DVLabs, ZDI, and Rep DV help HP TippingPoint offer bleeding-edge protection
As the threat landscape evolved, Network Intrusion Detection and Prevention Systems (NIDS / NIPS) became an enterprise best practice to spot and automatically block attacks. In this edition of Enterprise Networking Planet's NIPS buyer's guide, we examine the capabilities and features offered by HP TippingPoint, the company that founded the popular and somewhat controversial Zero Day Initiative (ZDI) program.
Keeping up with emerging threats
TippingPoint founded ZDI back in 2005 to leverage the collective power of security researchers by paying those who reported new threats. Although TippingPoint has its own internal research arm -- DVLabs -- the ZDI program was intended to greatly expand the pool of resources used to discover vulnerabilities, give those who do so a financial incentive to report them responsibly, and help TippingPoint protect its NIPS customers until affected vendors release security patches.
According to Michael Callahan, Director of Worldwide Marketing at HP TippingPoint, about 1,500 researchers around the world are involved in ZDI, managed out of TippingPoint's labs. "When we started to pay researchers for discovering security vulnerabilities, it was controversial at the time - but in hindsight it was innovative. Last year, this very successful program discovered 319 new vulnerabilities."
TippingPoint benefits by expanding its own IPS filters to stop attackers from exploiting discovered vulnerabilities. But the end goal is to notify product vendors of vulnerabilities, giving them an opportunity to issue security patches before real-world damage can be done. TippingPoint found, however, that some vendors were not issuing patches very quickly.
To encourage a broader community to fix vulnerabilities faster, TippingPoint instituted a six-month time frame for fixes, after which it now publicly discloses vulnerabilities. Of the 190 vulnerabilities that were open when this was announced last August, just 20 (10 percent) were still unresolved this February, six months later.
"Previously, we kept undisclosed vulnerabilities in our database as they continued to age - some were over 2 years old," said Callahan. "Now it looks like vendors are fixing things much faster, and six months should be long enough to develop and test a fix. The vulnerabilities that have been closed here are significant, with CVSS scores in the 8-10 range."
Using NIPS to close the gap
Callahan stressed that, during those six months, TippingPoint's own customers were protected by NIPS filters, developed by DVLabs. To deploy those filters on an intrusion detection and prevention platform, TippingPoint (acquired from 3Com by HP last year) sells a series of purpose-built, dedicated appliances known as the HP S IPS Series.
The entry-level HP S10 IPS delivers in-line protection at throughputs up to 20 Mbps while adding less than 600 microseconds of latency. At the opposite end of the line, the HP S330 IPS can handle rates up to 300 Mbps. In between sits the HP S110 IPS rated for 100 Mbps.
The S10 IPS can be used by a branch office or SMB, adjacent to a router/firewall -- scenarios where 20 Mbps IPS easily beats WAN data rates. The S110 and S330 would be used in scenarios that require more horsepower and perhaps high availability. Both can operate in two modes: Intrinsic High Availability and Stateful Network Redundancy, using Zero Power High Availability (ZPHA) to avoid blocking during loss of power.
For larger installations with more advanced security needs, TippingPoint now offers the HP S Intrusion Prevention System (IPS) N Series. These modular platforms are designed to facilitate the integration of new services, including new IPS filter packages, converged security services (e.g., reputation services, Digital Vaccine Services), and partner solutions. N Series models range from the S1400N (1.5 Gbps) to the S5100N (5 Gbps).
Finally, HP sells the TippingPoint S1200N IPS Module -- a blade that fits into the HP A7500 Series switch. This network-integrated form factor offers cost savings for customers that have HP switches, while delivering the same TippingPoint protection. Each blade handles up to 1.3 Gbps of inspected traffic; a single chassis can hold as many as 10 blades.
All HP TippingPoint IPS products can be managed through a single console using HP's Security Management System (SMS) appliance. This platform supports centralized IPS signature updates, policy definition, appliance configuration/maintenance, event monitoring, automated response, and reporting.
Customizing your NIPS
HP TippingPoint IPS products are supported by DVLabs threat updates, delivered and installed automatically by the Digital Vaccine service. DVLabs researchers constantly discover, track, and analyze new vulnerabilities and develop IPS filters to mitigate them.
But those filters don't always fully address the risks facing every customer. "We create filters day-in day-out, but some customers (like the military) have applications that are proprietary," said Callahan. "Those customers need a way to protect themselves without depending on us."
"For example, on a trading floor, you might have proprietary trading apps and analytics. If your IT and ops people find vulnerabilities that need to be address[ed], you can't tell traders to take the next 4 hours off while you develop and patch the problem," said Callahan. "However, it's really important that when you're sitting in-line, you don't stop good traffic. If you're not skilled in creating filters, you could impact your network."
To meet this need, HP TippingPoint recently released a Digital Vaccine Toolkit. This toolkit uses wizards to let TippingPoint customers generate their own filters, in effect deploying "virtual patches" to protect themselves from vulnerability exploitation. Filters created by using the Digital Vaccine Toolkit can be applied directly to a single IPS or the SMS console can be used to quickly update all systems.
Moving beyond filters
In addition, HP TippingPoint now offers a Reputation Digital Vaccine Service (Rep DV). This service uses IPv4/IPv6 and DNS security intelligence feeds -- including Web threat intelligence sourced from ipTrust -- to maintain a global reputation database, updated every two hours. Rep DV lets customers create reputation-based policies that are then enforced by TippingPoint IPS products.
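To make the reputation-policy idea concrete, here is an added Python example. It is not HP or TippingPoint code, and the article does not describe how Rep DV stores its feed or expresses policies, so the feed format, the 0-100 scoring scale, the thresholds, and every indicator value below are constructed assumptions. What it does show is the two details a practitioner has to get right in any such policy: IPv6 addresses must be canonicalised before lookup, and a DNS indicator should match the subdomains beneath it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed reputation feed (assumption: indicator -> score 0..100, higher is
# worse). Addresses come from the RFC 5737 / RFC 3849 documentation ranges.
FEED = {
    "203.0.113.10": 95,          # IPv4 indicator
    "198.51.100.200": 60,        # IPv4 indicator, suspicious but below block
    "2001:db8::bad:1": 80,       # IPv6 indicator, stored in canonical form
    "malware.example.net": 90,   # DNS indicator; applies to its subdomains
}


@dataclass(frozen=True)
class Policy:
    block_at: int = 80    # score at or above which the flow is blocked
    notify_at: int = 50   # score at or above which an alert is raised


def normalise_ip(raw):
    """Canonicalise IPv4/IPv6 text so '2001:0db8::BAD:0001' matches the feed key.
    Returns None for anything that is not an IP address."""
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def ip_score(raw, feed=FEED):
    ip = normalise_ip(raw)
    return feed.get(ip, 0) if ip else 0


def domain_score(name, feed=FEED):
    """Score a queried name by checking it and each parent domain, so a listed
    zone covers names beneath it (cdn.malware.example.net -> malware.example.net)."""
    labels = name.lower().rstrip(".").split(".")
    best = 0
    for i in range(len(labels)):
        best = max(best, feed.get(".".join(labels[i:]), 0))
    return best


def evaluate(src_ip, dst_ip, dns_query=None, policy=Policy()):
    """Return (action, worst_score) for one flow, where action is one of
    'block', 'notify' or 'permit' according to the policy thresholds."""
    score = max(ip_score(src_ip), ip_score(dst_ip))
    if dns_query:
        score = max(score, domain_score(dns_query))
    if score >= policy.block_at:
        return "block", score
    if score >= policy.notify_at:
        return "notify", score
    return "permit", score


if __name__ == "__main__":
    for flow in [("192.0.2.1", "203.0.113.10", None),
                 ("192.0.2.1", "2001:0db8:0000::0bad:0001", None),
                 ("192.0.2.1", "198.51.100.7", "cdn.malware.example.net"),
                 ("192.0.2.1", "198.51.100.200", None)]:
        print(flow, "->", evaluate(*flow))
```

Because the feed is refreshed on a schedule (every two hours in Rep DV's case), a deployment would also want to record the feed timestamp and treat a stale feed as a monitoring condition rather than silently keep enforcing old scores; that bookkeeping is left out here.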
Finally, at RSA 2011, HP demonstrated its TippingPoint, ArcSight, and Fortify acquisitions, all working together to automate risk management. "Consider an online ticket supplier, where someone has decided to fill up shopping carts but never check out. Fortify notices that something is going on and polls ArcSight, which sees that many reservations are coming from the same IP. TippingPoint can then block that IP address. We're now bringing these systems together to stop threats that traditional systems can't," said Callahan.
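The ticket-supplier scenario is, at bottom, a correlation rule: count cart sessions per source IP that never reach checkout, and hand the offending address to the IPS once a threshold is crossed. The following added Python example implements that rule over a handful of constructed web-application log lines. It is not Fortify, ArcSight or TippingPoint code; the log format, field names, thresholds and the 0.8 abandonment ratio are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed application log lines (not real product output). Each session
# either adds to a cart and checks out, or adds to a cart and goes quiet.
LOG_LINES = """
2011-03-01T10:00:01Z ip=198.51.100.7 session=a1 event=cart_add item=seat-12
2011-03-01T10:00:02Z ip=198.51.100.7 session=a2 event=cart_add item=seat-13
2011-03-01T10:00:03Z ip=198.51.100.7 session=a3 event=cart_add item=seat-14
2011-03-01T10:00:04Z ip=198.51.100.7 session=a4 event=cart_add item=seat-15
2011-03-01T10:00:05Z ip=198.51.100.7 session=a5 event=cart_add item=seat-16
2011-03-01T10:00:09Z ip=192.0.2.44 session=b1 event=cart_add item=seat-20
2011-03-01T10:00:40Z ip=192.0.2.44 session=b1 event=checkout
2011-03-01T10:01:00Z ip=192.0.2.45 session=c1 event=cart_add item=seat-21
2011-03-01T10:01:30Z ip=192.0.2.45 session=c2 event=cart_add item=seat-22
""".strip().splitlines()

# Assumed key=value layout; lines that do not match are skipped, not crashed on.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) session=(?P<session>\S+) event=(?P<event>\S+)")


def parse(lines):
    """Yield one dict per well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def abandoned_sessions_by_ip(events):
    """Map ip -> (abandoned, total). A session counts once it has added to a
    cart; it is abandoned if no checkout event was ever seen for it."""
    seen = defaultdict(set)          # (ip, session) -> set of event names
    for e in events:
        seen[(e["ip"], e["session"])].add(e["event"])
    counts = defaultdict(lambda: [0, 0])
    for (ip, _), names in seen.items():
        if "cart_add" in names:
            counts[ip][1] += 1
            if "checkout" not in names:
                counts[ip][0] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


def ips_to_block(lines, min_abandoned=5, min_ratio=0.8):
    """Addresses whose abandoned-cart count and ratio both exceed the policy.
    The ratio guard keeps a busy but legitimate NAT gateway from being blocked
    just because it has many sessions overall."""
    counts = abandoned_sessions_by_ip(parse(lines))
    return sorted(ip for ip, (abandoned, total) in counts.items()
                  if abandoned >= min_abandoned and abandoned / total >= min_ratio)


if __name__ == "__main__":
    print(abandoned_sessions_by_ip(parse(LOG_LINES)))
    print("block:", ips_to_block(LOG_LINES))
```

In a real deployment the session would be judged abandoned only after a time window has elapsed, and the block decision would be pushed to the IPS as a policy update rather than returned from a function; both details are omitted so the correlation logic itself stays visible.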
TippingPoint has a lengthy history in the network intrusion detection and prevention market. Acquisition by 3Com and now HP will no doubt lead to TippingPoint integration in more network devices (like HP switches and firewalls). But, according to Callahan, one key advantage held by TippingPoint remains unchanged.
"Your IPS is only as good as the threat intelligence behind it," he said. "There will always be new developments in terms of throughput and scanning capabilities, using state of the art chipsets. Many industry players will continue to move forward this way, including TippingPoint."
But Callahan said DVLabs, the ZDI program, and new services like Rep DV give TippingPoint unique advantages. "We knew about 319 threats that nobody else did last year. We were more often credited with discovering vulnerabilities in applications like Adobe. This kind of threat intelligence puts us in an excellent position for very fast turn-around: researchers notify us, we check it out, we notify vendors, and create a filter." By reducing time to mitigation, TippingPoint closes the window on potential exploits.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.