Firewall vs. IPS: Will next-generation firewalls nix stand-alone IPS?

News analysis: Will the evolution of next-generation firewalls eliminate the stand-alone IPS market? Sean Martin discusses firewalls vs. IPS.

Firewall vendors are in the business of providing network security, and as network security challenges evolve, so must firewalls. As a part of this natural evolution, the firewall security engine has integrated intrusion prevention system (IPS) and other deep-packet inspection capabilities.

Many experts expect this general trend to continue as firewall vendors pack more security intelligence features into their devices, taking advantage of the strategic positioning that firewalls hold in customers' networks. The end result of this development could be a security gateway that is capable of monitoring the entire network.

Gartner Inc. predicted, in its 2010 Magic Quadrant for Network Intrusion Prevention Systems, that IPS market growth would slow due to the success of next-generation firewalls (NGFWs), and that by 2015 NGFW deployments would consume at least 50% of the stand-alone IPS deployment market. Now at the midpoint between 2010 and 2015, it's time to assess the accuracy of that firewall vs. IPS prediction.

Assessing the state of IPS capabilities in next-generation firewalls

At the Black Hat USA 2012 conference in Las Vegas, there were some indications that Gartner's prediction is on track.

The first sign was literally a sign. Well, it was actually a chart from an NSS Labs group test report that had been made into a sign and hung at the conference. The data from this report indicated that the IPS features within NGFW offerings are actually holding their own against stand-alone IPS products.

Next-generation firewalls, by definition, have intrusion prevention capabilities embedded into their core security engines. As NGFWs continue to develop, their IPS features and capabilities will be as good, if not better, than stand-alone IPS offerings. IPS functionality that is embedded in an NGFW can leverage tight integrations with the other NGFW capabilities and provide a single view of network threats, as opposed to information presented via two separate consoles. Some signs of this development are visible in the NSS Labs report.

I asked Steve Erickson, director at iT1 Source and a Dell SonicWALL reseller, about the trend of firewalls overtaking IPS and the choice between selling a stand-alone IPS and an NGFW with integrated IPS.

"Traditionally we've positioned both stand-alone IPS and next-generation firewall appliances to our clients," Erickson said. "Previously, client need and budget determined the path -- one or the other, or both. Usually, the best-of-breed IPS would be selected over the built-in option. But, now that we have the option to offer an integrated appliance that includes IPS functionality that can hold its own, we have a much more compelling offering and can have a much more complete conversation with the customer."

Next-generation firewalls in the channel

When considering the elements for selecting the right NGFW with a built-in IPS, the NSS Labs NGFW report covers the following areas of concern:

  • Effectiveness
  • Resistance to evasion
  • Performance
  • Stability
  • Manageability
  • Total cost of ownership

According to Erickson, customers routinely ask iT1 Source to evaluate their networks and offer options. Sometimes, however, they approach iT1 Source with specific needs for which either type of appliance could work. "We always attempt to create a larger conversation in order to make sure the customer gets the correct and most complete solution," said Erickson.

An integrated appliance changes the game for the channel. The value-added services that the channel offers -- consulting, implementation, training, configuration, management, monitoring and response -- all need to adjust to the ability to provide an integrated offering. In this case, the integration reduces the time consumed across nearly all of these services, thereby saving the value-added reseller money. This, in turn, should save the customer both time and money as well.

Instead of managing security events coming from two separate machines, an administrator can now focus on a single system that provides a view into traditional firewall and IPS security events, as well as other insightful data. This minimizes some of the big data problems that have crept into network security management as a result of massive event generation. Ultimately, the resulting data must be read by humans, and when there is too much data to comb through, they begin to ignore it.

"Of course, we can offer training for and management of any of the devices we sell -- integrated devices or separate devices," said Erickson. "However, with the integrated option, such as that delivered by Dell SonicWALL, our customers benefit from the advanced integrated management features which enable us to manage many more devices at many more customer sites using a single pane of glass -- this dramatically improves the scalability of our service."

With integrated IPS capabilities proving to be more than capable, the NGFW+IPS market is picking up steam and the benefits are reaching the channels and their customers. Gartner's prediction that next-generation firewalls with built-in IPS capabilities will render the stand-alone IPS largely irrelevant looks to be on course, but with two more years to go on Gartner's timeline, there is still plenty of time for new developments to shape the marketplace. How do you think the firewall vs. IPS trend will develop?


About the author:
Sean Martin, CISSP, is the founder of Washington DC-based security research and analysis firm imsmartin consulting. Write him at [email protected].

This was last published in September 2012
