I was involved in an interesting debate a couple of nights ago about the relative merits, or otherwise, of IPS. It’s a subject I’ve talked about a couple of times before on this blog (for instance here, talking about the ROI of an IPS device, and here, where the decision about whether or not to purchase an IPS device is debated). The general consensus around the table was that IPS is prone to false positives, difficult to monitor, and adds too much latency to network traffic.
The question of latency can certainly be a problem for an organisation reliant on transaction speed – take share trading, for instance. Within my own industry a few false positives and the odd extra millisecond on a transaction will not make a whole lot of difference. However, I’m beginning to lean towards the view that network IPS might have had its day.
David Lacey’s blog today makes the point that “nine out of ten security managers still prefer to monitor rather than block.” That’s a fine strategy if you have the organic resource (i.e. a person) to do the monitoring. In some businesses I’ve visited over the years, the monitoring habit had worn off and IDS logs were only being reviewed at fixed times. That’s hardly the way to get benefit out of the investment. One of the supposed benefits of IPS is its alleged proactiveness in blocking attacks. I’ve heard this called into question in some instances.
So, what is the best way forward? Innovative products such as the Secerno solution mentioned by David seem like a good idea. More generally, as we de-perimeterise, we need solutions closer to where the important assets are and more tailored to protect them. Host-based IPS systems that reliably block attacks are a good approach. Web application firewalls are another.
There is a certain comfort level that’s difficult to shake off in having the network IPS – so, it’ll still be around for a while mitigating a bit of the risk, but I’m becoming less certain about exactly how much.