Next-Generation Firewalls Poised to Eclipse Intrusion Prevention Systems
January 20, 2012
- Readers who are considering adding new IPSs to their network should ask what their suppliers’ plans are for next-generation firewall (NGFW) features and how far along they are in delivering those.
- Additional features that come with a NGFW make it a more complex security tool to manage, and enterprises should be prepared to invest in training should they plan to add NGFWs to their arsenal.
Are standalone IPSs becoming the next stateful packet inspection firewall (i.e., an old perimeter security technology that is required but no longer sufficient for protecting enterprise networks)? Sophisticated and well-financed malware writers consistently find new ways of getting around existing and well-understood security controls such as the firewall and IPS, even as those suppliers race to keep up with the constantly changing threat landscape. The result has been a constant stream of breach headlines (too many being rather spectacular) that all point to the rise of the so-called ‘advanced persistent threat’ (APT). Enterprises looking to address such threats are coming to embrace the NGFW and the greater application and user context it brings to the fight against more sophisticated cyber attacks. The NGFW integrates the functions of a stateful firewall and IPS with the ability to identify applications and application-level attacks and apply granular policies to application usage. One forecast puts the IPS market at $2 billion by 2014, while the NGFW market is projected to reach $4 billion by 2014.
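To make the "required but no longer sufficient" point concrete, here is a small added illustration (not code from this post or from any vendor's product) that evaluates the same sample sessions against a port-based stateful rule set and against an application- and user-aware rule set of the kind an NGFW applies. The application names, user groups and flows are constructed for the example and stand in for whatever an application-identification engine and a directory lookup would actually return.

```python
"""Toy policy engine contrasting port-based stateful firewall rules with
application- and user-aware (NGFW-style) rules.  Added example; the app
names, user groups and flows are constructed, not from any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound session as seen at the perimeter (constructed sample data)."""
    user_group: str   # hypothetical directory group, e.g. "staff", "contractors"
    proto: str        # "tcp" or "udp"
    dst_port: int
    app: str          # identified application, e.g. "web-browsing"


# Legacy stateful rule set: the decision depends only on protocol and port.
PORT_RULES = [
    ("tcp", 443, "allow"),
    ("tcp", 80, "allow"),
    ("udp", 53, "allow"),
]


def stateful_decision(flow: Flow) -> str:
    """First-match evaluation over protocol/port; implicit default deny."""
    for proto, port, action in PORT_RULES:
        if flow.proto == proto and flow.dst_port == port:
            return action
    return "deny"


# NGFW-style rule set: the decision depends on the identified application and
# the user's group, regardless of which port the application happens to use.
APP_RULES = [
    # (user_group or "any", application, action)
    ("any", "web-browsing", "allow"),
    ("any", "dns", "allow"),
    ("staff", "ssl-vpn-client", "allow"),   # hypothetical sanctioned remote-access app
    ("any", "p2p-file-sharing", "deny"),    # hypothetical app that tunnels over 443
]


def ngfw_decision(flow: Flow) -> str:
    """First-match evaluation over (group, application); implicit default deny."""
    for group, app, action in APP_RULES:
        if flow.app == app and group in ("any", flow.user_group):
            return action
    return "deny"


def compare(flows):
    """Return (app, stateful, ngfw) triples so the divergences are visible."""
    return [(f.app, stateful_decision(f), ngfw_decision(f)) for f in flows]


# Constructed sample sessions.
SAMPLE_FLOWS = [
    Flow("staff", "tcp", 443, "web-browsing"),            # both allow
    Flow("contractors", "tcp", 443, "p2p-file-sharing"),  # slips past a port-only rule
    Flow("contractors", "tcp", 443, "ssl-vpn-client"),    # not sanctioned for this group
    Flow("staff", "tcp", 8443, "web-browsing"),           # same app, non-standard port
]

if __name__ == "__main__":
    for app, legacy, ngfw in compare(SAMPLE_FLOWS):
        print(f"{app:18} stateful={legacy:5} ngfw={ngfw}")
```

The two middle flows are the ones that matter: a port-only rule set sees nothing but "TCP/443, allowed" for both, while the application-aware rule set blocks the file-sharing app outright and blocks the remote-access client for a group that is not entitled to it. The last flow shows the converse, a sanctioned application on an unusual port that a port-based rule would have dropped. Real products add content inspection and threat signatures on top of this; the example only shows the policy dimension the paragraph describes.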
Any IPS vendor that was caught off guard by the fast ramp in NGFW interest, spurred on by Palo Alto Networks’ rising star, is likely trying to market its IPS line as ‘next generation.’ Next-generation IPS products typically combine traditional IPS functionality with application, user, and content awareness. However, enterprises should be wary of such claims; they should be sure to look under the covers to see what the vendor is actually providing, as well as how integrated the various functions are. There will be the inevitable bolt-ons, and those are likely to cause performance problems and introduce greater management complexity.
Speaking of management complexity, NGFWs introduce a new level of operational overhead and usually require additional training and some ramp-up time to learn how to get the most out of this new and unfamiliar technology. For any network security engineer who’s gained a good level of proficiency at configuring and tuning an IPS, it is basically, “Here we go again.”
Still, it is unclear whether enterprises will replace their existing IPSs with NGFWs. One study sponsored by Sourcefire suggests that 55% of surveyed enterprises worldwide are looking to augment existing security mechanisms with NGFWs, rather than replace them. Of course, Sourcefire has a good reason to advance that idea: it now derives the lion’s share of its revenue from its IPS line, and the company introduced its first NGFW only last month. Regardless, old threats do not necessarily go away; they get turned into malware toolkits sold in the cyber underground to less well-financed and less sophisticated attackers. So, the IPS, like the rather rusty stateful packet inspection firewall, will likely be relegated to the bottom of the security team’s toolbox as the shiny new NGFW goes mainstream.