What is an IPS, anyway?

By Joel Snyder
Network World, 08/04/03

Original Article on Network World Web Site

During Network World's recent Security Technology Tour, we received a lot of questions about intrusion-prevention systems. The problem is that there is little agreement on what an IPS really is.

The security experts on the tour agreed on one thing: An IPS must be inline. That is, packets have to move through the IPS to prevent intrusions. While the idea of resetting connections and changing firewalls is a good interim step, enterprise-class intrusion prevention will require that the IPS handle packets, dropping them when something is wrong.

A second assumption about IPS is that it is a "permissive" technology. In other words, an IPS will drop a packet if it has a reason to, but the default behavior is to pass traffic along. In contrast, a firewall is a "prohibitive" technology: It lets a packet through only if it has a reason to.

Obviously, firewalls are also intrusion-prevention devices. Some experts say that all IPS vendors are talking about is what firewalls should be doing. But the difference in the orientation of these technologies suggests that they are not the same.

More importantly, because they are different, you can use a firewall or an IPS or both at any point in your network. At the perimeter, it's reasonable to expect that a firewall also will have an IPS built in. But at the core of the network, inline IPS might be built into switches and routers.
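The permissive/prohibitive distinction above, as an added sketch that is not from the original article. The port allow-list, the single payload signature and the sample packets are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes

# Constructed policy for illustration (assumptions, not from the article).
FIREWALL_ALLOW = {("tcp", 80), ("tcp", 443)}   # prohibitive: reasons to pass
IPS_SIGNATURES = {"code-red-style request": b"/default.ida?"}  # permissive: reasons to drop

def firewall(pkt: Packet) -> str:
    """Prohibitive: drop unless a rule gives a reason to pass."""
    return "pass" if (pkt.proto, pkt.dst_port) in FIREWALL_ALLOW else "drop"

def ips(pkt: Packet) -> str:
    """Permissive: pass unless a signature gives a reason to drop."""
    hit = any(sig in pkt.payload for sig in IPS_SIGNATURES.values())
    return "drop" if hit else "pass"

def inline(pkt: Packet, *stages) -> str:
    """Devices in series: forwarded only if every inline stage passes it."""
    return "drop" if any(s(pkt) == "drop" for s in stages) else "pass"

def verdicts(pkt: Packet) -> dict:
    """Verdict of each device alone and of both placed inline together."""
    return {"firewall": firewall(pkt), "ips": ips(pkt),
            "both inline": inline(pkt, firewall, ips)}

# Constructed sample packets.
SAMPLES = {
    "normal web request": Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    "worm probe on an allowed port": Packet("tcp", 80, b"GET /default.ida?NNNN HTTP/1.0\r\n\r\n"),
    "unrecognised traffic, closed port": Packet("udp", 1434, b"\x04AAAA"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:36}", verdicts(pkt))
```

The second sample is passed by the firewall and dropped only by the IPS, while the third is passed by the IPS and dropped only by the firewall, which is why the two defaults complement each other when both are inline.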

How do you convince purse holders to buy into IPS? There's no easy answer to that. The "fear factor" approach can be useful. Make the decision-makers afraid. Point out the new legislation regarding liability. And perhaps you'll see the money start to flow. But that's not a long-term solution.

For some, an IPS can be justified on the "nuisance factor" instead. By blocking the thousands of Code Red and MS-SQL Slammer attacks coming into the network every hour, the load on the firewall is lightened, the Internet connection is faster and the Web server logs are easier to analyze.

For others, IPS justification will have to be part of a larger program of security, justified on the basis of traditional ROI analysis.

What's clear from tour attendees is that wrapping a firewall around the perimeter is no longer sufficient to meet the needs of modern networks. Technologies such as IPS need to be pushed into the network, not just at the edge, but throughout the entire infrastructure.