Get ready: Network-based intrusion prevention system (IPS) technology is due for an extreme makeover.
IPSes have been a source of frustration for many enterprises for some time because they stop only known threats and frequently generate false positives and false negatives. (See Top 10 Reasons Security Products Don't Work, IDS/IPS: Too Many Holes?, and IPS Evasion Equation.) Some organizations don't even bother using an IPS: Joseph Foran, director of information technology for FSW, runs intrusion detection system (IDS) tools but not IPS. "IPS is not a prime-time technology for us," Foran says.
Security researchers haven't been impressed with IPS technology, either. "I don't have a lot of confidence in an IPS, nor do I recommend it to my clients," says Sean Kelly, business technology consultant for Consilium1, which performs penetration tests for its clients. "You should get an IDS and feed [data to] a larger security event system. A lot of tuning is involved with that, but it would be invaluable to centralize that information and get the big picture."
Paul Morville, vice president of product management for IPS vendor Arbor Networks, says today's IPS technology will increasingly be folded into the service provider cloud, integrated into the network switch, and blended with related technologies, such as network access control (NAC).
Bottom line: The current IPS approach is outdated. Times have changed since the worm era of the early 2000s, when IPS was first built. "It gave you a device to protect your vulnerable systems behind the network from SQL Slammer, Blaster, etc.," says Richard Stiennon, president of IT-Harvest. But major worm infestations aren't the problem any more: "The trouble is what we've really been doing for the last four years is vulnerability and patch management. The driver for IPS hasn't really been there."
The overhaul experts expect is taking two forms: in some cases the technology is being folded into network hardware and managed services; in other cases it is gaining detection capabilities it did not have before. Either way, they say, the evolution of the IPS has already begun.
On the services side, Arbor Networks' Morville says service providers and managed security service providers are already delivering firewall and IPS-based services, and that the trend toward blended security services will "accelerate" over the next few years. AT&T's firewall service, for example, includes IDS and IPS capabilities, he says.
Switches, too, are already coming with some IPS technology: Cisco, for instance, sells blades for its Catalyst switches with IPS functionality.
The switch-based IPS would be aimed more at small- to medium-sized organizations or small offices, security experts say. "It will slowly become a commodity as part of a standard switch offering," Morville says.
FSW's Foran likes the idea of IPS technology being integrated into network switches -- a combination that could lead to performance and memory advantages and better management capabilities. "We'd have fewer boxes to manage, and the interfaces would improve," he says.
What about the signature-based limitations of IPSes? IPS will also converge with anomaly detection and other features that expand its inspection capabilities beyond known threats, experts say.
Rate-based anomaly detection, such as spotting a traffic flood, makes sense at the perimeter, Morville says. And behavioral anomaly detection -- where you're looking for individual people or hosts acting outside the norm -- is best for the internal network, he says.
"High-end enterprises want IPSes that they aren't afraid to turn on. This means IPSes that are network- and host-aware, making them less prone to false positives and negatives," Morville says. They want IPS to throttle back traffic and quarantine it to a separate virtual LAN, rather than just drop it, he says.
Some experts envision IPSes deploying virtual machine technology -- as FireEye does with its NAC appliance -- where virtual machines run copies of incoming traffic to see if it's legit, rather than relying on signatures alone. "We have virtual machines inside our appliance all running copies of Windows -- they act like crash-test dummies," says Chad Harrington, vice president of marketing for FireEye, who points out that the appliances aren't inline like an IPS. "This is more accurate and doesn't give false alerts."
The trick with a beefed-up IPS is getting good performance, though: Hardware would have to catch up to make it viable, especially if virtual machine-based features are added, says John Pescatore, a vice president with Gartner.
And VM-based filtering would be limited to critical servers running specific applications, Arbor Networks' Morville says.
IPS and NAC technology are expected to converge as well. FireEye, for instance, competes with major IPS vendors selling to the internal network, Harrington says. The two technologies will be integrated in the long term, within five years, with IPS technology being added to NAC appliances, he says. "The internal problem the NAC is trying to solve is harder," so it's easier for NAC devices to get IPS features than vice versa, he says.
For the time being, however, today's IPS technology isn't for everyone. Many enterprises are more concerned about control points on their network and NAC, IT-Harvest's Stiennon says, so an IPS sitting inside the network rather than behind the firewall would be more useful. "You can have a good security infrastructure today without doing IPS," he says.
FSW's Foran concurs. "I'm not as worried about the unknown as I am about the unknown laptops: Sales guy X comes in with an infection he doesn't know about, and I don't want that coming into my network," Foran says. "What happens if a user working from home has an unsecured computer? That's more apt to worry me than a brand-new piece of malware our scanners didn't pick up."
Kelly Jackson Higgins, Senior Editor, Dark Reading