IPS is not a product; IPS is a function and a technology. You can package that technology in many ways and place that function within many kinds of devices, including standalone IPS appliances, firewalls and switches, and other types of security appliances, such as SSL VPNs. Your choice of form factor (appliance or integrated function) and where you place the IPS function in your network will dramatically affect the products you should consider.
The three most common options are a basic IPS function inside a firewall, a full IPS co-located in a firewall chassis, or a fully freestanding IPS appliance.
Basic IPS in a firewall, focusing on behavior and protocol anomalies, is an excellent choice if you have a good patch and security management policy in place on all internal servers, specifically those accessible from the Internet. In that case, the additional layer that an IPS offers on top of existing firewalls and well-maintained systems is some protection from zero-day attacks as well as DoS attacks.
Some firewalls have an "IPS function" placed into the device simply to satisfy a checklist requirement as part of a unified threat management (UTM) offering. These IPSes should be avoided, both because of their low level of threat protection and because of their awkward and unusable management systems.
Full IPS in a firewall is the best strategy if your main concern is Internet-sourced attacks and, to some extent, identifying internal systems that have
Standalone IPS products are most appropriate in two environments. The most obvious is when the goal of the IPS is to protect a specific set of systems from both external and internal threats. An IPS at the Internet edge only sees traffic that crosses the perimeter; by pushing the IPS closer to the systems being protected (in front of the server segment rather than at the Internet connection), it inspects traffic from every source, so attacks from compromised or malicious internal hosts are covered as well as Internet-sourced ones.
The second environment is one where IPS and security auditing are organizationally divorced from firewall configuration. For example, in some organizations faced with regulatory compliance issues, IPS and IDS tools are managed by an audit group that is separate from the security operations team.
This was first published in February 2007