Published: 01 Nov 2003
"The first question I'm asked -- always -- is do I need a firewall and an IDS and an IPS? If I buy an IPS, can I get rid of either my firewall or IDS?" says Hart Rossman of SAIC, a research and engineering company providing information technology, systems integration and e-business solutions.
"I've counseled that IPS doesn't replace firewalls -- at least at this point in time -- and it doesn't replace your switches," says Rossman, SAIC's system VP and technical director of enterprise security solutions. "But there's a strong case to be made that IPS can replace your IDS systems, depending on how far your IDS deployment is and how far your incident response plan takes advantage of IDS data."
Security switch/intrusion prevention appliances are getting customer attention and some traction in the market. The prime reasons are consolidation and performance, says Vigilar's Joseph Dell.
"Number 1 is consolidation," says Dell, technology director for the infosecurity and risk management consultancy. "A layered security model means you've got firewalls, IDSes, authentication servers and encryption servers. The complexity becomes unbearable, from both a business and technical perspective.
"Number 2 is performance. We have customers that are 2 Gbps in and 2 Gbps out of the organization. They're using that bandwidth 100 percent of the time." Traditional solutions just don't have the muscle for complex security processes, says Dell. The new appliances, with multiple custom processors performing numerous functions on a single packet or data connection, overcome that bottleneck.
The challenge with security switches, says Rossman, is that they lack the sophistication to replace existing switches inline, so you're still adding some complexity to your environment. "You have a series of inline devices that overlap in many areas but can't quite replace each other. But you have to manage them all."
Therefore, Rossman recommends deploying the appliances in the DMZ and at convergence points in the network. This strategy gives you the advantage of IPS capabilities without a general perimeter deployment.
OK, but with heavy investments in traditional firewalls and IDSes -- and tight security budgets -- who's going to buy?
Rossman sees a lot of health care and federal government customers -- civilian and military. The health care interest is dampened to some extent by organizations' heavy IDS investment.
"They're a little more tepid about IPS because they've already ramped up to deploy large IDS grids," he says. "It's difficult to go to your boss for a whole new class of devices to solve a problem you just claimed you've already solved."
Government is another story.
"The government made a move to support IDS on a fairly significant scale and isn't getting the return on investment it expected in terms of getting actionable intelligence out of the devices," says Rossman. The IPS market is looking "very promising," and post-9/11, agencies are getting money for pilot programs.
Dell says he's seeing a lot of companies looking to IPS to replace obsolete products. "They're in refresh mode. They installed firewalls in 1999 and 2000, and the products are at end of life." Those companies are looking seriously at the new appliances, drawn by the promise of fewer and faster devices -- at less overall cost.
The corporate trend toward merging network and security functions gives security switch vendors a good chance to get their foot in the door.
"The security people handled the firewalls and the IDSes, the network people the routers and switches, and the two hated each other," says Dell. Now security is becoming more of a policymaker role in large organizations, and network groups are taking over security operations. With the distinction between network and security devices fading, companies like F5 Networks and NetScaler, for example, can approach organizations with security pitches, he says.
"In the past, if you were selling security, you talked to a security group. If you were selling performance, bandwidth or quality of service, you were talking to the network group. That's no longer the case," Dell says.