IPS is not a product; IPS is a function and a technology. You can package that technology in many ways, and place that function within many kinds of devices--including standalone IPS appliances, inside of firewalls and switches, and in other types of security appliances, such as SSL VPNs. When you consider IPS for your network, your choice of form factor (appliance or integrated function), and where you will place the IPS function in your network will dramatically affect the products you should consider.
Unfortunately, it's not easy to divide IPS functionality strictly along the lines of form factor. While standalone IPS appliances offer a high level of IPS functionality, it doesn't mean that an IPS integrated into a firewall or switch always has a lower level of security, coverage, and performance. At the core of a network, standalone IPS products will probably be the most appropriate to meet performance requirements and keep topologies simple. But at the edge, IPS integrated into a firewall may be the best form factor choice.
Embedding an IPS in another device, such as a firewall, brings its own complication, because now you must evaluate the quality of each component. For example, an IPS with excellent capabilities integrated with a poor quality firewall is a poor compromise. In fact, the interest of high-end firewall manufacturers in bringing IPS technology and functionality to their customers means that a few firewalls have integrated IPS functions (usually delivered by adding hardware into a chassis-based system) that offer the same functionality as standalone devices. Even with mid-range firewalls, vendors have brought in sophisticated IPS functionality, usually focusing on protocol anomaly detection and a small set of signatures that may be sufficient for your requirements.
On the other hand, some firewalls have an "IPS function" which was placed into the device simply to satisfy a checklist requirement as part of a unified threat management (UTM) offering. In almost every case, these IPS features are based on some version of the Snort IDS engine, with the Snort signature set either included in full or trimmed up by the security vendor. Although Snort does a poor job as an IPS--it was designed as an IDS and its detection technology and operation is not optimized for intrusion prevention--this isn't the main reason why these embedded IPS functions in UTM firewalls should be avoided.
The real problem with embedded Snort-based IPS in UTM devices lays in system management. Because Snort currently has more than 6,000 detection rules (with an additional set of "Bleeding Snort" rules that are even more important in detecting recent attacks), the burden of deciding what traffic should be subject to the IPS, which rules should apply, and what the action should be taken, is an enormous prospect. More importantly, when the inevitable alerts--and especially false positives--occur, a typical Web-based interface isn't going to be up to the task of helping the security professionals figure out which signature was triggered and which needs to be disabled for which traffic. The result of this complexity is that the security professionals are never able to effectively configure the IPS to add security, while keeping the false positive rate at an acceptable level. The vast majority of UTM firewalls with Snort-based IPS functionality have the IPS disabled, as is appropriate.
Fortunately, not all firewall vendors have chosen to take the easy route and put in a poor IPS just to meet a specification. Once you've discarded the bad UTM firewalls, this still means that you have to make a decision: what is the form factor most appropriate for my requirement as outlined in the IPS needs statement? The three most common options are a basic IPS in a firewall, a full IPS co-located in a firewall chassis, or fully freestanding IPS.
- Basic IPS in a firewall, typically focusing on behavior and protocol anomalies, is an excellent choice if you have a good patch and security management policy in place on all internal servers, specifically those accessible from the Internet. In that case, the additional layer that an IPS offers on top of existing firewalls and well-maintained systems is some protection from day-zero attacks as well as denial-of-service attacks. Although no vendor can promise true day zero protection, basic behavior and protocol anomaly, as well as simple rate-based controls, add a huge amount of value in their capabilities to block common attack methods and protect servers against traffic overloads on top of a normal firewall.
- Full IPS in a firewall is the best strategy if your main concern is Internet-sourced attacks and, to some extent, identifying internal systems that have become infected or compromised. The benefits to network topology and operations costs of putting the IPS within the choke points of the network are great. They reduce the complexity of the network over the alternative of a standalone IPS sitting next to a firewall, which thereby increases reliability. At the same time, having a firewall and IPS co-located in the same system offers opportunities for management that standalone boxes cannot easily support. For example, the firewall could only send a subset of traffic through the IPS, speeding performance and eliminating the possibility of false positives in critical environments. Since the firewall rules and IPS rules are synchronized within the same system, the IPS can "know more" about the traffic and make better prevention decisions.
- Standalone IPS products are most appropriate in two environments. Most obvious is when the goal of the IPS is to protect a set of systems from both external and internal threats. By pushing the IPS closer to the systems being protected (rather than the Internet), the IPS protects against all attackers. The second environment where standalone IPS is appropriate is one where IPS and security auditing are organizationally divorced from firewall configuration. For example, in some organizations faced with regulatory compliance issues, IPS and IDS tools are managed by a separate audit group, one that is organizationally separate from the security operations team.
Joel Snyder is a senior partner at Opus One, an IT consulting firm specializing in security and messaging.
This was first published in August 2010