Purchasing An IDS/IPS


October 8, 2010 02:00 PM

How much would you pay for higher throughput in an IDS/IPS system to make sure it doesn't become a network bottleneck? According to a recent report by Frost & Sullivan, World Intrusion Detection and Intrusion Prevention Systems Markets, users of IDS/IPS are willing to pay three times as much for that assurance. But before you purchase an IDS/IPS, it's important to know the key features to look for in a system. For example, in addition to throughput, what are other essentials? And where is your money best spent?

A Priority 

Robbie Higgins, vice president of security services at GlassHouse Technologies (www.glasshouse.com), says IDS/IPS should be part of any company's security environment, large or small. Higgins says today's network IPS sensors, for example, demand wire-speed performance. He notes, "This is the primary reason why throughput is such a concern, as no one wants inline security controls that negatively affect network performance."

Wade Williamson, product marketing manager at Palo Alto Networks (www.paloaltonetworks.com), says network attacks have steadily become more diverse, automated, and financially motivated, and it is the core responsibility of the IPS, in conjunction with the firewall, to protect the enterprise from these threats. Williamson adds, "An IPS provides continuously updated intelligence to protect an enterprise from the latest vulnerabilities and threats that can be borne over the network, making it one of the core components of an SME security strategy. In addition to the functional importance of IPS, these solutions can vary widely in terms of functionality as well as price, making it a particularly strategic decision for an SME with limited IT resources."

What To Look For

Williamson says before making purchasing decisions, SMEs should actively evaluate an IPS that is integrated as part of a next-generation firewall. He explains, "Next-generation firewalls can detect and control the applications that are used to deliver threats across the network, and by limiting the access of applications to those apps that the business actually needs, SMEs can instantly reduce the exposure of their network to a fraction of what it is today."

As with any IPS decision, Williamson says, SMEs will want to closely research the types of threats the IPS can prevent. "Unlike a larger enterprise that may have separate point solutions for IPS, URL filtering, data filtering, malware prevention, and so on, an SME typically needs their IPS to cover the full spectrum of threat prevention in a single solution," he says. Additionally, SMEs should look for solutions that understand and control modern threat delivery vectors such as encrypted threats, threats in compressed traffic, and threats hidden in evasive applications, as just a few examples.

Tom Newton, product manager at SmoothWall (www.smoothwall.net), says before you purchase, look for good reporting. In some respects, the power of data collection provided by IDP (intrusion detection and prevention) is also its downfall. Producing vast swathes of logs is fine, but if you can't filter and morph this raw data into clear, succinct information--which can be used as a basis to draw conclusions from--it's useless, Newton explains. Whether it is confirmation that the traffic on your network is everything you expect it to be, or signs of malicious behavior requiring administrative remedy in the form of firewall rules, malware removal, and patching required, the raw data alone does not give much in the way of usable evidence for action.

Newton says another important feature to consider is a rule set that provides good protocol and traffic-type coverage. He elaborates, "At the heart of any IDP system is the rule set or signatures, comparable to how an antivirus application has signatures and pattern detection for recognizing malicious code and activity on disk and in memory."

Beyond Throughput

Beyond throughput, signature quality remains one of the key requirements for most customers. According to Higgins, organizations seeking best-of-breed protection will shortlist based on high protection quality, which includes signature quality, as well as capabilities for detecting and stopping new threats. He adds, "Smaller organizations facing different challenges due to tighter budgets and fewer resources will look for capabilities that provide basic protection and best-in-class signature quality; while important, these features might not be next on an organization's list, hence they will seek out the second tier of signature-quality products."

Ron Meyran, director of security products with Radware (www.radware.com), says a key point to consider is IPS accuracy, or in other words, the false-positive and false-negative rate. "This is not a direct measurable characteristic," Meyran notes, "but requires careful analysis of the technology an IPS relies on in conjunction with third-party reports."

Money Well Spent

Meyran says SMEs should focus their spending on outsourcing rather than on in-house IPS solutions. He comments, "Although obtaining an in-house IPS requires building expertise and human resources to manage and analyze the logs, as well as keeping best security practices, today, service providers offer managed security services that include IPS and DoS protection and thus can help companies manage these systems. This has an advantage of overall simplicity, scalability, and cost management. It only requires selecting the right partner to manage and protect your IT assets."

According to Williamson, next-generation firewalls offer the core application visibility and control needed to reduce the attack surface, see all threats, and provide threat prevention that includes and goes beyond traditional IPS to include malware prevention, antivirus, file blocking, and URL filtering. "By rethinking network security and focusing on control of applications, users, and content," says Williamson, "next-generation firewalls provide a single box that is both cost-effective, while providing an unmatched level of protection from threats." He says other attempts at consolidation just collapse traditional network security functions into a single box, providing an inexpensive but ineffective solution.
