Network Intrusion Prevention Buyer's Guide
What does it really take for a Network Intrusion Prevention Systems (NIPS) to defend your business from advanced threats and zero-day attacks? Learn about the features you should look for.
Over the years, the network threat landscape has evolved from hacking for fun and fame to commercialized and targeted persistent attacks. Along this rocky road, Network Intrusion Detection and Prevention Systems (NIDS / NIPS) became an enterprise best practice--now widely considered essential at the network edge as well as at key junctions leading to high-value, mission-critical assets (e.g., data centers). A NIDS focuses on spotting attacks by analyzing observed packets with various methods, while a NIPS attempts to automatically block detected attacks based on policy.
According to Gartner, the worldwide market for stand-alone IPS products reached $939 million last year, up 5 percent from 2009. The growth rate was down from 2008, reflecting both a weak economy and displacement by next-generation firewalls with embedded IPS capabilities.
In this buyer's guide, we examine the capabilities and features offered by some of today's best-selling NIPS appliances. Although the specific business needs of each enterprise network may differ, we look at key questions that every enterprise should consider when shopping for solutions in this enterprise network security device category.
Fitting NIPS into your network
A NIDS is composed of passive devices--sensors--which are typically fed by network taps or connected to switch mirror ports. But, given that a NIPS must not only detect attacks but actively stop them, NIPS is an active in-line technology, often situated between "the unknown untrusted outside" and "the valuable trusted inside."
However, this placement does not mean NIPS is always used to block suspicious traffic. In fact, Gartner estimates that 25 percent of enterprise NIPS are initially deployed in an "IDS-only mode," with blocking features disabled. Administrators start by watching what the NIPS actually detects to build confidence and hone policies, without risking business disruption. Advanced detection and blocking features tend to be enabled over time, depending on each organization's tolerance for risk (false negatives) versus downtime (false positives).
Furthermore, a stand-alone NIPS appliance is not the only available form factor. Many SMBs and branch offices prefer to deploy perimeter firewalls with embedded IPS features (such as Unified Threat Management appliances). Some enterprises would rather bolt an IPS blade into a data center switch (or slip an IPS card into a router) instead of dropping in an IPS appliance. It is common for network equipment vendors to offer form factors that fit into several of these deployment models, all powered by the same IPS engine. Choosing a network architecture to best fit a given business scenario is therefore an essential part of NIPS selection.
Finally, when choosing any in-line security technology, it is important to consider what happens when systems reach capacity or fail. Consider how a NIPS can be scaled (e.g., by adding appliances/cards managed by the same console). Examine load balancing and high availability features and ask whether the NIPS "fails open" (i.e., permits all traffic without inspection or blocking, to avoid business disruption) or "fails closed" (i.e., drops all traffic, favoring security over availability); the right answer depends on whether the link in front of the NIPS can tolerate an outage better than it can tolerate uninspected traffic.
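The deployment choices above (IDS-only mode versus blocking, per-rule blocking policy, and fail-open versus fail-closed behavior at capacity) can be made concrete with a small model of an in-line engine. This is an added illustration, not code from the article or any vendor product; the rules, capacity limit and traffic below are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    DETECT_ONLY = "ids"  # log matches, never drop (the initial deployment stance)
    BLOCK = "ips"        # drop when a rule marked as blocking matches

@dataclass
class Rule:
    name: str
    pattern: bytes
    block: bool = True   # policy may keep a rule alert-only even in BLOCK mode

@dataclass
class InlineNips:
    rules: list
    mode: Mode = Mode.DETECT_ONLY
    capacity: int = 4    # packets the engine can inspect per interval (constructed)
    fail_open: bool = True
    seen: int = 0

    def inspect(self, payload: bytes) -> tuple:
        """Return (action, matched_rule_names) for one packet."""
        self.seen += 1
        if self.seen > self.capacity:
            # Saturated: fail-open forwards traffic uninspected, fail-closed drops it
            return ("pass" if self.fail_open else "drop"), ["uninspected"]
        hits = [r for r in self.rules if r.pattern in payload]
        if self.mode is Mode.BLOCK and any(r.block for r in hits):
            return "drop", [r.name for r in hits]
        return "pass", [r.name for r in hits]

# Constructed sample rules and traffic, not taken from any product or the article
RULES = [Rule("web-xss-marker", b"<script>"),
         Rule("path-traversal", b"../../"),
         Rule("sql-keyword-watch", b"UNION SELECT", block=False)]
TRAFFIC = [b"GET /index.html", b"GET /?q=<script>x", b"GET /../../x",
           b"GET /?id=1 UNION SELECT 2", b"GET /about", b"GET /?q=<script>y"]

def run(mode: Mode, fail_open: bool = True) -> dict:
    """Count pass/drop/alert/uninspected outcomes for the sample traffic."""
    nips = InlineNips(RULES, mode=mode, capacity=4, fail_open=fail_open)
    counts = {"pass": 0, "drop": 0, "alerts": 0, "uninspected": 0}
    for pkt in TRAFFIC:
        action, hits = nips.inspect(pkt)
        counts[action] += 1
        if hits == ["uninspected"]:
            counts["uninspected"] += 1
        else:
            counts["alerts"] += len(hits)
    return counts

if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, "fail-open:", run(mode), "fail-closed:", run(mode, fail_open=False))
```

The same three alerts are raised under every configuration; only the mode, the per-rule block flag and the fail-open setting decide whether any packet is actually dropped, which is the trade-off between false negatives and downtime the article describes.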
Inspection depth versus speed
NIPS performance, and therefore design, is shaped by the tension between inspecting traffic at near-wire-speed and reassembling messages to drill deeply enough to match patterns, observe behaviors, and enforce policies. If you plan to deploy NIPS at a large network's perimeter or in front of a server pool with high transaction volume, be sure to compare throughput requirements to product benchmarks measured with IPS enabled, not with inspection turned off. Policy number and complexity can have a significant impact on throughput; the stand-alone NIPS market has been moving to purpose-built hardware to meet ever-higher expectations.
However, deployment location can also affect the required inspection depth. Network edge and branch office NIPS are often deployed as relatively coarse measures, ensuring that common, easily recognized threats cannot get very far. Narrowly focused data center NIPS are more likely to drill deeper - for example, searching for database threats, web application threats, and behavioral anomalies. Thus, business goals and their likely impact on policies should be considered when establishing both performance and functional requirements. Don't be fooled by a speedy product that cannot detect the threats that matter to you.
In fact, Gartner reports that 65 percent of new NIPS deployments stick to basic vendor-recommended configurations; just 10 percent of enterprises end up aggressively using advanced features like custom signatures and network behavior analysis. This suggests that many organizations could be getting more value out of their NIPS investments, given a better understanding of capabilities, easier ways to put them to work, and higher confidence that utilizing them would not impede legitimate traffic.