It is virtually impossible to detect (as Sony and RSA recently experienced) legitimate-looking files that are encrypted in transmission and launch code when the file is opened. An e-mail with an attached PDF or spreadsheet that looks legitimate can launch code as it is opened. The applications have to be patched to prevent this, which necessitates constant updates to MS Windows, Office, Java, Adobe and many other applications. Making sure every device that connects to the network is patched is a major task. Vulnerability scanners can ease the task, but often just add to it by flagging possible vulnerabilities on such a scale that the data is impossible to manage.
It is better to stop an attack at its entry point than to look for where it may end up. Good intrusion detection system (IDS) technology works at the entry to a network, analysing the risk of a given data stream - whatever it carries - at the moment it arrives from external sources. The devices need regular updates to code, signatures and configuration.
Risk versus cost
The ability to balance what is being checked against the throughput is a real need that equates to risk versus cost. Just because an intrusion prevention system (IPS) can be costly does not make it superior to other technologies - any device needs expert configuration and constant audit to ensure that malicious traffic really is being stopped.
The reliance on IT to manage our business data and do business with other companies across the globe as well as the rapid development of the Internet have created a new risk element. Indeed, this new type of risk can be considered more likely to happen than historical risk incidents such as fire and flood.
Modern network appliances are required to handle data throughputs of 10 Gbps - or clusters of 10 Gbps data streams. The number of companies reaching these throughputs will grow, and those already at these levels will need even more in the future. We must therefore start raising the effectiveness of the IDS/IPS platform itself.
There has to be a distinction between firewall and IDS/IPS functionality. Although some vendors' equipment blurs the two, in general the firewall is there to reject certain types of traffic and to control which traffic can flow in which direction and from which connections.
The rejection of certain data types from certain sources and the filtering out of suspect data that cannot be automatically detected as good or bad will reduce the volume of data being inspected.
Very large volumes of data can be split with the aid of load balancing, with each load having its own intrusion system.
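The traffic path sketched in the last three paragraphs (firewall policy first, then filtering out what needs no deep inspection, then fanning the remainder across several IDS instances) is shown below as an added example; it is not code from the article or from any vendor product. The packets, the firewall policy, the allowlist and the signature strings are all constructed for the demonstration, and the load balancer hashes each flow's (source, destination, port) key so that every packet of a flow reaches the same IDS instance, which is what lets a stateful IDS see a whole session.

```python
"""
Toy model of the traffic path described above: a firewall stage that rejects
traffic by source/port policy, a pre-filter that drops known-good traffic
without deep inspection, and a flow-hash load balancer that fans the rest out
to several IDS instances. All packets, rules and signatures are constructed
for this example.
"""
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample packets: (src_ip, dst_ip, dst_port, payload)
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.0.0.10", 443, b"GET /index.html"),
    ("203.0.113.5", "10.0.0.10", 443, b"GET /index.html?q=../../etc/passwd"),
    ("198.51.100.7", "10.0.0.10", 23, b"login: root"),   # telnet, rejected by policy
    ("192.0.2.9", "10.0.0.11", 80, b"GET /health"),      # allowlisted health checker
    ("192.0.2.9", "10.0.0.11", 80, b"GET /health"),
    ("203.0.113.77", "10.0.0.12", 25, b"MAIL FROM:<a@example.com>"),
    ("203.0.113.77", "10.0.0.12", 25, b"DATA\r\n%PDF-1.4 ... /OpenAction /JS"),
]

# Firewall policy (constructed): reject by destination port and by source network
BLOCKED_PORTS = {23}
BLOCKED_SOURCES = {"198.51.100.0/24"}

# Known-good (source, port) pairs that need no deep inspection (constructed)
ALLOWLIST = {("192.0.2.9", 80)}

# IDS signatures (constructed): payload substring -> alert name
SIGNATURES = {
    b"../": "path traversal attempt",
    b"/OpenAction /JS": "PDF with auto-run JavaScript",
}


def firewall(pkt):
    """Stage 1: reject traffic by port and source-network policy."""
    src, _dst, port, _payload = pkt
    if port in BLOCKED_PORTS:
        return False
    addr = ipaddress.ip_address(src)
    return not any(addr in ipaddress.ip_network(net) for net in BLOCKED_SOURCES)


def needs_inspection(pkt):
    """Stage 2: keep known-good traffic out of the inspection queue to cut volume."""
    src, _dst, port, _payload = pkt
    return (src, port) not in ALLOWLIST


def flow_key(pkt):
    """Identify a flow by source, destination and destination port."""
    src, dst, port, _payload = pkt
    return (src, dst, port)


def pick_ids_instance(pkt, n_instances):
    """Stage 3: hash the flow key so every packet of a flow hits the same IDS."""
    key = "|".join(map(str, flow_key(pkt))).encode()
    return int(hashlib.sha256(key).hexdigest(), 16) % n_instances


def inspect(pkt):
    """Stage 4: signature match on the payload; returns the alert names raised."""
    payload = pkt[3]
    return [alert for sig, alert in SIGNATURES.items() if sig in payload]


def run_pipeline(packets, n_instances=2):
    """Run all stages; return per-stage counts and alerts grouped by IDS instance."""
    stats = {"received": len(packets), "firewall_rejected": 0,
             "allowlisted": 0, "inspected": 0}
    alerts = defaultdict(list)
    for pkt in packets:
        if not firewall(pkt):
            stats["firewall_rejected"] += 1
            continue
        if not needs_inspection(pkt):
            stats["allowlisted"] += 1
            continue
        stats["inspected"] += 1
        inst = pick_ids_instance(pkt, n_instances)
        for alert in inspect(pkt):
            alerts[inst].append((flow_key(pkt), alert))
    return stats, dict(alerts)


if __name__ == "__main__":
    counts, by_instance = run_pipeline(SAMPLE_PACKETS, n_instances=3)
    print(counts)
    for inst, hits in sorted(by_instance.items()):
        print(f"IDS instance {inst}: {hits}")
```

Of the seven constructed packets, one is rejected by firewall policy and two are allowlisted, so only four reach the IDS stage; the two alerts come from the traversal request and the PDF with an auto-run action. The hash-based placement is what matters operationally: if a load balancer sprayed packets round-robin, a multi-packet attack would be split across instances and no single IDS would see enough of the session to match it.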