Intrusion detection and prevention may have faded into the background in recent years as the technology has been assimilated into larger network security product suites. But intrusion prevention systems (IPS) are still advancing with next-generation features to tackle full stack inspections and add more intelligence to standard functionality such as event correlation and contextual analysis of threat information, according to Stamford, Conn.-based market research firm Gartner.
Advanced threat detection is another feature of next-generation IPS. Many standalone IPS products will add some form of threat intelligence, predicts Gartner. At the same time, threat intelligence vendors are moving into the intrusion detection and prevention space with integrated product offerings.
Notice how Cisco's winning entry in this year's contest reflects those market trends -- and is the result of major technology acquisitions. In the past year, several companies have acquired pure play IPS and related technologies. Those strategies have paid off, according to our readers.
Winner: Cisco FirePower Next-Generation IPS, Cisco
In 2013 Cisco acquired pure play security company Sourcefire, which has in turn played a big role in the networking giant’s security business. Sourcefire specialized in intrusion prevention appliances based on Snort, an open source intrusion prevention technology. The Cisco FirePower Next-Generation Intrusion Prevention System (NGIPS) gets the next-generation moniker for its contextual analysis of potential threats or suspicious activity. Instead of just basic traffic analysis and pattern matching, a NGIPS uses a broader range of data and analysis.
The Cisco FirePower NGIPS is designed to give customers full stack visibility of the enterprise network with contextual analysis of network behavior, which includes event data for applications, devices, operating systems, cloud services, files and potential threats. The product has a passive intrusion detection mode for notifications of suspicious activity and an inline intrusion prevention mode to block threats. The product comes with a host of capabilities such as user and user group control, automated tuning and file type determination. The NGIPS can generate IT policy compliance whitelists and perform automated impact assessments and custom IPS rules. In addition to the analysis capabilities, the Cisco FirePower NGIPS can be expanded with optional features such as application inspection and control features for more than 1,800 applications, plus URL filtering for more than 280 million domains and more than 80 categories of domain types. Customers can also manage hundreds of FirePower appliances through a central point with the Sourcefire FireSight Management Console. And the FirePower appliances are built with a low-latency, single-pass design to give the hardware increased capability.
Readers gave the Cisco FirePower NGIPS high scores particularly for its ability to detect and prevent threats as well as distinguish false positives. The explosion of applications -- both on-premises and in the cloud -- within enterprises has made application-based inspection a hot commodity, according to Adam Hils, research director of network security at Gartner. "FirePower brought an important component to Cisco's security with its IPS technology," he says. "Application inspection is becoming an expected feature for IPS and firewall products."
Winner: Fortinet Fortigate (Fortiguard IPS), Fortinet Inc.
If mention of Fortinet brings to mind the product bundling that is the very definition of unified threat management (UTM) devices, that's not wrong, but Fortinet excels in specific categories as well. It also doesn't mean that the company only plays in branch offices where UTM flourishes. Some of the boxes Fortinet builds these days manage throughput right up to 160 Gbps and multiple 40 GbE, Quad (4-channel) small form-factor pluggable ports and are thoroughly at home in the network core.
While on the subject of hardware, we should mention that one thing that sets Fortinet apart is its development of custom application-specific integrated circuits for bespoke processing scenarios. Under the FortiASIC banner, there are ASICs that handle content inspection acceleration, a network flow chip that handles basic firewall tasks along with VPN and IPv6 translation, and a system-on-a-chip (SoC2) version that combines several of these elements into a single package, making higher performance more affordable in the entry-level devices.
Riding atop the hardware, the FortiGuard Intrusion Prevention Service can be deployed on any FortiGate Next Generation Firewall or FortiWiFi wireless security box. The IPS uses a customizable database of more than 8,000 known threats to enable FortiGate and FortiWiFi appliances to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize as-yet-unseen threats. Because organizations are often looking to IPS for an additional backstop against APT-style disasters, the heuristic component is a particularly vital part of the mix.
Additionally, the FortiGuard IPS provides more than 3,000 application identity signatures for complete application control.
Signature update frequency was one of several elements that readers called out for special notice. They also liked the ease of installation (not surprising for a company that focuses on UTM equipment, where simplicity is one of the key virtues). Highest of all, though, was the reader rating for Fortinet's service and support. Basic, business hours support for Fortinet products comes free with purchase.