When POODLEs attack, IPS and NGFW are your first defense

At times of crises like POODLE, Heartbleed and Shellshock, a good network IPS often provides effective protection long before it's practical to have systems patched.

It's the same every time there's a major vulnerability announcement. Even if patches accompany the announcement, there is a period of time when users are vulnerable, and in a large organization you can't often just drop everything and patch systems.

Until your systems are patched there are mitigation steps you can take, but very often your best protection will come from your NGFW (Next-Geneation Firewall) and IPS (Intrusion Prevention System). These are network security systems sitting at the perimeter and at key points inside the network scanning traffic. Their tasks are very similar, but the NGFW looks at the lower levels of the protocol stack and the IPS looks well up into the application layers.

These products are signature driven, and when new attacks are announced it's not long before signatures are available. For instance, Cisco has already released signatures for their products to detect and block POODLE attacks. These same signatures are available for the free Snort IPS. Undoubtedly other network and host IPS systems also have or will soon have signatures.

The availability of IPS protection is not a reason to put off patching systems, but it's enough to allow you to do so carefully, systematically and not in a panic.

The same thing happened with Heartbleed: IPS signatures were available very quickly. But Shellshock is a textbook example of where an IPS shines. The main attack vector, i.e., the HTTP request, had very specific syntax, making a reliable signature quick and easy to develop.

One of the main rules of security is to establish defense-in-depth. You need to have many points in the network, in servers and clients, where attacks might be detected and blocked. Sitting at the perimeter, a network IPS and NGFW kept up to date are likely to be the busiest defense layers in an enterprise, and this demonstrates their value.