Gartner analysts Greg Young and John Pescatore examine where intrusion prevention systems are heading.
The network intrusion prevention system (IPS) market subsumed the intrusion detection system (IDS) market several years ago. IPS contains all the detection features of IDS, with two critical areas of improvement:
- Intrusion prevention moves beyond simple attack signature detection to add vulnerability-based signatures and non-signature detection capabilities.
- Network IPS sensors operate at wire speeds to enable in-line automated blocking and attack handling. Network IPS adds "block attacks and let everything else through" security enforcement to the "deny everything except that which is explicitly allowed" policy enforcement that first-generation firewalls provide.
The primary driver for network IPS remains protecting the enterprise from network-based attacks that target system and software vulnerabilities. The primary placement point is at the internet edge, with secondary placements in branch offices, the datacentre and, less often, the internal network.
IPS is used as a "prepatch shield" to provide positive protection from attacks seeking to exploit known vulnerabilities until patches have been deployed and verified. Most vendors issue vulnerability-facing IPS signatures within 24 hours of patch release, which is invariably faster than an enterprise's ability to patch systems in a measured manner. The reality is that not all vulnerable systems are patched, or new vulnerable systems join the network, and attackers continue to try to exploit vulnerabilities for which patches have long been available.
For this reason, IPS signatures never really go away, and the ability of IPS products to maintain data throughput with large signature lists is critical.
The nature of the most damaging attacks on businesses continues to evolve. Financially motivated attacks do not simply go after unpatched PCs and servers; they are increasingly using targeted malware that does not seek to exploit vulnerable software. These targeted attacks (such as botnet-based attacks) use social engineering techniques to trick users into installing malicious software, and then exploit systems from within the perimeter.
Dealing with this changing threat requires more than simple, signature-based detection. IPS vendors have not made major advances in detecting and blocking these advanced attacks, sometimes called "arbitrary malware". The challenge in combating arbitrary malware is in better handling the "grey list", or suspicious traffic that is neither known good (white list) nor known bad (black list).
There have been some increases in "zero-day" attacks, which take advantage of computer security holes with, as yet, no solutions. Approaches to deal with zero-day vulnerabilities are less controversial lately, but their value must be kept in perspective because they are considered in few product selections.
IPS market size growth continues
|More guides to network security|
The market for separate network IPS and firewall devices grew at 11.7% in 2008, although the rate of growth is flattening to half that seen 2007. The absence of innovation by firewall suppliers in producing next-generation firewalls (NGFWs) that include full IPS capabilities has produced upward pressure on the growth rate, while the increased market penetration of IPS is a larger downward pressure on the growth rate.
The macroeconomic condition had some impact on IPS sales, because many enterprises postponed refresh decisions. But Gartner believes that more of the growth slowdown is due to lack of innovation by IPS suppliers in addressing new high-visibility threats.
Gartner observed an increase in US government purchases in the last quarter of 2008, tied to spending on the Comprehensive National Cybersecurity Initiative deployment of intrusion detection at federal agency internet connections.
The past 12 months have seen many suppliers announce 10Gbps IPS products. Sales of these products remain niche. These 10+Gbps models more often act instead as "growth insurance" for customers purchasing lower-throughput models. That is, they want assurance that should their needs change, there are higher-end models they can step into.
Signature quality remains a primary selection factor
When enterprises compare products, signature quality remains the most weighted and competitive factor on shortlists. Most suppliers employ some form of external vulnerability research as an input to signature creation. Gartner sees a widening gap in signature quality among suppliers. The staff and investments that leading IPS suppliers have assigned to signature research are generally greater than the competition. There are no shortcuts to signature quality, and we believe vulnerability and malware research will continue to shape the market into tiers.
Customers seeking best-of-breed protection will shortlist based on high protection quality, which includes signature quality, as well as capabilities for detecting and stopping new threats. Enterprises seeking "good enough" protection as a result of, for example, not having resources or the security profile to be able to enable new signatures quickly, will seek out the second tier of signature-quality products.
Investment in purpose-built hardware will continue to buoy up performance under the immutable inspection pressure of new signatures being added to address new vulnerabilities, and older signatures staying in place to guard against older, yet still potent, attacks. Some suppliers have already "blinked" in the face of this competitive pressure and are vague about inspection throughput. Enterprises are advised to avoid any supplier that does not provide third-party demonstration of appliance throughput rates with inspection enabled.
The creation of custom signatures by users is slightly increasing, although it is in place in less than 20% of deployments, mostly for custom applications or unusual protocols. Most of these enterprises seek assistance from their IPS suppliers in creating or troubleshooting these signatures. Increasingly, selections will include correlation of alerts, including those from other safeguards, within the IPS itself. The use of source "reputation" inputs as part of the IPS blocking decision process will play an increasing role. As part of this enterprise requirement to reduce the grey list, IPS events can be valuable in building confidence in the risk of other events, or vice versa.
Most suppliers include in their base pricing bypass unit modules enabling fail-open for copper ports, with bypass units for optical ports at an additional charge. Recently, a higher number of IPS selections by Gartner customers have been from enterprises where there is neither an incumbent IPS nor IDS. These enterprises face the hurdle that deploying IPS is a new task for personnel, unlike migrations from IDS where a task is replaced. Infrastructure buying metrics such as port density, cost/port and physical appliance size are not generally seen as IPS selection criteria in enterprises. Rather, ease of deploying in-line and ease of administration are key selection criteria.
Rate-limiting capabilities are in most IPS products. Some also have quality of service (QoS) that goes beyond respecting the external QoS tags and can prioritise bandwidth based on security criteria or protocol type. IPS operating as a post-connect network access control (NAC) enforcement point remains niche, mostly because most NAC implementations have yet to enable enforcement. Data loss prevention (DLP) in IPS also will continue to be niche, as DLP is not a good fit for in-line IPS blocking. Only DLP suppliers that also have IPS products are likely to have some correlative or other interaction. Most DLP in IPS today is limited to searching on credit card and Social Security numbers, bringing a high false-positive rate absent of the context present in true DLP products.
This is an excerpt from "The Gartner Magic Quadrant for Network Intrusion Prevention" by Greg Young, research vice-president, Gartner Research, and John Pescatore, vice-president and research fellow, Gartner Research. To find out more, visit the Gartner website.
This was first published in April 2010