Intrusion Detection FAQ: What Are The Top Selling IDS/IPS and What Differentiates Them from Each Other?

Algis Kibirkstis
November 2009

Selecting an Intrusion Prevention System (IPS) can be a daunting task. While an independent assessment of available solutions is strongly recommended as a best practice before procurement and deployment, a good place to start a research effort is to look at the market leaders and to compare their offerings.

According to Infonetics Research, Cisco ranked highest among six top-selling IPS solution providers -- the other five suppliers being McAfee, Juniper, IBM, Sourcefire and TippingPoint -- based on assessments performed by large organizations on eight selection criteria, ranging from value and pricing to technology and the product's roadmap for the future. These same six providers also rank highest in terms of their effectiveness in the latest Gartner report, although Cisco and IBM are considered to be challengers in a market led by the other four vendors.

As IPS systems have evolved over time and grown in maturity, several traits have come to be shared by the various offerings, the primary one being the successful migration from passive IDS monitoring systems to active in-line/in-band IPS choke points. The "pre-patch shield" provided by modern IPS systems is a feature made possible by the sensor's perimeter location: the vendor's frequent signature database updates give clients network-level protection while they work out a patching and hardening strategy for their internal production nodes. Other improvements generally found in today's IPS systems include attack recognition beyond simple signature matching, dropping of malicious sessions as opposed to simply resetting connections, and the deployment of dedicated hardware that can operate at "wire speed".

Cisco has several IPS solution offerings, which can be implemented via its IPS Sensor Software as well as through hardware (with physical add-on modules). A component of the Cisco Self-Defending Network, the Cisco IPS 4200 Series Sensors provide protection against worms, Trojans and exploits targeting application and operating system vulnerabilities. The IPS 4200 series filters for over 300 signatures and has 30 detection engines, providing protection against over 30,000 known threats. On top of standard signature-based matching capabilities, a globally managed "reputation analysis" feature can push updates to client systems in a matter of minutes. Adopting a Cisco solution would certainly be attractive to those organizations that exclusively deploy and maintain Cisco network equipment, since Cisco IPS solutions can be integrated with and managed from existing Cisco network management systems.

IBM, through its acquisition of IDS pioneer Internet Security Systems, inherited a robust inspection engine and deploys its Proventia IPS solution in a variety of deliverables, including dedicated hardware. At the core is a "security convergence" strategy that is engineered to provide protection against the wide range of threats that exist today, from web-based attacks to insider threats to standard malware, through a single consolidated solution. A key feature is the IBM Protocol Analysis Module (PAM), which supports deep packet inspection. The solution scales through its modular product architecture: additional protection modules can be introduced as new threats emerge. IBM's X-Force research and development team provides 24/7 monitoring of ongoing threat levels in order to provide customers with prompt updates to their IPS solutions.

Juniper Networks also maintains a portfolio of IPS solutions, ranging from standalone systems to integrated all-in-one security solutions. The Juniper IPS is implemented as an application that can run co-located with other perimeter functions such as firewalls and rate limiters. Strengths of this solution include a highly granular Role-Based Access Control implementation for administration, a communications protocol validation capability that checks traffic against the published RFCs, and selective contextual screening of network traffic. Juniper's evolution from NetScreen acquirer to developer of its next-generation JUNOS platform has helped it maintain its share of the IDS/IPS market.

McAfee's acquisition of IntruShield made it a player in the IPS marketplace with the rebranded McAfee Network Security Platform (NSP), also offered in various packages from all-in-one to dedicated solutions. NSP is the only IPS appliance that holds the NSS Group's Multi-Gigabit IPS certification, and it supports integration with McAfee Vulnerability Manager and with ePolicy Orchestrator, a management platform that pushes policy down to managed nodes and systems. Centralized management of IPS nodes and policies is implemented through the McAfee Network Security Manager, a separate appliance that provides a scalable and intuitive management system supporting up to 1000 sensors.

Sourcefire is perhaps best known as the commercial arm of the Snort IDS project. The product's intrusion detection and protection engine is well-known in the security community due to its maturity and its open-source accessibility to students, although the learning curve associated with this type of offering is considered to be high. The Sourcefire RNA feature recommends which rules to implement based on the type of network being protected. The Sourcefire Vulnerability Research Team (VRT) is complemented by the open source community to provide and maintain updates to the configurations of their product line, which includes hardware and software solutions built on the Snort core. Snort is a highly configurable and expandable IDS/IPS solution, with its rule set built from a library of 14,000 rules that can be readily adapted and expanded by individual security administrators.
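The two distinctions this FAQ draws, a passive IDS sensor versus an in-line IPS choke point, and a rule set that administrators can adapt themselves, are easiest to see with a small working model. The following Python is an added example written for this page; it is not Snort, Sourcefire code, or any vendor's product. It parses a Snort-style subset (action, protocol, destination port, and the msg/content/sid options with |hex| escapes in content), then applies the same rules to constructed packets twice: once as a passive sensor that sees a copy of traffic after the switch has already forwarded it, and once as an in-line sensor that holds each packet until a verdict is reached. The rules and packets are constructed samples, and the "alert/drop/reject" semantics are the Snort inline actions as modelled here, not a claim about any particular vendor's implementation.

```python
"""Added example: a toy Snort-style rule matcher contrasting passive IDS
and in-line IPS handling of the same rules.  Illustrative code only,
not Snort; supports a small subset of the Snort rule language."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """One packet, reduced to the fields the toy rules can test."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str    # alert (log only), drop (discard), reject (discard + TCP RST)
    proto: str
    dport: str     # "any" or a port number as text
    content: bytes
    msg: str
    sid: int


HEADER = re.compile(
    r"^(alert|drop|reject)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*)\s*;')


def parse_content(text: str) -> bytes:
    """Expand Snort content syntax: literal text with |xx xx| hex escapes."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def parse_rule(line: str) -> Rule:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, proto, dport, opts = m.groups()
    kv = {k: v.strip('"') for k, v in OPTION.findall(opts)}
    if "content" not in kv or "sid" not in kv:
        raise ValueError("rule needs content and sid options")
    return Rule(action, proto.lower(), dport, parse_content(kv["content"]),
                kv.get("msg", ""), int(kv["sid"]))


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto.lower()
            and (rule.dport == "any" or int(rule.dport) == pkt.dport)
            and rule.content in pkt.payload)


def inspect(rules, pkt: Packet, inline: bool):
    """Return (verdict, sids_that_fired).

    inline=False models a passive sensor on a SPAN port or tap: the packet
    has already been delivered when the sensor sees it, so the only outcome
    is an alert (any RST it sends races the real traffic).  inline=True
    models an in-band choke point: drop/reject rules prevent delivery.
    """
    fired = [r for r in rules if matches(r, pkt)]
    sids = [r.sid for r in fired]
    if not inline:
        return "forwarded (alert only)", sids
    for r in fired:
        if r.action == "reject":
            return "dropped, RST sent", sids
        if r.action == "drop":
            return "dropped", sids
    return "forwarded", sids


# Constructed local rules (sid values >= 1000000 are the local-rule range).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE sensitive file path in HTTP request"; content:"/etc/passwd"; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE NUL byte in FTP USER"; content:"USER |00|"; sid:1000002; rev:1;)',
    'reject tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE SMTP test marker"; content:"|de ad be ef|"; sid:1000003; rev:1;)',
]]

# Constructed packets (documentation addresses, not real captures).
HTTP = Packet("tcp", "203.0.113.5", 40000, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n")
FTP = Packet("tcp", "203.0.113.5", 40001, "192.0.2.11", 21, b"USER \x00root\r\n")
SMTP = Packet("tcp", "203.0.113.5", 40002, "192.0.2.12", 25, b"EHLO \xde\xad\xbe\xef\r\n")
CLEAN = Packet("tcp", "203.0.113.5", 40003, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n")

if __name__ == "__main__":
    for pkt in (HTTP, FTP, SMTP, CLEAN):
        for inline in (False, True):
            mode = "IPS (in-line)" if inline else "IDS (passive)"
            print(f"{mode} dport={pkt.dport}: {inspect(RULES, pkt, inline)}")
```

Running the block shows the point the text makes: the same `drop` rule yields only an alert when the sensor is passive, because the packet is already gone by the time the match fires, but blocks delivery when the sensor sits in-line. The `reject` verdict is the "reset the connection" behaviour the FAQ contrasts with a silent drop.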

TippingPoint, acquired by 3Com in 2005, is a major player in the IPS market and enjoys a significant market share. Also offered in a variety of flavours, it is able to provide zero-day protection capabilities thanks to its relationship with an army of independent researchers. Built upon the Threat Suppression Engine (TSE) with custom ASICs at its core, the TippingPoint IPS provides a high-performance solution that can efficiently scan packets at Layers 2-7 of the OSI model. The research team pushes out standard updates twice a week, with emergency updates on top of those; the Digital Vaccine service delivers filters designed to block the multiple attack types that can be associated with new exploits. The product line's default settings provide a ready-to-use policy set that greatly facilitates initial commissioning.

Resources:

NIST Special Publication 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS) http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

Cisco, McAfee, Juniper top IPS vendors http://www.ciol.com/Technology/Security/News-Reports/Cisco,-McAfee,-Juniper-top-IPS-vendors/16909125093/0/

Cisco, McAfee, and Juniper top intrusion prevention vendor ratings by enterprise IPS users http://www.infonetics.com/pr/2009/User-Plans-Intrusion-Prevention-Systems-Study-Highlights.asp

Magic Quadrant for Network Intrusion Prevention System Appliances http://www.sourcefire.com/products/sfsem/gartnerMQ?semg=USGTR1

Cisco Intrusion Prevention System http://www.cisco.com/en/US/products/sw/secursw/ps2113/index.html

Cisco IPS 4200 Series Sensors http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html

IBM - Proventia Network Intrusion Protection Systems (IPS) http://www-935.ibm.com/services/us/index.wss/offerfamily/iss/a1030570

IBM Proventia Network Intrusion Protection System ftp://ftp.software.ibm.com/common/ssi/pm/sp/n/sed03056usen/SED03056USEN.PDF

Juniper Networks: Intrusion Prevention System (IPS) http://www.juniper.net/us/en/products-services/software/ise-applications/ips/

McAfee Network Security Platform http://www.mcafee.com/us/enterprise/products/network_security/network_security_platform.html

Snort

Sourcefire Intrusion Prevention Systems (IPS)

Sourcefire Vulnerability Research Team (VRT)

TippingPoint Intrusion Prevention Systems