Stand-alone IPS Still Viable Despite FireEye, Palo Alto Networks Gear

Large enterprises and other businesses that employ strong security teams to protect critical systems continue to rely on stand-alone intrusion-prevention systems in the face of growing adoption of next-generation firewalls and so-called breach-detection platforms.

The traditional network security appliances are decades old and are built and sold by many of the large infrastructure vendors -- Cisco Systems, IBM, Hewlett-Packard and others -- and they have rebounded with sales into utilities, manufacturing and retail organizations, according to a new NSS Labs Market Intelligence report. Stand-alone IPS deals are still shrinking in the midmarket, where companies struggle to attract and retain the security personnel necessary to monitor and maintain them, said Rob Ayoub, a research director at Austin, Texas-based NSS Labs. Midmarket firms often turn to next-generation firewalls (NGFW) that combine IPS capabilities with firewalling and application control.

"We are certainly moving closer and closer to more of a NGFW-for-all environment, but there are traditional-use cases where a NGFW can't perform as well," Ayoub said in an interview with CRN.

The IPS market is expected to grow at an overall rate of 4.9 percent through 2018, reaching a total addressable market size of $1.7 billion, according to a new NSS Labs Market Intelligence report issued last month. Cisco Systems leads the IPS market at 39.5 percent of the global market for the technology, followed by Intel Security (formerly McAfee), which holds 25.5 percent, according to NSS Labs market analysis.

Cisco's $2.7 billion acquisition of Sourcefire and McAfee's $389 million Stonesoft deal solidified their strong market positions, Ayoub said. Meanwhile, IBM holds a 16.9 percent share of the IPS market and HP captures 14.7 percent, and both companies saw a rebound in IPS sales in 2013, according to the report.

IPS technology makes up 10 percent of the infrastructure security market, Ayoub said. IPS rebounded with adoption from organizations trying to protect a dedicated operating system, such as Windows XP, which is no longer supported by Microsoft. It's easier to write custom signatures using a traditional IPS, Ayoub said. Manufacturers of IPS systems also are touting signatureless detection methods and contextual awareness over network traffic.

IBM and HP are positioning their IPS appliances as security operations center products, focusing more on their ability to support forensics and incident response capabilities, Ayoub said. Stand-alone IPS remains a central component at companies that have security operations centers and a staff of threat analysts who are looking for intrusions and tracing attacks moving throughout the network, Ayoub said.

"IPS is still really having a foothold in large enterprises that really do care about end-to-end detection and incident response," Ayoub said. "Those companies still gravitate toward IPS devices as the primary driver of workflow for those processes."

In addition to supporting digital forensics and network monitoring, traditional IPS appliances also provide manageability tools that give networking pros a treasure trove of data about network intrusions, Ayoub said. Traditional IPS also has more maturity and tighter integration with security information and event management (SIEM) systems that help correlate data and detect potential threats that need investigating.

The NSS Labs IPS market intelligence report eliminated vendors that sell IPS capabilities as part of a next-generation firewall platform. The company tested the IPS capabilities of 10 network security appliances last year. Stonesoft, McAfee, Dell SonicWall and Check Point earned NSS Labs' "recommended" rating in the test results issued by NSS Labs in January.

Check Point, Fortinet and Palo Alto Networks continue to chip away at the stand-alone IPS market, Ayoub said. The emergence of breach-detection technologies, driven by FireEye, also is capturing precious IT budgeting dollars, impacting IPS sales, he said.

High-profile data breaches at retailers, and increasing attacks targeting banks and investment firms, are driving interest in stand-alone IPS and other security technologies, said J.D. Butt, vice president of solutions at Chicago-based solution provider Nexum. Larger organizations deploy multiple technologies and competing products because it is seen as an extra layer of protection, Butt said.

"We are only seeing growth in stand-alone IPS because it has been stagnant for so long," Butt said. "Having multiple manufacturers is not a bad thing when it comes to intrusion detection and identifying malware."

Solution providers said they still have large clients that desire the stand-alone IPS and have the budgeting to include a layer of next-generation firewalls. Networking gear from Check Point, Fortinet and Palo Alto Networks continues to make gains in the upper midmarket, they said.

Organizations that are more proactive about security are doing both stand-alone IPS and next-generation firewalls, said Brad Taylor, CEO of Irvine, Calif.-based Proficio. Taylor said HP TippingPoint appliances are still popular with clients managing HP ArcSight SIEM systems.

"The next-generation firewalls add the application level and threat prevention in one place, but if you've got a mature enough organization you may want the additional control and data that comes with a stand-alone IPS," Taylor said.

Cisco Systems is a market leader followed by Check Point, Fortinet and Juniper, according to IPS market analysis conducted by IDC. The Framingham, Mass.-based research firm has Palo Alto Networks surpassing Blue Coat in 2013 for fifth place in the global IPS market.