IPS - to buy or not to buy

There’s been some debate about whether or not to purchase an IPS device to put in front of a new online service. Some of you might be reading this and thinking “why wouldn’t you?” Well, granted, if it was a military system or an online banking service then I suppose it would be a no-brainer. Here in the security-suburbs, the answers are not so clear cut. Actually, neither are the questions.


It’s not so much a question of “is an IPS required?” but rather “does the loss impact potential warrant spending the money?” We need to decide the point at which it becomes a necessity as opposed to an expensive but “nice to have” option. Here are some questions I’ll be asking:

  • Is the service strategically important to the business?
  • Are there high revenue expectations?
  • What are the regulatory requirements?

We should also review the benefits of an IPS device. Fundamentally, it detects the presence of unwanted network traffic in three main categories:

1. Signatures

2. Traffic rates

3. Anomaly detection

There is also the promise of the holy grail of network defence: zero-day attack protection. I don’t really believe that any IPS truly has this capability; if it were true then there would be no need for signature and rule updates.

There are some downsides to IPS. They generate a high number of alerts and tuning the device requires skill. Resource is required to review logs and react to alerts. The devices are also expensive to buy.

What other defences are already in place? In this particular instance the network architecture includes redundancy, well-configured devices, and a well-designed architecture. IPS would be an additional layer of defence on a well-defended network. So, it comes down to how comfortable the business feels about not having the control. There may be other factors to take into account such as future strategic plans or issues of credibility specific to the business that might not usually figure in the risk analysis. Clearly, this is much more complex an issue than it might first appear to be.

The answer must come from the business once armed with the right information.