The evolution of IPS
Check Point Software Technologies
28/09/2009
According to Check Point
Software Technologies, IPS strategy is moving toward a software layer
integrated into a company’s existing gateway infrastructure and managed by a
general security team.
In the past, Intrusion Prevention (Protection) Systems (IPS) consisted of a
dedicated physical layer with dedicated teams protecting a network from
intrusion and attack. Today, the IPS strategy is moving toward a software
layer integrated into a company’s existing gateway infrastructure and
managed by a general security team.
Given that IPS has become a fundamental component of ‘due care’ in IT
security, the evolution of IPS provides organisations with viable, and in
many cases better, deployment options.
Generally speaking, IPS detects and blocks attacks and threats aimed at data
and network resources. IPS functionality can be deployed in two key
variants: standalone (or dedicated) and integrated.
Historically, at least until recently, the most common method for deploying
IPS has been on standalone appliances. While there were good reasons for
this approach, a strong case is developing for deploying IPS as integrated
functionality within existing security enforcement points.
For years, IPS functionality fell under the jurisdiction of a group or
department different than the group responsible for existing core security
enforcement points. Firewalls and VPNs were managed by network
administrators, while IPS was managed by separate security functions or new
technology groups.
Today, in most organisations, areas related to network and data security
fall under a consolidated “network security” group within the organisation.
The group responsible for IPS technology is the same group responsible for
major network security enforcement points like firewalls.
As IPS technology has matured, functionality has been added to core network
security gateways such as firewalls. However, not all IPSs (be they standalone
or integrated) are created equal, so an organisation considering IPS
deployment must carefully examine each vendor’s protection arsenal and
history of protections to determine if they meet the organisation’s needs.
Performance is still an important criterion that must be evaluated.
Different vendor solutions have different performance characteristics,
which may or may not be adequate for an organisation’s particular needs.
However, an integrated IPS solution with multi-gigabit threat coverage does
exist, so performance should no longer be a barrier to choosing and
deploying an integrated IPS solution.
Benefits of integrated IPS
According to many industry analysts, recent IPS deployment trends show a
steep increase in the use of integrated IPS. Many of these analysts state
that integrating IPS into the firewall is an accelerating trend. Benefits of
integrated IPS include:
Reduced cost - Purchasing and deploying multiple security appliances is
typically more costly than deploying an integrated solution, which makes
integrated IPS cheaper. Some of the cost savings include direct expenses
like equipment purchase, and indirect expenses like training and ongoing
management. Consolidation also provides incremental savings of rack space,
cabling, cooling and power.
Reduced latency - IPS and firewall functionality both deal with securing
traffic and data flowing through Internet, intranet and extranet
environments. Since the firewall already inspects all traffic dealing with
its part of the network, it is a logical point for IPS inspection.
Well-designed integrated solutions actually inspect traffic only once for
both functions, thus minimising the impact caused by inspecting the traffic
twice (which happens in typical standalone IPS deployments).
Cohesive security policy - Having multiple components for any enforcement
solution increases the complexity of the policies and rules. It also
multiplies potential points of failure. An integrated solution drives a
single, cohesive security policy.
Common management and training - Multiple solutions from various vendors
require more complex management and staff training. An integrated solution
reduces not only the expense associated with management and training, but
also reduces errors and oversights.
Easier IPS Deployment - Since firewalls are already deployed throughout a
modern integrated network, adding IPS functionality to firewalls is
financially and organisationally easier than purchasing and installing
additional devices.
While integrated IPS likely will undergo rapid adoption over the next
several years, some scenarios for standalone IPS deployments remain.
Standalone IPS is best suited for use in portions of the network where
firewalls are not deployed; traffic flowing between certain parts of the
network may not go through a firewall enforcement point, so deploying a
standalone IPS device in that portion of the network may be desired.
Additionally, if IPS and firewall functionality are handled by different
network security groups, practical reasons can justify deploying standalone
IPS even if an integrated solution is hypothetically more appropriate.
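A small model of the placement options discussed above: an integrated gateway that decodes each packet once and feeds both the firewall policy and the IPS signatures from that single decode, a chain of separate firewall and IPS appliances in which traffic surviving the firewall is decoded a second time, and a segment with no firewall on the path where a standalone IPS is the only inspection point. This is an added illustration, not Check Point's code or any product's architecture; the addresses, firewall rules and the signature pattern are constructed, and the `decodes` counter stands in for the cost of parsing traffic.

```python
"""Toy model of integrated vs. standalone IPS placement (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Raw packet as it arrives at an enforcement point (constructed data)."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Decoded:
    """Output of the decode step: parsed headers plus payload."""
    src: IPv4Address
    dst: IPv4Address
    dport: int
    payload: bytes


@dataclass
class Counters:
    """Counts decode operations so the two designs can be compared."""
    decodes: int = 0


def decode(pkt: Packet, counters: Counters) -> Decoded:
    """Parse headers; every call is tallied as one unit of inspection cost."""
    counters.decodes += 1
    return Decoded(ip_address(pkt.src), ip_address(pkt.dst), pkt.dport, pkt.payload)


# Constructed firewall policy: (src net, dst net, dport or None for any, action).
# First match wins; anything unmatched is dropped.
FW_RULES = [
    ("10.0.0.0/8", "192.168.1.0/24", 80, "allow"),
    ("10.0.0.0/8", "192.168.1.0/24", 22, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]

# Constructed IPS signatures: (name, byte pattern sought in the payload).
IPS_SIGS = [
    ("constructed-test-signature", b"TEST-PATTERN-1"),
]


def firewall_verdict(d: Decoded) -> str:
    for src, dst, dport, action in FW_RULES:
        if d.src in ip_network(src) and d.dst in ip_network(dst) \
                and (dport is None or dport == d.dport):
            return action
    return "drop"  # implicit deny


def ips_verdict(d: Decoded) -> Tuple[str, Optional[str]]:
    for name, pattern in IPS_SIGS:
        if pattern in d.payload:
            return "block", name
    return "pass", None


def _ips_result(d: Decoded) -> Tuple[str, Optional[str]]:
    ips, sig = ips_verdict(d)
    return ("drop", sig) if ips == "block" else ("allow", None)


def integrated_gateway(pkts: List[Packet], counters: Counters):
    """Decode once; firewall and IPS both consume the same Decoded object."""
    results = []
    for p in pkts:
        d = decode(p, counters)
        if firewall_verdict(d) == "drop":
            results.append(("drop", "firewall"))
            continue
        results.append(_ips_result(d))
    return results


def standalone_chain(pkts: List[Packet], counters: Counters):
    """Firewall appliance, then IPS appliance: survivors are decoded twice."""
    results = []
    for p in pkts:
        if firewall_verdict(decode(p, counters)) == "drop":   # appliance 1
            results.append(("drop", "firewall"))
            continue
        results.append(_ips_result(decode(p, counters)))      # appliance 2
    return results


def ips_only_segment(pkts: List[Packet], counters: Counters):
    """Segment with no firewall on the path: standalone IPS is the only check."""
    return [_ips_result(decode(p, counters)) for p in pkts]


# Constructed sample traffic toward the 192.168.1.0/24 segment.
SAMPLE = [
    Packet("10.1.1.5", "192.168.1.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("10.1.1.5", "192.168.1.10", 80, b"GET /TEST-PATTERN-1 HTTP/1.1"),
    Packet("172.16.0.9", "192.168.1.10", 80, b"GET / HTTP/1.1"),  # outside 10/8
    Packet("10.1.1.7", "192.168.1.10", 22, b"SSH-2.0-client"),
]


def compare(pkts: List[Packet] = SAMPLE):
    """Same verdicts from both designs; return them with each design's decode count."""
    c_int, c_chain = Counters(), Counters()
    r_int = integrated_gateway(pkts, c_int)
    r_chain = standalone_chain(pkts, c_chain)
    return r_int, r_chain, c_int.decodes, c_chain.decodes


if __name__ == "__main__":
    r_int, r_chain, n_int, n_chain = compare()
    print("verdicts identical:", r_int == r_chain)
    print("decodes integrated:", n_int, "standalone chain:", n_chain)
    print("IPS-only segment:", ips_only_segment(SAMPLE, Counters()))
```

The two gateway designs reach identical verdicts, but the chained appliances decode every firewall-permitted packet twice, which is the double inspection the latency argument refers to. The IPS-only run shows the other side of the trade-off: on a segment with no firewall, the source-address policy is never enforced, so the standalone IPS is the only control and its signature coverage carries the whole burden.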
Whichever solution works for your network, organisations must carefully
compare IPS solutions from competing vendors to ensure that they are
getting the desired level of security and performance.
- Adapted from Check Point Software Technologies white paper on the
"Evolution of Intrusion Prevention Systems (IPS)”.