I’ll also tell you a secret: you can have best of breed IPS in an integrated solution, but more on that later. First, however, let’s talk about why best of breed IPS is superior to an IPS that is developed for and merely part of a converged solution.
Why? Because best of breed solutions provide a high fidelity offering, including:
• Protection: The ability to detect all attacks with a high degree of accuracy while also being difficult to evade.
• Performance: Devices are carefully designed to provide maximum capability at maximum performance.
• Flexibility: Devices are focused on doing a few things very well and tend to be very flexible. A great example of this is our Next Generation IPS at Sourcefire. It’s very safe to say it is the most configurable solution of its kind.
• Research: Systems that are backed by continuous content updates (IDS/IPS, antimalware, vulnerability management, etc.) provided by a dedicated research team that is responsible for developing content and performing original research in order to maintain cutting edge capabilities.
When you look at the solution that Sourcefire offers you can see all of these concepts in play. In the latest round of NSS testing it can be seen that Sourcefire’s IPS solution offers the best detection capability, anti-evasion, vulnerability coverage and performance of any IPS. Not only that, but we continue to research new detection methods and expand the capabilities of the underlying Snort engine at every opportunity to maintain our leadership in this industry.
Integrated solutions have a different set of parameters that they work under. The goal of an integrated system that incorporates a function like IPS is generally not to provide the best IPS, but instead to provide a “good enough” capability along with several other core features and deliver a lot of functionality for a lower cost. The reasoning is that if security is made easy for people to acquire and manage “under one roof” we’ll see more adoption of expanded functionality and, therefore, better security.
Logically this makes sense, and experience shows that you can integrate commodity functionality and not sacrifice too much capability. Unfortunately, this model can break down when it is applied haphazardly via poorly coupled technology integration, or if too much is asked of a device.
Generally speaking, the more functionality a device has, the more computing power it requires. When devices inevitably become overloaded and impact network performance, the first thing to go is the quality of protection the solution provides; users rapidly lose focus on the reason that they bought the solution in the first place.
Unified Threat Management (UTM) tools are the worst offenders here. Security all too frequently goes from a model of “protect us from the threats we face” to “protect us from the top 10 threats on the Internet and don’t impact anything.”
Some vendors try to address this problem by building custom hardware and chips in order to field a larger detection set with merely acceptable performance, but all too often this comes at a price of protection quality and flexibility.
All of that said, best-of-breed technology can be part of an integrated solution, and can function well, but it needs to be built with a much different philosophy than described above. Sourcefire’s approach as we built our own next-generation firewall was to concentrate on bringing proven best-of-breed technologies together in a way that was effective and powerful without sacrificing detection quality, performance or flexibility.
This no-compromise approach to attacking the problem is what we believe to be a new model for building security platforms that can run standalone best-of-breed technologies, or as an integrated solution that still provides the best protection available against today’s threats.
Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. With solutions from the network to the endpoint, Sourcefire provides customers with Agile Security that is as dynamic as the real world it protects and the attackers against which it defends.