Wednesday, 24 September 2008

Vulnerability scanning and IPS

I had a recent (private) discussion with a leading security expert about the comparative benefits of intrusion protection systems versus, and in combination with, vulnerability scanning. He asked for my opinion and I wrote an essay. Here it is:


An intrusion prevention system (IPS) detects threats coming into or leaving a system - and blocks them. These threats will consist of code designed to exploit a vulnerable application or some more integral part of the operating system. Vulnerability scanning is a protection measure that searches for programs containing known security holes and either prompts the user to update these programs or helps to update them automatically or semi-automatically.

If a completely effective vulnerability scanner existed, which was able to patch all of the software on a user's system automatically, there would be no need for an IPS because there would be no vulnerable targets for an attack. However, sometimes an application will not have an update available that plugs its security hole(s). Vulnerability scanning on its own is not enough.

If a completely effective IPS existed, there would be no need for vulnerability scanning at all. If every exploit was denied access to the system at the start of an attack then it wouldn't really matter whether or not vulnerable applications existed on the system. The system as a whole would not be vulnerable. Of course, IPSes are not flawless and in practice some exploits will be able to enter the system. Reducing the number of vulnerable applications will reduce the risk of a compromise when the IPS misses an exploit.

The obligatory analogy

You could say that the difference between an IPS and a vulnerability scanner is comparable to the difference between having security guards on the doors of a building and running a regular security audit to locate weak locks, CCTV blind spots and other possible avenues of attack. You'll want the guards in place at all times, but carrying out occasional audits is still sensible - not least because you might one day discover that there is an unguarded door somewhere in the building.

But if you had to choose one or the other, you'd go for the guards every time.

The guards in the above analogy (where they represent an IPS) have to be able to recognise good and bad players accurately. The way a player tries to enter the guarded building may give a clue as to their intentions. A legitimate, authorised entrant will most likely use the front door and not a broken window in the back alley. The player's appearance, security credentials and maybe even the time of day that they choose to attempt entry will all count for or against them in the guard's eyes. An IPS may be able to determine the legitimacy of incoming packets using similar patterns.

Vulnerability scanning is more passive in this regard, but that's not always a bad thing. To further labour the building analogy, vulnerability scanning might result in that alley window being bricked up, blocking attempts to enter regardless of any ID held by the player. There aren't many reasons why the CEO would need to enter the building this way.

When a product scans for vulnerable applications, its actions may help tighten security. This will be true particularly if the user is helped to patch the vulnerable apps, rather than just being informed that problems exist. This would be like the security auditor coming equipped with new locks, CCTV cameras and bricks, rather than just writing a report that could sit unread in the COO's inbox for a month.

Permission to update?

Is there a danger of overloading the user with requests to update? The average customer is inundated with requests to make updates to modern applications and operating systems. Older software often lacks automatic updating features but is at least as likely to harbour vulnerabilities than newer programs. Prompts to update are generally very annoying, though. Both technical and non-technical users become irritated by requests to restart their PCs when they are trying to work or play.

There is a risk that vulnerability scanning, followed by a request for an update (or a request for a restart, following an automatic update), will add to the irritation. This state of affairs is more likely to annoy a user than an IPS alert, particularly if the alert is made silently to a log file. A successful security implementation that combines IPS and vulnerability scanning will have minimum impact on the user in terms of that user's interaction with the system.

A balancing act

As usual, defence in depth has got to be the safest course of action, but it might not be the best. Users' requirements and behaviour is a critical consideration with consumer products and the less they have to interact with security measures, the better. Vulnerability scanning on its own is not sufficient because not every product can be updated and, even when updates are available, not every user will install them. Constant requests to restart the system, due to automatic updates, will result in the vulnerability scanner being uninstalled.

Allowing an IPS to download new definitions automatically, so that it can detect new threats on the wire, has much less impact on the user. Because of this, an IPS stands a greater chance of success than a vulnerability scanner in the consumer space.