In recent years, analyst firms and vendors have all jumped on the bandwagon using the terms Next Generation Firewall (NGFW) and Next Generation IPS (NGIPS). The key to both technologies is application visibility, and the difference between the two technologies depends on which vendor you ask.
Martin Roesch helped to invent the modern IPS as the creator of the open source SNORT IPS, and is the founder of SourceFIRE. Roesch is an engineer and doesn’t care much for marketing terms. In a video interview with Enterprise Networking Planet, Roesch details his views on the current state of network security and why IT security pros really need to look beyond the network access point for real security.
“You really need to have as much awareness as you can muster,” Roesch said. “What we say internally is if I can identify something, I should be able to control it.”
SourceFIRE’s platform provides both NGIPS and NGFW as well as advanced malware protection capabilities. While SourceFIRE’s platform can handle a vast spectrum of threat activities, Roesch does not call the system a Unified Threat Management (UTM) platform.
Network Control Point
Roesch explained that UTM devices typically terminate connections themselves and can include mail gateway and VPN proxies.
“We don’t call our platform a UTM as we feel it is a more enterprise-oriented feature set that is not really developed around proxying or terminating connections and acting as a front end to a mail or web server,” Roesch said.
He added that SourceFIRE is primarily interested in threats. Those threats are dealt with by way of access and policy controls.
“What I call it – and I’m an engineer so I come up with bad names for things – I call it a Network Control Point, because that’s what it is and does,” Roesch said.
The Network Control Point is a critical foundation for enterprise network security. In Roesch’s view, security starts by maintaining the integrity of an environment, which is all about dealing with threats.
In order to deal with threats, there needs to be a point of presence on the network as well as on the end-user devices.
SourceFIRE developed a technology called Real-time Network Awareness (RNA) that maps a network based on the traffic that is seen. RNA is now used by SourceFIRE to help set policy and build a real-time configuration for an environment.
“We talk about visibility as a function unto itself as opposed to just a feature set,” Roesch said. “Visibility is the foundation of doing security.”
In recent years, the network security industry has also embraced the term WAF (Web Application Firewall) as a technology to protect against web application threats.
Though SourceFIRE does not have its own standalone WAF technology, Roesch argues that his SNORT IPS can be used to achieve a similar function.
“It’s more of a focus thing, than a can it do it or not,” Roesch said. “We’ve never focussed on that sector because it’s not usually why people hire us – people hire us to keep threats off their network.”
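As an added illustration of the WAF-like inspection Roesch describes (this is example content, not from the article or Sourcefire), two Snort 2.x rules that match web-application attack patterns in the HTTP request URI. They assume the `$HTTP_SERVERS` and `$HTTP_PORTS` variables are defined in snort.conf and that the http_inspect preprocessor is enabled, which is what decodes the URI into the normalized buffer that `http_uri` matches against.

```snort
# Added example: Snort 2.x rules applying WAF-style checks inside an IPS.
# Both rules inspect the normalized URI buffer (http_uri), so URL-encoded
# variants such as %2e%2e%2f are seen in decoded form.

# SQL injection pattern: UNION followed later by SELECT in the same URI.
# distance:0 makes the second content match relative to the first.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-APP SQL injection pattern (UNION ... SELECT) in URI"; \
    flow:to_server,established; \
    content:"UNION"; nocase; http_uri; \
    content:"SELECT"; nocase; http_uri; distance:0; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Directory traversal: parent-directory sequence in the request path.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-APP directory traversal (../) in URI"; \
    flow:to_server,established; \
    content:"../"; http_uri; \
    classtype:web-application-attack; sid:1000002; rev:1; )
```

Rules like these cover the signature side of what a WAF does; they do not replace a WAF's application-aware session handling, and they should be tuned against the site's legitimate traffic (the `../` rule in particular) before being switched from alert to drop.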
While there is a never-ending array of threats attacking modern networks, Roesch sees organizational inertia as a key challenge.
SourceFIRE now has elements in its portfolio for both network and desktop security. The challenge is that in many organizations, security is siloed, with network security pros standing separate from those responsible for the desktop.
“I think that organizational structures that too many enterprises have are directly contrary to their security interests these days,” Roesch said.
In Roesch’s experience, IT security operations are often distinct from IT as a whole. In contrast, he sees security as the foundation for IT. From a security perspective, the problem that IT security should be aiming to solve is keeping people from breaking into a network.
“Security is not access control, security is threat prevention,” Roesch said. “Access control can be a part of that, but it’s not the beginning and end of it.”
Watch the video interview with Martin Roesch, founder of SourceFIRE below: