptop computer that became infected while using it at home.
  • A consultant who downloads malware from their own corporate network while working at your facility and inadvertently spreads it onto your network.
  • Remote users who log on using a virtual private network.

An IDS might be effective at detecting suspicious activity, but it does not provide adequate protection against attacks. Worm attacks, such as Slammer and Blaster, spread so rapidly that by the time an alert is generated, the damage has already been done.

To be effective, an intrusion prevention solution must be inline and able to automatically detect and block malicious packets within normal network traffic before the malicious payload causes any damage. This prevention must occur under extreme traffic loads and more importantly, good traffic must never be blocked, even while under an attack. Finally, the IPS device must operate with switch-like latency at all times.

Given these parameters for defining an effective intrusion prevention solution, it is simple to see why simply adding blocking capabilities to existing security infrastructure, such as firewalls and IDS, is not an effective intrusion prevention solution.

The concept of blocking malicious network traffic before it reaches its intended targets is simple. However, given the increasing sophistication of attacks and the sheer brute force behind them, security managers need an IPS solution that can cope with these demands. The Top Layer IPS 5500 answers these complex challenges with a solution that is simple to deploy while providing the world's first non-stop protection for any enterprise.

3. Question: What is the Return on Investment for an Intrusion Prevention System (IPS)?
Answer:
Most of our customers who use the IPS 5500 to defend against network and application level attacks tell us that the payback from their IPS investment is rapid. Customers often cite the following reasons why the Top Layer IPS 5500 provides a rapid Return on Investment (ROI):

  • Blocks attacks automatically, which allows the security team time to adequately test patches prior to deployment.
  • Eliminates mission critical server downtime, thereby, maximizing revenue and maintaining high customer satisfaction.
  • Blocks attacks which allows for increased bandwidth availability.
  • Increases network performance by eliminating unwanted and malicious traffic.
  • Reduces operating expenses incurred by maintaining and running older, ineffective security solutions.
  • Allows legitimate transactions to continue to flow even in the face of the most brute force Denial of Service (DoS) attacks.

Many customers tell us that even one of these reasons can result in a 100% payback in a very short time. When combined, the business case for deploying the IPS 5500 to defend against network and application-based attacks is compelling and no other IPS solution can claim this level of ROI.


4. Question: What are the essential characteristics of an IPS?
Answer:
For an IPS to provide effective non-stop protection against network and application-level attacks, the following aspects of a solution must be addressed:

  • Block known and unknown (including zero-day) attacks.
  • Never block legitimate traffic even when under attack.
  • Since it operates inline, it must be a resilient hardware solution that will not be a single point of network failure.
  • Not reliant on signatures as the primary form of defense (a method adopted by IPS products that spawned from IDS technologies that are susceptible to false positives).
  • Not add any discernible latency under extreme load or attack, since this will negatively impact business users.
  • Rapid configuration for immediate protection with minimal ongoing operational maintenance.
  • Access to a centralized management solution that has meaningful reporting capabilities.
  • Must be NSS approved.
  • Cost effective solution, particularly in the case of a solution requiring multiple IPS devices with different throughput requirements (for example, a 2 gigabit requirement at the core and 200 megabit at a remote location).
  • As network capacity and performance increase over time, the IPS solution must be scalable in line with those requirements.
  • Cope with new advanced types of security threats in the future, for example security threats associated with the complex XML protocol.
  • Provide relevant data for forensic analysis purposes and alert reporting.
  • Provide protection in complex network topologies such as asymmetrical networks.
  • Offer fine-grained granularity to decide what type of malicious traffic is to be blocked (for instance Web servers and email servers need to be configured differently).
  • Combine rate-based and content-based protection on one device.
  • Post sales support to provide updates on newly discovered vulnerabilities and advice (signatures, patches or configuration updates) on how to protect against the exploits.

5. Question: What trends do you see with recent cyber crime?
Answer:
Malware and regulations continue to be top-of-mind issues for CSOs and CIOs when it comes to network and application security. Much of this concern stems from the growing sophistication of cyber attacks and the multitude of ways they are being launched. There are so many entry points on today's network, whether it's email, FTP, Web services or wireless, that today's security defenses need to be more comprehensive than ever before.

The heavy focus on operational and tactical issues by CSOs and CIOs comes amid a growing realization that security managers need to take a more strategic focus; in other words, you cannot separate the operational issues from the business issues. Maintaining secure business operations means the security manager needs to proactively address the key network and application threats for an organization before they happen. One thing is certain: at some point, every organization will be the target of an attack. Only those organizations that address the threat now will be ready to tackle it when it occurs. The difficulty is that these threats take many forms:

  • System Penetration
  • DDoS Attacks
  • Insider Abuse
  • Spoofing
  • Data/Network Sabotage
  • Unauthorized Insider Access
  • Worms and Trojans
  • Viruses
  • Hijacking IT Resources
  • Zero-Day Attacks
  • Compliance with Legislation
  • Loss of Intellectual Property
  • Unprotected Remote Links
  • Lack of Redundancy
  • Rolling Out New Applications

Amid this growing number of potential pain points is the fact that the attacks are becoming more sophisticated and the sheer brute force with which they are launched is increasing. Over-provisioning with more servers and more bandwidth is not enough to defend against today's attacks. Current network intrusion prevention solutions provide the answer for enterprises to defend against known and unknown attacks while allowing legitimate business transactions to continue to flow to their destination.

6. Question: Why is performance so important when considering network protection?
Answer:
Performance is critical for an inline IPS. The key performance aspects for an inline IPS are latency, throughput, DDoS rejection rates, operational load, and scalability. The IPS 5500 delivers industry-leading performance across all of these key attributes and, in many cases, the IPS 5500 operates at three to five times the performance levels offered by competitive products.

  • Lowest Latency Of Any IPS Device - The IPS 5500 is the first IPS to seamlessly integrate multiple protection mechanisms on a distributed ASIC platform. The resulting latency measures below 50 microseconds with protection mechanisms enabled.
  • Scalable Performance and Capacity - The IPS 5500 ProtectionCluster™ provides the highest level of performance by using unique load sharing mechanisms. The ProtectionCluster™ provides a scalable solution that not only increases capacity, but also provides better protection through advanced state sharing and awareness.
  • Outstanding Throughput - It is very difficult for any security administrator to be able to characterize the traffic on their network with a high degree of accuracy. What is the average bandwidth? What are the peaks? Is the traffic mainly one protocol or a mix? What is the average packet size and level of new connections established every second? The IPS 5500 has been designed to eliminate these concerns by being able to operate in the most demanding networks with throughput of 8.8 Gbps with the ProtectionCluster.
  • Industry Leading DDoS Rejection Rates - Today, DDoS attacks can be launched simultaneously from computer armies of 35,000 compromised machines, delivering seemingly harmless legitimate traffic at rates approximating a gigabit per second. Today, attackers target e-commerce sites, email servers, DNS servers, and VoIP providers to prevent legitimate transactions or data from reaching the desired target. Only the most advanced DDoS capabilities, designed in hardware, can stop these attacks while allowing legitimate traffic to continue to flow to the intended destination. Top Layer has been at the leading edge of stopping high volume DDoS attacks for many years. The IPS 5500 incorporates this technology in all of its IPS products and allows customers to combine traditional IPS protection features with full DDoS protection.
  • Performance When Under Load - This is the one performance metric missing from most vendors' datasheets. As a result of the tight integration of the protection mechanisms with the hardware architecture, datasheet performance for the IPS 5500 is what you can expect when deployed in live networks (with small packets), even while under attack.

7. Question: Are zero day attacks just hype or should I be really worried?
Answer:
Zero-day exploits occur when an exploit for a vulnerability is created before, or on the same day that, the vulnerability becomes known to the world at large. IT organizations are constantly fighting to keep their systems patched and updated, but the reality is that it takes time to adequately test a patch against all applications running on the servers. The window between the discovery of a vulnerability and the launch of an exploit keeps narrowing, and organizations are exposed during that window. As such, an attacker can effectively compromise unprotected servers at will.

8. Question: Many IPS vendors rely heavily on signatures to identify and block exploits, why is this not the best method?
Answer:
Signatures, or pattern matching, are one of a number of methods that are used in an IPS to detect and block exploits of vulnerabilities. However, if used as the primary protection mechanism, you will face limitations in what will be successfully blocked. Signatures are notorious for generating false positives, which means that on their own, legitimate traffic will be blocked. In addition, attackers have found ways around pattern matching methods by making relatively small changes to the attack code that render the detection useless, so the attack is not blocked by the IPS. Another trick commonly used is to send packets out of order or through asymmetrical traffic routes. Unless the IPS has a packet reorder engine and is fully Stateful, the attack will never be recognized and will simply pass through to the ultimate target. It is therefore important to have multiple protection mechanisms all working simultaneously.

In the case of the IPS 5500, the IPS inspects 100% of the packets and integrates many protection mechanisms, including its Deep Packet Inspection and Stateful Analysis Engines, to understand an application's behavior and usage across the entire session. The reordered packets that comprise a transmission are inspected to establish whether the transmission is legitimate or malicious. If deemed malicious, the entire packet stream is discarded before reaching its intended target.

9. Question: Why should an IPS be Stateful?
Answer:
Every operating system implementation has security leaks that are known to hackers throughout the world. In the 1990s, Stateful Inspection became the industry standard for network security solutions to address malicious attacker behavior, including protection against Denial of Service attacks. An IPS should also incorporate "always on" Stateful Inspection as a key feature to allow continuous monitoring of packets. As well as examining header information, Stateful Inspection means the contents of a packet (up through the application layer) can be examined to determine more context about the packet beyond its source and destination information. In addition, Stateful Inspection monitors the state of a connection and compiles historic information in a state table. As a result, dynamic filtering decisions can be expanded beyond administrator-defined rules that simply block known IP addresses or TCP ports (as in static packet filtering) to take into account the context of a packet that has been established by packets that previously passed through the IPS.

It is well known that many "IDS-based" IPS systems are capable of some Stateful inspection while operating in an offline IDS mode. IDS-based IPSs were spawned from the Intrusion Detection System vendors that had their roots firmly planted in their ability to alert, report, and correlate attacks. The concept of taking these offline devices and putting them inline and allowing them to block attacks based primarily on signature or pattern-matching techniques was quite logical. In fact, most of these vendors utilize a form of Stateful Inspection to complete simple pattern matching (also known as signature matching) on packets to establish whether the packet contains a known exploit. As a result, these IPS vendors will claim that their products have Stateful inspection capabilities. However, as soon as these IPS products are deployed inline to perform proactive blocking rather than simple offline detection, many of these devices lose their Stateful inspection capabilities and simply inspect packets coming in, without maintaining full context across the session. Typically, if these devices try to maintain an "always on" state, the performance and latency decline dramatically.

In some cases, an IPS device may turn on Stateful inspection as soon as it detects an attack so that the device can more closely monitor packet flows and relevant context on future transmissions. This is typically a short-term burst of increased protection that, after a while, reverts back to the stateless mode. The advantage this provides to those IPS vendors is that they are able to quote much higher performance numbers in their data sheets based on passing legitimate traffic through the device without performing Stateful inspection. As previously stated, the moment these devices go into Stateful mode, their performance drops off dramatically and there is a high risk that legitimate packets will be dropped and then, the IPS device becomes a performance bottleneck in the network.

Having an IPS that is sometimes Stateful and sometimes not creates a real challenge for network security managers. For instance, new hybrid attacks that split the malicious code across multiple packets are more likely to be missed by this type of IPS. Another problem is with asymmetrical network topologies where packets can come in and go out on different network segments. If the IPS is not maintaining state for all transactions, it is again highly likely that attacks will not be identified and will be able to continue on their way to deliver their payload to their destination.

To get around the challenge of performance bottlenecks when Stateful inspection is enabled at all times, an IPS vendor must invest heavily in developing ASIC chip sets that are seamlessly integrated together to reduce latency concerns while passing traffic under load or attack. Only the most advanced hardware architecture allows for excellent protection at all times with no degradation in performance.
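The following is an added illustration of the two points made in questions 8 and 9: a per-packet signature matcher misses a pattern that is split across segments or arrives out of order, while an inspector that keeps a state table per flow, reorders segments by TCP sequence number and matches over the reassembled stream catches it and then discards the rest of that stream. This is example code written for this page, not Top Layer's code and not a description of the IPS 5500's internals. The segments, the flow key, the addresses and the "signature" (a harmless placeholder string) are all constructed for the example.

```python
"""Stateless vs. stateful (reassembling) inspection of a TCP stream.

Added example, not vendor code. All traffic below is constructed, and
SIGNATURE is a benign placeholder, not a real exploit pattern.
"""
from dataclasses import dataclass, field

SIGNATURE = b"EXAMPLE-BAD-PATTERN"   # constructed placeholder pattern


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes
    syn: bool = False   # True for the connection-opening SYN


def stateless_match(segments, signature=SIGNATURE):
    """Per-packet pattern matching: each payload is searched in isolation."""
    return any(signature in s.payload for s in segments)


@dataclass
class FlowState:
    """One state-table entry: where the stream is, what is buffered, the verdict."""
    next_seq: int
    buffer: dict = field(default_factory=dict)        # seq -> payload, awaiting order
    stream: bytearray = field(default_factory=bytearray)
    verdict: str = "allow"


class StatefulInspector:
    """Reorders segments per flow and matches over the reassembled byte stream."""

    def __init__(self, signature=SIGNATURE, max_buffered=64):
        self.signature = signature
        self.max_buffered = max_buffered   # bound memory per flow
        self.table = {}                    # state table: (src, dst) -> FlowState

    def inspect(self, seg):
        key = (seg.src, seg.dst)
        if seg.syn:
            # SYN consumes one sequence number; data starts at seq + 1
            self.table[key] = FlowState(next_seq=seg.seq + 1)
            return "allow"
        st = self.table.get(key)
        if st is None:
            # Flow seen mid-stream (e.g. asymmetric route): start from here
            st = self.table[key] = FlowState(next_seq=seg.seq)
        if st.verdict == "block":
            return "block"          # once malicious, the whole stream is discarded
        if seg.seq < st.next_seq:
            return "allow"          # retransmission of bytes already inspected
        st.buffer[seg.seq] = seg.payload
        if len(st.buffer) > self.max_buffered:
            st.verdict = "block"    # design choice: fail closed on a flow that never drains
            return "block"
        # Drain every segment that is now contiguous with the stream
        while st.next_seq in st.buffer:
            chunk = st.buffer.pop(st.next_seq)
            st.stream += chunk
            st.next_seq += len(chunk)
        if self.signature in st.stream:
            st.verdict = "block"
            return "block"
        # Keep only the tail that could still complete a match across a boundary
        keep = len(self.signature) - 1
        if len(st.stream) > keep:
            del st.stream[:len(st.stream) - keep]
        return "allow"


def run_stateful(segments, inspector=None):
    """Feed segments through an inspector and return the per-segment verdicts."""
    insp = inspector or StatefulInspector()
    return [insp.inspect(s) for s in segments]


def constructed_split_traffic():
    """Constructed: the placeholder pattern is split across two segments,
    and the second half is delivered before the first (out of order)."""
    first = b"GET /index.html?q=EXAMPLE-BAD-"
    second = b"PATTERN HTTP/1.0\r\n\r\n"
    syn = Segment("10.0.0.5", "192.0.2.10", seq=999, payload=b"", syn=True)
    a = Segment("10.0.0.5", "192.0.2.10", seq=1000, payload=first)
    b = Segment("10.0.0.5", "192.0.2.10", seq=1000 + len(first), payload=second)
    return [syn, b, a]


def constructed_benign_traffic():
    """Constructed: an ordinary request with no pattern, to check for false positives."""
    syn = Segment("10.0.0.6", "192.0.2.10", seq=4999, payload=b"", syn=True)
    a = Segment("10.0.0.6", "192.0.2.10", seq=5000, payload=b"GET /about.html HTTP/1.0\r\n\r\n")
    return [syn, a]


if __name__ == "__main__":
    print("stateless sees pattern:", stateless_match(constructed_split_traffic()))
    print("stateful verdicts:", run_stateful(constructed_split_traffic()))
    print("benign verdicts:", run_stateful(constructed_benign_traffic()))
```

The stateless matcher returns False on the split, reordered stream; the stateful inspector returns "allow" for the SYN and the buffered second half, then "block" once the first half arrives and the reassembled bytes contain the pattern, and every later segment of that flow is blocked without further inspection. The benign flow is allowed throughout. The tail-trimming and the buffer cap are the two places where the "always on" cost the answer describes shows up: memory per flow has to be bounded, and the design has to decide what to do with a flow that refuses to drain.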


2400 Computer Drive, Westboro, MA 01581 Phone: (508)-870-1300 ©1999-2008 Top Layer Networks. All Rights Reserved.