Even if the Intrusion Prevention System (IPS) market is smallish, it’s growing. The race is on to incorporate more sophisticated technology that integrates with other security systems. Infonetics Research forecasts the money involved will hit just over $1.2 billion in 2014, up from $800 million a couple of years ago.
Results from one of their recent surveys show that businesses are not sure which IPS products they’re going to settle on. Among the criteria they are weighing are the technology, product roadmap, security, management, value, cost, service, and support, not to mention the financial stability of the vendor.
The Current Landscape
Traditionally a point solution, the common IPS approach to threat prevention is to simply sit inline and wait for threats to hit the network, or the network segment, it is protecting. IPS systems still use port and protocol as the initial traffic classification mechanism and do a reasonable job thwarting incoming attacks over standard protocols like POP3 and FTP. On the other hand, the bad news is that IPS solutions are famous for taking performance hits under fire. Performance and throughput tend to take a nose dive as the level of protection goes up.
Trying to manage a hodge-podge of disparate security solutions doesn’t make sense, and in some organizations it is impossible to do from a centralized location. They can be a pain to deploy, manage and update, all adding up to an expensive and possibly mediocre security migraine. It only makes sense to move away from standalone solutions that don’t get along well to integrated security solutions that do, and that also have the chops to put down threats devised with new technologies.
NSS Labs conducted a lab test of several systems and discovered several key tidbits. According to the test report, security effectiveness varied widely between 31% and 98%, a spread of 67% among the participants. Performance had decreased in general between their 2009 and 2010 findings with only a few exceptions. On the bright side, evasion detection improved significantly from their last set of tests.
Network environments and the threats that invade them have become more sophisticated. Increasingly, threats are skulking around within evasive applications that dynamically hop or re-use ports, emulate other applications, or tunnel inside SSL. Attacks against desktop client applications have hit the mainstream and are commonplace. They ride applications like Skype, instant messaging, or Webmail and whiz past older firewalls and threat detection solutions undetected, and therefore uninspected.
Attackers have refined their strategy and have upped the volume and intelligence of their attacks. Just as an example, drive-by downloads have been combined with disciplined attacks like Operation Aurora and the Zeus botnet that targeted financial institutions.
The NSS Labs report warns that tuning the IPS is a “must,” not an option. Tuning adds an average of 21% more protection. Who doesn’t want to catch every attack they can?
Next Generation IPS: Raising the Bar
A new, more cooperative breed of IPS, with technologies to combat the peskier threats, is emerging.
Looking for next generation IPS clout? Look for products integrated with scalable next generation UTM solutions with capabilities to:
- Inspect and identify application traffic traversing the network
- Have multiple 10-gig Ethernet interfaces
- Identify users, not just zone or IP address
- Write rules based on user, rather than simply zone or IP address
- Allow general web browsing while blocking specific applications
- Provide strong visibility tools
- Tune to high levels without an increased rate of false positives
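To make the evasion problem and the capability list concrete, here is an added example, not code from the article or from any IPS product. It classifies a handful of constructed flows two ways, by destination port (the traditional approach) and by the first bytes the client sent, then applies a user-based policy that allows general web browsing while blocking one application for one group. The IP-to-user table, the users, groups, rules and sample payloads are all hypothetical.

```python
"""Added illustration (not from the original article): why port-based
classification misses evasive traffic, and how an application- and
user-aware policy handles it. All flows, IPs, users and rules below are
constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


# --- Traditional approach: the destination port decides the protocol ---
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 80: "http", 110: "pop3", 443: "tls"}


def classify_by_port(flow: Flow) -> str:
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


# --- Application identification: look at what the client actually sent ---
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify_by_payload(flow: Flow) -> str:
    p = flow.payload
    # TLS record: content type 22 (handshake), major version 3, and the
    # first handshake message type 1 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    if p.startswith(HTTP_METHODS) and b" HTTP/1." in p[:256]:
        return "http"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def evasive_flows(flows: List[Flow]) -> List[Flow]:
    """Flows whose real application disagrees with what the port suggests:
    exactly the traffic a port-based IPS would hand to the wrong decoder,
    or not inspect at all."""
    return [f for f in flows if classify_by_port(f) != classify_by_payload(f)]


# --- User identity and user-based rules (hypothetical mapping) ---
IDENTITY = {  # source IP -> (user, group), as a directory integration would supply
    "10.0.1.20": ("alice", "engineering"),
    "10.0.2.7": ("bob", "contractors"),
}


@dataclass(frozen=True)
class Rule:
    group: Optional[str]  # None matches any group
    app: str
    action: str  # "allow" or "block"


# First matching rule wins; anything unmatched is blocked.
POLICY = [
    Rule("contractors", "ssh", "block"),  # block one app for one group...
    Rule(None, "http", "allow"),          # ...while general browsing stays open
    Rule(None, "tls", "allow"),
    Rule("engineering", "ssh", "allow"),
]


def decide(flow: Flow) -> Tuple[str, str, str]:
    """Return (user, application, action) for a flow."""
    user, group = IDENTITY.get(flow.src_ip, ("unknown", "unknown"))
    app = classify_by_payload(flow)
    for rule in POLICY:
        if rule.app == app and rule.group in (None, group):
            return user, app, rule.action
    return user, app, "block"


# Constructed sample flows. The TLS payload is only the record header plus
# the ClientHello type byte, which is enough for the signature above.
SAMPLE_FLOWS = [
    Flow("10.0.1.20", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.2.7", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),  # SSH on the TLS port
    Flow("10.0.1.20", 8080, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS, odd port
    Flow("10.0.2.7", 8443, b"POST /upload HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_ip}:{f.dst_port:<5} port={classify_by_port(f):<7} "
              f"payload={classify_by_payload(f):<7} -> {decide(f)}")
```

Three of the four sample flows are mislabelled by port alone; only the payload signatures recover what they really are, and only the identity table lets the policy say "bob may browse but may not open SSH" instead of reasoning about an address. Real application identification uses far richer decoders than these three signatures, and the identity table is what a directory logon feed would populate.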
At the end of the day, it pays to carefully research possibilities that map to current network needs. Look for solutions that are scalable, integrate well with the existing security platform, and have the technology to carry forward in the strategic plan.