Line Between IDSes And Firewalls Gets Finer

Firewalls and IDSes traditionally have been separate functions, but vendors such as NetScreen Technologies and Check Point Software Technologies are beginning to integrate the technologies together.

"There's an artificial line between firewalls and IDSes that was created purely out of the evolution of the technology, not by, 'This is what makes sense,' " said Dan McCall, executive vice president at security services firm Guardent, Waltham, Mass. "So there's absolutely going to be convergence in that space."

NetScreen, a Sunnyvale, Calif.-based maker of ASIC-based firewall and VPN appliances, acquired IDS vendor OneSecure this summer and plans to integrate the technologies, said Chris Roeckl, NetScreen corporate marketing director.

In the first half of 2003, the vendor will ship a firmware upgrade to its appliances that will allow customers to operate a subset of OneSecure's core intrusion-prevention technology, he said. In 12 to 18 months, it plans to release a new hardware platform that fully integrates the companies' technologies. NetScreen envisions taking a layered approach for the new security gateway product that combines general CPUs, ASICs and network processors, Roeckl said.

Check Point, Redwood City, Calif., earlier this year unveiled SmartDefense, a technology integrated in its FireWall-1 software that detects and stops attacks, said Greg Smith, director of product marketing.

"It's one of the most significant advancements we've made in FireWall-1 in two years," he said.

SmartDefense detects attacks by looking for irregular behavior in network traffic and also looks for signatures of known attacks. Check Point provides signature updates to customers via an online subscription service.

Smith said that SmartDefense complements third-party IDS products, which can detect attacks that don't come through the Internet gateway. Check Point plans to expand the capabilities of SmartDefense: "We see this as a strategic area of development," he said.

Integrating IDS functions into the firewall will make IDS technology more effective and boost security, Guardent's McCall said. IDSes today are essentially alarms; integrating them into the firewall will allow them to better respond to the alarm, he said.

"The firewall stops packets or lets packets in, so that's really where I think the integration will happen. The IDSes could get smart enough that they wouldn't turn off every other connection because they thought there was a hacking attempt, but were actually able to make decisions on-the-fly.

That's really why you want them in the same device," he said.

But Mark Mellis, a consultant at SystemExperts, a security consulting firm in Sudbury, Mass., isn't sold on the idea of integrating IDS and firewall functions.

"Extending the functionality of the firewall is a good thing, making it more effective at blocking bad traffic. But you don't want to have all your eggs in one basket," he said. "Security is best done in layers."

Having separate IDS and firewall devices from different vendors provides better protection because if one device doesn't catch an attack, the other can, said Jason Reed, also a consultant at SystemExperts.

Gary Fish, president and CEO of FishNet Security, Kansas City, Mo., said some level of IDS at the firewall might be good but added that he prefers a best-of-breed approach to security over integrated product suites. A suite may cost less but sacrifices functionality, he said.

"It may make sense to firewall vendors to do IDS at the firewall; however, I am not sure it will ever replace conventional network and host-based IDS," he said.