The IPS Goes Virtual

Major vendors are adding virtual IPSes and pushing IPSes to virtual computing environments
Intrusion protection system (IPS) technology is gradually adapting to virtual computing, as IPS vendors add to their product lines both actual virtual IPSes and IPSes that protect virtual machines.

Sourcefire's recent release of VMware-based virtual appliances was the latest arrival to the market of IPSes that work with virtual machines. IBM ISS also offers a virtual IPS, and TippingPoint has plans to roll out a virtual IPS offering as well.

What's driving the IPS to virtualization? A combination of trends in IPS evolution, including the convergence of IPS technology with other security functions (think firewalls and data leakage protection), the consolidation of data centers using virtualization technology, and compliance.

It's not so much that the IPS is changing in what it can do technology-wise, but more that it's changing in the type of environment it runs in, notes Matt Watchinski, senior director of Sourcefire's Vulnerability Research Team. "Most [IPS vendors] are making their software work in those [virtual] environments," he says. "The point is that we're taking that step forward to embracing virtualization."

Virtual IPSes are still a fairly new approach for IPS perimeter defenses. "The virtualization of these security appliances starts small, and most people are still dipping their toes in the water," Watchinski says. "You're not going to see massive deployments here [for now]."

That doesn't mean massive IPSes with mega-throughput are going anywhere. It's just that there's also a growing market for software-only IPSes that don't require speed as much as the flexibility of a virtual environment and more cost-effectiveness, experts say.

Dave Ostrowski, product marketing manager at IBM ISS, says the biggest challenge for IPSes operating in a virtual environment is getting visibility into the traffic. IBM ISS had to write code to add the ability to see inbound packets at the hypervisor layer as well as to determine when a server is compromised. "In a traditional IPS environment, we're a bump in the wire and had the ability to sniff packets and read and process them as they come in through our device," Ostrowski says.

IBM's Proventia Virtualized Network Security Platform is basically a virtualized version of the company's physical IPS appliance. Ostrowski says it's used mainly as a means of consolidating security functions or IPS hardware.

With its hypervisor protection in its new Virtual Server Security for VMware product, which is hosted in the hypervisor, IBM also had to write new code to execute IPS duties in the hypervisor. "We had to ensure that any vulnerabilities or attacks to the hypervisor were secured. We wrote code to protect the hypervisor," he says. And the product, which is basically a hybrid host IPS system, also supports the ability to provide zero-day protection when VMware reports a known vulnerability, he says.

TippingPoint, meanwhile, has actually used virtualization within its new, modular N-Platform IPS architecture, which includes a virtualized implementation of its IPS on the physical IPS platform. "This positions us in the future to port that and extend it," says James Collinge, senior director of security product strategies for TippingPoint. "You can think of our actual platform containing virtual IPSes [of its own]."

Look for IPSes to continue to be combined with other security technologies, such as firewalls, URL filters, and data leakage prevention tools. "In the next year or so, there will be continued convergence so users can get more for their dollar," IBM's Ostrowski says. "Customers are pushing us currently to get more value from the points of presence they already have with their IPSes."

IBM ISS is also planning to add the ability to detect SQL injection and cross-site scripting attacks to its IPS. "We've seen a real influx of attacks on the most vulnerable points, Web servers, and databases," Ostrowski says. "So we've added over the last 12 months a lot of rich security content to address those threats."

IPSes ultimately are becoming more data and application protection systems, he says. IBM ISS also plans to expand its Web Protection System, which currently includes a basic IPS function.

Even so, with the majority of attacks coming at the application layer or the end user layer, some experts still question the need for yet another network security device like the IPS when the firewall is so well-entrenched and reliable.

IPS vendors say that's why they are starting to expand their view to Layer 7 application protocols. But while the network perimeter is considered relatively locked down these days, the network is far from finished security-wise. The next frontier for attackers will be specialized networks, such as SCADA networks, as they join the Internet. "SCADA networks are the next network-level threat you'll see," TippingPoint's Collinge says.
