Having been burned before on complicated security projects and unfulfilled promises of other "silver bullet" security fixes such as PKI, IPS faces an enormous challenge to win over skeptical customers, says Lloyd Hession, chief security officer of New York-based Radianz, a financial services extranet. The complexity associated with deeper inspection and sitting directly in the line of traffic means an IPS solution can’t just be dropped in and plugged in, but must become yet another element in a potentially congested network.
"The mantle has been passed to new IPS products, but the problem is the risk of these products, and the downside is they’re potentially dangerous because they are more complex and in-line," Hession explains. "Once you introduce into a production environment another single point of failure, a device that is no longer passive, then the reliability of your whole production environment is potentially impacted by that device that is in-line."
According to Hession, IPS has not had nearly the amount of time needed to "work out the kinks" and develop maturity -- but neither has IDS.
"The problem the [security] industry has at the moment is that these are not integrated enterprise solutions," he adds. "These are point solutions which are incremental, and have costs that CIOs [must face]. It’s a challenge. We can’t keep going down the path with point products."
IDS in the hot seat
Further muddying the IPS waters, Pescatore notes an alarming level of "snake oil" IPS solutions, in which IDS-oriented vendors adopt a new IPS identity that does not properly address IDS’ problems. For instance, he believes that reducing false alarms is critical, but not at the expense of impeding legitimate traffic. This requires a security mixture of algorithms, signatures, stateful protocol analysis, behavior-based methodology, and correlation among other network areas – a mixture found more often in IPS solutions.
"What we think will happen, by the end of next year, [is that] IPS will really have impacted the firewall and IDS market," Pescatore remarks. "That’s when Cisco would swoop in, maybe a CheckPoint, but people like Nortel and F5 -- even Nokia -- will be going after this market by some real high-end, multigigabit products sold to carrier-class networks." In turn, he says IDS vendors must embrace the dawn of IPS and morph their offerings into firewall schemes; those who don’t accept IPS are living on borrowed time.
Hession also sees firewalls, IDS, and IPS as complementary components of a security strategy; dropping IDS completely would be a bad idea without a great firewall in place, but the advantages of IPS mean IDS’ role in the enterprise will change.
"If [companies] go with IPS, is this a replacement for a firewall? My answer is absolutely not," explains Hession. "Firewalls are tuned and built and designed to do [that] type of filtering and screening and access control; IPS and IDS are not."
F5 already envisions its BIG-IP product becoming the control plane of IPS, allowing customers to block traffic while F5 partners serve as the interface that communicates with BIG-IP, says Erik Giesa, senior director of product management at Seattle-based F5.
Meanwhile, Cisco has been much more aggressive about its IPS intentions, bolstered by the purchase of host-based IPS vendor Okena earlier this year. Other acquisitions also play into a vision of converged network and security services: the hardware maker’s purchase of Psionic is designed to reduce false positives, and its scalability push is evidenced by its recent Catalyst IDS module announcement.
"Our customers have told us for some time that although they understand intrusion prevention, they don’t yet trust the technology to act autonomously and take actions for them to make the right decisions on good and bad traffic," explains John McFarland, manager of security appliances for the VPN and security business unit at San Jose, Calif.-based Cisco.
The benefits of IPS are clear, but its true test will be in living up to its promise in dealing with real-world security threats.
IPS’ home for now is in stand-alone appliances and solutions, but the reactions of IDS vendors show that IPS’ future likely lies in an integrated solution, whether it be an IDS-IPS combination, a firewall, or another piece of infrastructure.
"What you’re asking of [IPS] technology is to sit in the network, make decisions, and affect packet flow, which are all functions of a network device," McFarland says. "[IPS] is not a one-trick pony game. It’s a comprehensive solution."