Fear unites us. We used to be afraid of network problems, such as bandwidth and broken switches. Now we're afraid of the bad guys. Our networks must be connected to the Internet, yet the Internet is a cesspool of attackers constantly hammering on our defenses, looking for that chink in the armor. It's not just the Internet: We fear our own users, lest their indispensable laptops acquire some vagrant affliction while driving by a Wi-Fi hot spot at Starbucks.
To assuage our fear, we need tools. There are those who want to sell all manner of software for PCs: personal firewalls, security checkers, virtual desktops, and NAC and NAP and TAP and other acronyms not yet invented. Network managers know that these are not the answer: The network must defend itself. Cisco's advertising slogan is not so stupid after all. And what better technology than an intrusion-prevention system (IPS)? Something you plug into the network itself, and it inspects packets and blocks the bad ones.
Every network needs IPS technology. All networks have firewalls, a basic protective technology. But the firewall is a mute guardian, seldom touched and rarely examined. It blocks all but a few connections that have been predefined as acceptable. Firewalls need to be updated with current software, but that happens semiannually at most.
An IPS is just the opposite: It is an active participant in protecting the network. By examining traffic that firewalls pass, the IPS asks a second question: "Is there a reason to drop this packet?" As attackers press through legitimate openings in the firewall, and as internal infections reach out to the Internet to spread further, the IPS represents a line of defense that the firewall does not pretend to offer.
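To make the two-stage decision concrete (the firewall's static allow-list, then the IPS's second question on traffic the firewall already passed), here is an added illustrative model in Python. It is not code from the column or from any vendor product; the packets, the allowed ports and the detection signatures are all constructed for this example.

```python
# Added example: a toy model of the firewall -> IPS pipeline described in the column.
# All packets, ports and signatures below are constructed for illustration only.
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

# Firewall stage: a static allow-list of destination ports
# ("all but a few connections that have been predefined as acceptable").
FIREWALL_ALLOWED_PORTS = {80, 443}

# IPS stage: content checks applied only to packets the firewall has already passed.
# Constructed signatures: one byte pattern and one request-line length limit.
IPS_PATTERNS = {"path-traversal": b"../../"}
MAX_REQUEST_LINE = 256

def firewall_decision(pkt: Packet) -> bool:
    """Stage 1: is this a predefined acceptable connection?"""
    return pkt.dst_port in FIREWALL_ALLOWED_PORTS

def ips_decision(pkt: Packet) -> tuple[bool, str]:
    """Stage 2: is there a reason to drop this (already permitted) packet?"""
    for name, pattern in IPS_PATTERNS.items():
        if pattern in pkt.payload:
            return False, name
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "oversized-request-line"
    return True, "clean"

def process(pkt: Packet) -> tuple[str, str]:
    """Run both stages; returns (verdict, reason) so the reason is auditable."""
    if not firewall_decision(pkt):
        return "dropped", "firewall:port-not-allowed"
    ok, reason = ips_decision(pkt)
    return ("forwarded" if ok else "dropped"), "ips:" + reason

if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("10.0.0.5", 23, b"login: admin"),
        Packet("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n"),
        Packet("10.0.0.5", 80, b"GET /../../secret HTTP/1.1\r\n"),
        Packet("10.0.0.5", 80, b"GET /" + b"A" * 300 + b" HTTP/1.1\r\n"),
    ]
    for p in samples:
        print(p.dst_port, process(p))
```

Note that the third and fourth packets arrive on a port the firewall permits; only the IPS stage has a reason to drop them, which is exactly the gap the column says a firewall "does not pretend" to cover.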
There are some networks for which an IPS offers no benefit. If all your application and network servers are invulnerable to malicious data, and if all the systems inside your network are invulnerable to viruses, worms and Trojan horses, you can live without one. But for the rest of the networks in the world, IPS technology brings some real value.
When considering how to incorporate an IPS into your network, the most important thing is to understand that IPS is a technology, not a product. This means that although you can easily buy a stand-alone box that sits somewhere in your network, that's not the only way - and may not even be the preferable way - to get the benefits of an IPS.
In 2006, we will see IPS technology continue to be married directly to network-infrastructure components, specifically firewalls and switches. Well-known names in security and switching, including Check Point, Cisco, and Juniper, are all offering integrated devices, and the list of start-ups pushing into the integrated-device space gets longer every week. This is a clear trend; for many general-purpose networks, it's the right way to add IPS to an existing network.