Are You Ready For The Next Generation IPS?

Last Updated on October 27, 2011

Advanced Persistent Threats are changing the information security paradigm and Next Generation IPS will probably be, together with SIEM, the new weapons in the hands of information security professionals for stopping this new category of threats that are proving to be the real nightmares for CISOs in this troubled 2011.

If you have just learned what a Next Generation Firewall is, you will probably be a little disappointed in knowing that it is not the last frontier of information security (as many security firms claim), instead the growing impact and influence of APTs, which are threats acting on different layers (user, network and applications), different timeframes and different portions of the network, are redesigning the network security paradigm, requiring additional intelligence at the perimeter, and shifting the game to a context-aware model in order to grant the holistic view that is necessary to stop them.

Traditional Firewall and IPS Technologies are rapidly shifting towards the Next Generation Firewall model, which is user aware and application aware. Unfortunately a Next-Gen Firewall is not enough to stop an APT, since, although focused on the application control, a NGF remains essentially user oriented, and consequently lacks the global vision necessary to stop a persistent threats acting on different layers besides user and application. At the same time traditional network security technologies (FW and IPS) are not enough since they are anchored to the old model: a Firewall enforces access control at the protocol level, which is useless for threats carried inside legitimate traffic, instead an IPS enforces a security model based on protocols and vulnerabilities, being completely unaware (and in certain sense blind unless complex integrations are put in place) of the context in terms of user activity, and user interaction with applications, directories, etc.

Now let us suppose to make a brand new information security recipe, taking the main features of a NGF (user awareness and application awareness), the main features of a Firewall (access control) and the main features of an IPS (protocol awareness and vulnerability awareness), blend them in a virtual pot and add a little bit of reputation (for instance obtained from a globally distributed network of sensors) and other features such as geo-location, application heuristics and, last but not least, an application anomaly detection engine (which is completely different from a traditional protocol anomaly engine). You will obtain a new information security dish: the Next Generation IPS, a new class of devices that likely represents the near future of network security.

NG-IPSs are characterized by two main features:

They shift the enforcement of security policies from a content-based to a context-based model (where the context is defined by the interaction of user with applications);
They leverage new technologies such as reputation and geo-location to provide the holistic view necessary to stop APTs.

So what do we have to expect at the perimeter? The traditional Firewall and IPS (or UTMs) will likely be replaced by NG-IPS, while specific “vertical” security devices, such as Web Application Firewall will remain in place in strategic portion of the netowork (just in front of Web Farms) to protect specifically Web (read HTTP and HTTPS) applications. As you may see from the following table a NG-IPS encompasses all the features of the “old” technologies plus new features allowed by a growing adoption of Reputation and Cloud-Based services.

Since WAF will follow a parallel and co-existing walk, meanwhile I reccomend you to read my Q&A on Next-Gen and Web Application Firewall.