Marking a trend in which large security players are among the last to the party, Internet Security Systems released the first of its new Proventia G Series intrusion-prevention appliances this week, promising proactive protection and ease of use.
Atlanta-based ISS said the G200 — the first device in its intrusion-prevention line, which is expected to grow later this year — employs “multiple blocking techniques” to correctly handle both legitimate network traffic and Internet ills such as worms, Trojans and denial-of-service (DoS) attacks.
Forrester research director Michael Rasmussen said ISS and fellow security heavyweight Check Point are doing some catching up with intrusion prevention — an evolution of intrusion detection that involves actively blocking perceived threats to a network.
Rasmussen, who described intrusion prevention as a blurring of detection and firewall capabilities, told TechNewsWorld that while almost all network security vendors are taking detection to the point of prevention, real-world use keeps the newer technology in detection mode because customers are wary of its effects.
ISS said its Proventia G Series, backed by its X-Force Security Intelligence team, uses a mix of seven response techniques to address individual threats appropriately. By blocking potential attacks involving newly disclosed vulnerabilities, the appliances can protect during the critical time between release of a threat and availability of a patch, ISS said.
ISS senior vice president of worldwide marketing Pete Privateer told TechNewsWorld that the G series (intended for deployment inside the network) and the existing M series (created for edge deployment) both represent an attractive alternative to the difficult task of timely patching.
“Once we are aware of a vulnerability, the appliance updates itself and watches for anything that tries to exploit that vulnerability and blocks it,” Privateer said, adding that a key to intrusion prevention is matching the appropriate response to the threat.
Privateer criticized early implementations of intrusion prevention, including Symantec’s ManHunter, for blanketing all threats with one or two responses, which included issuance of an automated system reboot that likely would interrupt other traffic and applications.
ISS said its G Series appliances can operate in three modes: active for preventive blocking; passive for detection; and simulation, in which the machine reports what it would have blocked to give customers a view of what happens before activating prevention mode.
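The three operating modes the article describes (active blocking, passive detection, and simulation that reports what would have been blocked) map onto a simple decision in an inline inspection engine. The following is an added illustration written for this page, not ISS code or anything from the Proventia product; the signatures, packet format, and sample traffic are all constructed for the example, and the per-signature "drop" versus "alert" response is an assumed stand-in for the vendor's unspecified "multiple blocking techniques".

```python
"""Toy inline inspection engine with active, passive and simulation modes.

Added example for illustration only; signatures and traffic are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from collections import Counter
import re


class Mode(Enum):
    ACTIVE = "active"          # drop matching traffic inline
    PASSIVE = "passive"        # detect and alert only, never drop
    SIMULATION = "simulation"  # forward everything, record what would be dropped


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    response: str  # assumed per-signature response: "drop" or "alert"


# Constructed toy signatures; real IPS rules are far richer than regexes.
SIGNATURES = [
    Signature("toy-dir-traversal", re.compile(rb"\.\./\.\./"), "drop"),
    Signature("toy-long-uri", re.compile(rb"GET /[^ ]{200,}"), "drop"),
    Signature("toy-cleartext-password", re.compile(rb"password=", re.I), "alert"),
]


@dataclass
class Engine:
    mode: Mode
    events: list = field(default_factory=list)  # (signature, action, src)

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        for sig in SIGNATURES:
            if sig.pattern.search(pkt.payload):
                return self._respond(pkt, sig)
        return True  # no match: forward untouched

    def _respond(self, pkt: Packet, sig: Signature) -> bool:
        # Alert-only signatures never drop, and passive mode never drops.
        if sig.response == "alert" or self.mode is Mode.PASSIVE:
            self.events.append((sig.name, "alert", pkt.src))
            return True
        # Simulation: forward the packet but log the decision active mode would make.
        if self.mode is Mode.SIMULATION:
            self.events.append((sig.name, "would-drop", pkt.src))
            return True
        # Active: actually block.
        self.events.append((sig.name, "drop", pkt.src))
        return False


def run(mode: Mode, packets):
    """Inspect a packet list in the given mode; return (forwarded flags, events)."""
    eng = Engine(mode)
    forwarded = [eng.inspect(p) for p in packets]
    return forwarded, eng.events


def summarize(events):
    """Count events per (signature, action); this is the 'what would have been
    blocked' view an operator reads before switching simulation to active."""
    return dict(Counter((name, action) for name, action, _src in events))


# Constructed sample traffic: one benign request, one traversal attempt, one
# form post carrying a cleartext password field.
SAMPLE = [
    Packet("10.0.0.4", "10.0.0.80", b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.5", "10.0.0.80", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.6", "10.0.0.80", b"POST /login HTTP/1.0\r\n\r\nuser=a&password=b"),
]

if __name__ == "__main__":
    for mode in Mode:
        fwd, ev = run(mode, SAMPLE)
        print(mode.value, "forwarded:", fwd, "summary:", summarize(ev))
```

Running the script shows the practical difference between the modes: passive and simulation forward all three sample packets, but only simulation's event log records that the traversal attempt would have been dropped, which is exactly the evidence an operator needs before enabling active mode on production traffic.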
The network security company joins a crowd of security vendors, including Check Point, NetScreen, Network Associates, Tipping Point and others that are putting prevention into their appliances, according to Rasmussen.
He noted that while ISS and Check Point historically have coexisted peacefully, the two prevention latecomers now are going head to head when it comes to the firewall aspects of intrusion prevention.
A Matter of Trust
While most vendors — whether they are all-in-one or more specialized — are offering technologically solid protection in the form of intrusion prevention, users are still unsure about the technology, perhaps scared off by overfiltering and performance issues that have arisen in the past.
Rasmussen said companies are balking at the proposition of putting one security layer after another in front of their business processes.
“The technology is growing. I just don’t see a lot of people comfortable with it,” he said. “In the real world, users are barely touching intrusion prevention capabilities until they muster up some confidence in it.”
He added that as more inspection is done, more overhead and processing is required.
Rasmussen expressed some concern about ISS’ “standard Intel platform” and said other security vendors, such as NetScreen, are building intrusion prevention more deeply into hardware through Application Specific Integrated Circuits — specialized chips most commonly called ASICs.
“This whole space is moving more and more to hardware,” Rasmussen said. “If vendors don’t have a plan for ASICs and networking hardware, they need to get one.”
Privateer took exception to the idea that the Intel platform of the ISS appliances could be less efficient or effective than an ASIC approach.
Claiming consistent performance wins with standard Intel hardware over ASIC, Privateer denied that ASIC hardware improves performance and argued that hardware is not flexible enough to take on the ever-changing threats from cyber attackers.
“It’s not something that you burn into silicon,” he said. “How’s that going to be flexible?”