IPS: Best of breed or integrated solution?

The age-old question of whether to go with best-of-breed products or integrated solutions is particularly salient when it comes to intrusion-prevention systems. Security is an area where you need the best possible point product, the best-of-breed folks argue. But evolved threats require a more holistic view that can only be achieved by taking more factors into account, the integrated-solution suppliers counter. Who is right? You decide.

The Experts
Martin Roesch

Founder and CTO of Sourcefire says you need to specialize to do the IPS job properly, which means best of breed is the way to go.

Wade Williamson

Senior security analyst at Palo Alto Networks argues that the landscape has shifted, and that the only way an IPS can provide adequate guidance is if it takes the whole picture into account.

Martin Roesch

Demand the best

For more than a decade now, we’ve heard about how “security technology X” is going to disappear into “device Y” because buyers love convergence. But despite the surety of the prognosticators one fact remains -- there is still a large and growing requirement for best of breed intrusion prevention systems (IPS).

I’ll also tell you a secret: you can have best of breed IPS in an integrated solution, but more on that later. First, however, let’s talk about why best of breed IPS is superior to an IPS that is developed for and merely part of a converged solution.


Why? Because best of breed solutions provide a high fidelity offering, including:
• Protection: The ability to detect all attacks with a high degree of accuracy while also being difficult to evade.
• Performance: Devices are carefully designed to provide maximum capability at maximum performance.
• Flexibility: Devices are focused on doing a few things very well and tend to be very flexible. A great example of this is our Next Generation IPS at Sourcefire. It’s very safe to say it is the most configurable solution of its kind.
• Research: Systems that are backed by continuous content updates (IDS/IPS, antimalware, vulnerability management, etc.) provided by a dedicated research team that is responsible for developing content and performing original research in order to maintain cutting edge capabilities.

When you look at the solution that Sourcefire offers you can see all of these concepts in play. In the latest round of NSS testing it can be seen that Sourcefire’s IPS solution offers the best detection capability, anti-evasion, vulnerability coverage and performance of any IPS. Not only that, but we continue to research new detection methods and expand the capabilities of the underlying Snort engine at every opportunity to maintain our leadership in this industry.

Integrated solutions have a different set of parameters that they work under. The goal of an integrated system that incorporates a function like IPS is generally not to provide the best IPS, but instead to provide a “good enough” capability along with several other core features and deliver a lot of functionality for a lower cost. The reasoning is that if security is made easy for people to acquire and manage “under one roof” we’ll see more adoption of expanded functionality and, therefore, better security.

Logically this makes sense, and experience shows that you can integrate commodity functionality and not sacrifice too much capability. Unfortunately, this model can break down when it is applied haphazardly via poorly coupled technology integration, or if too much is asked of a device.

Generally speaking, the more functionality a device has, the more computing power it requires. When devices inevitably become overloaded and impact network performance, the first thing to go is the quality of protection the solution provides; users rapidly lose focus on the reason that they bought the solution in the first place.

Unified Threat Management (UTM) tools are the worst offenders here. Security all too frequently goes from a model of “protect us from the threats we face” to “protect us from the top 10 threats on the Internet and don’t impact anything.”

Some vendors try to address this problem by building custom hardware and chips in order to field a larger detection set with merely acceptable performance, but all too often this comes at a price of protection quality and flexibility.

All of that said, best-of-breed technology can be part of an integrated solution, and can function well, but it needs to be built with a much different philosophy than described above. Sourcefire’s approach as we built our own next-generation firewall was to concentrate on bringing proven best-of-breed technologies together in a way that was effective and powerful without sacrificing detection quality, performance or flexibility.

This no-compromise approach to attacking the problem is what we believe to be a new model for building security platforms that can run standalone best-of-breed technologies, or as an integrated solution that still provides the best protection available against today’s threats.

Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. With solutions from the network to the endpoint, Sourcefire provides customers with Agile Security that is as dynamic as the real world it protects and the attackers against which it defends.

Wade Williamson

Integrated is best of breed

The debate between an integrated or best-of-breed approach to IPS is a false choice. Today, the best-of-breed approach to IPS is the integrated approach, and both the threat landscape and the security industry itself bear this out.

For more than a decade, the security industry has attempted to solve each new security challenge with a new specialized box. This approach is both operationally impractical and ultimately ineffective. Separate systems create silos of information, lead to device sprawl across every network segment, and generate management and operational overhead.


Just as importantly, as attacks have grown more sophisticated, isolated solutions lack the all-important context needed in order to detect and remediate complex modern attacks.

Modern IT security threats have long since evolved beyond the types of attacks that a stand-alone IPS was designed to solve. Today’s attackers don’t limit themselves to simply running a vulnerability exploit. Instead they use a blend of exploits, malware, remote access tools, infected URLs, and even unknown or customized threats, all of which are further enabled by a variety of applications that can proxy, tunnel and encrypt threats in order to evade and hide from traditional security.

To stop these types of threats we must ensure visibility into the traffic itself, control all of the various threat disciplines and do it all in context. A stand-alone IPS does none of these things, and this is a leading reason why all of the stalwart IPS vendors have either been acquired by larger network security vendors or are rushing to develop their own “next-generation” firewalls.

I’m sure the statements above raised a few hackles, so let me provide a bit of support. First, any modern discussion of cyber-threats should begin with understanding how threats hide from security. An IPS will miss every threat that it can’t see or is looking for in the wrong place, so the battle can be lost before traffic ever reaches the IPS. This is where an integrated solution provides important context and control that a stand-alone IPS lacks.

As an example, consider how applications are regularly used to hide and conceal threats. They can encrypt traffic, hop ports or tunnel within other applications to show up in unexpected places. This is important given that IPS signatures are typically applied based on port (e.g. apply signature X on ports Y through Z). If the threat shows up on a port outside the expected range, then the signature never executes.

Beyond evasive applications, proxies, remote desktop tools, compressed traffic and purpose-built circumventing tools like UltraSurf and Hamachi can all help an attacker avoid detection. By contrast, a next-generation firewall inspects all traffic regardless of port, so port evasion has no effect. Furthermore it progressively decodes protocols and applications so traffic can’t hide within and controls all application types so circumventors aren’t allowed on the network.

The problems for dedicated IPS don’t end with applications. A modern network threat will blend vulnerability exploits, various types of malware and remote websites and servers. All of these components work together as part of the attack, and each piece may be known or unknown to the security industry. Stand-alone IPS only understands one of these components – the known vulnerability exploit – while missing the rest.

In fact, it’s hard to envision a reasonable approach to modern “intrusion prevention” that doesn’t account for the complexities of modern malware, which is often both the infection agent as well as the ongoing mechanism of control. An IPS may detect the odd virus here and there, but not the millions of malware samples that pose a threat to the network. An IPS may detect a few known bad URLs, but lacks the daily update of millions of websites to track sites that have been infected or are distributing threats. In modern threat prevention context is king, and a single-function solution doesn’t have it.

Furthermore, IPS products are limited to known vulnerabilities. While all modern IPS solutions use vulnerability signatures, this is still a signature based on something that is known. Anything truly unknown will be passed on.

Malware command-and-control traffic regularly presents as unknown traffic in a network. Unknown or uncategorized URLs can be the sign of an attack because attackers will quickly set up and tear down URLs to make themselves more difficult to track. IT will need the ability to test unknown files for malicious behavior. These are all things that are beyond what an IPS does, but they are all critical to actually preventing intrusions.

As a result, the debate between stand-alone vs. integrated IPS is relatively settled (at least for the time being). As the bad guys have evolved from single-shot exploits to multi-dimensional, multi-vectored threats, we can only play into their hands if we continue to artificially segment our network security intelligence and enforcement into specialized silos.

Palo Alto Networks is the network security company. Its next-generation firewalls integrate application, content and user-aware firewall technology with IPS, antivirus, cloud-based antimalware and other technologies to stop threats and prevent data leakage in the enterprise.
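The port-binding problem Williamson describes (a signature applied only on ports Y through Z never fires when the same traffic arrives elsewhere) can be shown with a small toy model. This is an added illustration, not code from either vendor; the `Packet`/`Rule` shapes, the `identify_app` heuristics and the traffic samples are all constructed for the example.

```python
# Added example (not from the article): a port-bound rule dispatcher versus a
# port-agnostic one that keys on the identified application. Formats are toy
# inventions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    app: str        # application the rule is written for
    ports: range    # ports on which the port-bound engine applies the rule
    content: bytes  # byte pattern to look for in the payload


def identify_app(pkt: Packet) -> str:
    """Minimal port-agnostic application identification from payload bytes (constructed)."""
    head = pkt.payload[:8]
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if head.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def port_bound_alerts(pkt: Packet, rules) -> list:
    """Classic dispatch: a rule is evaluated only when dst_port lies in its range."""
    return [r.name for r in rules
            if pkt.dst_port in r.ports and r.content in pkt.payload]


def app_bound_alerts(pkt: Packet, rules) -> list:
    """Port-agnostic dispatch: the rule runs whenever its application is identified."""
    app = identify_app(pkt)
    return [r.name for r in rules
            if r.app == app and r.content in pkt.payload]


# Constructed rule: a directory-traversal pattern in an HTTP request path, bound to port 80.
RULES = [Rule("http-traversal", "http", range(80, 81), b"/../../")]

# Constructed traffic: the identical request on the expected port and on port 8080.
ON_EXPECTED_PORT = Packet(80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n")
ON_OTHER_PORT = Packet(8080, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n")

if __name__ == "__main__":
    for pkt in (ON_EXPECTED_PORT, ON_OTHER_PORT):
        print(pkt.dst_port, port_bound_alerts(pkt, RULES), app_bound_alerts(pkt, RULES))
```

On port 8080 the port-bound dispatcher returns no alert while the application-keyed one still fires, which is the gap the integrated-inspection argument is about.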
