October 05, 2006
How to Select an IPS
Joel Snyder of Opus One has just published a paper entitled "Six Integral Steps to Selecting the Right IPS for Your Network". It's hosted on Juniper's site, but it's actually somewhat vendor neutral. Joel is a knowledgeable security consultant and a very good writer, which is a rare combination. I think this paper is quite insightful and offers practical advice on how to think through the selection process. Speaking as the CEO of NFR Security, a vendor in the IPS space, I believe this paper is much needed in what must be a confusing market for buyers of IPS technology.
Joel offers some good solid advice. Here are his six steps:
Step 1: Why am I buying an IPS?
Step 2: Determine Security Parameters and Coverage
Step 3: Determine Your Performance Requirements
Step 4: Determine Form Factor Requirements
Step 5: Determine Security Management Requirements
Step 6: Evaluate an IPS
Here's what I liked about his paper in general:
First, Joel does a nice job of not naming names or endorsing any particular vendor. If this paper is to be objective and helpful, it needs to stick to that tenet, and it does. Second, it may seem like common sense, but many users don't understand how to systematically think through the evaluation/selection process, and this paper offers a very solid approach to doing so.
Also, he calls it like he sees it. I can't say I agree with every single thing he says (I'll get to that later), but he's generally knowledgeable and intellectually honest when he calls out the limitations of the Snort IDS embedded in these Unified Threat Management (UTM) boxes. Here's a sampling:
"...some firewalls have an 'IPS function' which was placed into the device simply to satisfy a checklist requirement as part of a UTM offering....these IPS features are based on some version of the Snort IDS engine..."
"Although Snort does a poor job as an IPS...this isn't the main reason why these embedded IPS functions in UTM firewalls should be avoided. The real problem with embedded Snort-based IPS in UTM devices lay with system management."
He goes on to explain how Snort's more than 6,000 rules can be a real challenge to manage in a UTM, which limits the ability to keep false positives at an acceptable level. Joel Snyder deserves credit for finally blowing the whistle on what UTM/embedded Snort implementations really deliver. It's not a real IPS solution and probably never will be...but if all you want is to mark a checklist, then I guess it's ok.
Other good points in his paper include his emphasis on how important management capability really is. If you're deploying more than 3-4 sensors, manageability of the system is critical to the decision process.
Here are a few points of disagreement, mostly minor, but I thought I'd list them.
Near the top of the list of my concerns is his categorization of the "behavioral IPS". I'm not 100% certain of what he means by behavioral IPS, but if he's talking about pure-play NetFlow analysis/user pattern analysis vendors like Arbor Networks or Lancope, I'm not sure that those products qualify as IPSs under generally accepted definitions. Most experts believe that a requirement of an IPS is to run inline, hence possessing the ability to block in real time. I don't think most of what is classified as behavioral systems run inline. No slight intended to Arbor or Lancope, since both are excellent products, but my perception from speaking with several enterprise customers is that behavioral anomaly systems are viewed as niche, marginal and supplementary to an enterprise security architecture.
I also think his "hard categorization" of signature-based versus rate-based IPSs can be unintentionally misleading. The truth is that most IPSs offer some measure of multiple protection techniques. I know that NFR Security's Sentivist product uses a hybrid detection model that incorporates a mix of signature-based, protocol-anomaly-based, rate-based and policy-based detection. However, he does qualify this by noting that every product has a "sweet spot", which I agree with.
Overall, it's an excellent paper and a very worthy read. If you're shopping for an IPS, take some time to check it out.
Posted by andreyee in IPS/Firewall Technology
Andre Yee's Security Insider
