Are stand-alone IPSs dead?

By Joel Snyder
Network World, October 1, 2007

I just finished a hellishly large test for Network World of enterprise-class UTM firewalls. You’ll be able to read the full results in print and online Nov. 5. One of the tough questions I had to wrestle with is the definition of UTM when it comes to these gigabit behemoths.

In the SMB environment, UTM is pretty easy: firewall, antivirus, maybe IPS and antispam, content filtering, a handful of VPN tunnels. But at the enterprise level, it’s nowhere near as clear. I talked to a lot of my consulting clients, and while some were interested in some UTM features — IPS mostly — there was a lot of hesitation about piling anything new on top of existing firewalls.

Some of that fear is well-founded. For example, in the area of antivirus, most firewalls (SonicWall’s PRO is an exception) scan only a handful of protocols on predefined ports. You’re not scanning nonstandard protocols; you’re not scanning nonstandard ports; you’re not scanning encrypted traffic. Sure, there’s some value there, but is the value great enough to make it worth the cost and performance hit?

My conclusion is that the most likely scenario for additional protection in the enterprise firewall is going to be IPS, a natural and complementary technology. By coincidence, last week Gartner released its most recent “Magic Quadrant” on enterprise firewalls with a similar conclusion. Of course, Gartner had to create a new term for it, specifically tossing UTM to the SMB and branch-office market and calling these enterprise-sized devices Next-Generation Firewalls. But the conclusion is the same: At the high end, the norm for UTM will be IPS and not much else.

What does this mean for enterprise managers? One conclusion comes from watching this trajectory. If firewall vendors keep improving their high-end systems, we’ll finally get some enterprise-class IPS features without having to add extra boxes to the network. The IPS folks have long wanted to sell their product as a separate device, just as the IPSec site-to-site VPN vendors did. That cheese has been sliced, passed out and digested. The market for stand-alone IPS isn’t going to disappear overnight, but a lot of those deployments are going to get merged into firewalls.

This merging of high-end IPS into high-end firewalls — a trend we definitely saw in our testing — means that as you refresh your big firewalls, adding IPS features there, rather than in a stand-alone system, should be part of the evaluation process. IPS in other parts of the network may be combined with firewalls or may sit as stand-alone devices, but when an IPS is right next to a firewall, combining the two devices is the wave of the future.