Intrusion Prevention: A Lock To Dominate The New Year

While 2004 was the year of the integrated perimeter security device, experts said the coming year will focus on devices and software solutions that hinge upon some kind of prevention of threats such as viruses, worms, spyware and adware, the programs that spark crippling distributed denial of service (DDoS) attacks.

"Prevention has the potential to become the real breadwinner," said Darrel Bowman, CEO of AppTech, a solution provider in Tacoma, Wash. "What good is securing a network if you can't prevent threats from getting in?"

Vendors are already stepping up efforts to incorporate intrusion-prevention systems (IPS). Late last month, Aladdin Knowledge Systems brought IPS capabilities into its Aladdin eSafe content security solution. In early December, following 3Com's headline-grabbing acquisition of IPS vendor TippingPoint Technologies, competitor Top Layer upgraded software for its flagship Attack Mitigator IPS 5500 line of products to improve its prevention capabilities.

These moves have not gone unnoticed. Industry research firm In-Stat/MDR in a recent report predicted that the IPS market is poised to reach $1.4 billion by 2008, up from $541 million in 2003. Another study, this one from Gartner, indicated that the majority of leading firewall vendors will incorporate IPS into their appliances as a standard feature by 2006.

"We are likely to see IPS as one of the few standout growth segments in security," said Robert Breza, director of the security and infrastructure software division at research firm RBC Capital Markets. "[The technology] provides quality inspection with firewall speeds and firewall prevention capability."

This one-two punch of inspection and prevention is exactly what has solution providers so jazzed. Babak Pasdar, founder and CTO of IGXGlobal, Hackensack, N.J., said that many of his financial industry clients are in need of appliances that perform both network firewall and application firewall functions. In response, Pasdar has been recommending Juniper Networks' NetScreen-ISG 2000 security gateway.

Bill Thomas, president of GTC Solutions, Kansas City, Mo., has met similar customer needs with gateway appliances from fledgling IPS vendor Caymas Systems, Petaluma, Calif., which use identity to restrict and monitor access. In addition to selling IPS to secure the network perimeter, Thomas said he has sold some customers on IPS solutions to protect their internal networks from attacks as well, securing the intranet from threats introduced by rogue endpoints and remote-access users.

"The trend is now to apply the same kind of vigilance to threats from internal users as they do to external attacks," Thomas said. "With products like this, we can provide value beyond what customers expect and arm them with tools that allow them to meet the growing security challenges of today's business environment," he said.

Other vendors such as Arbor Networks, Lexington, Mass., focus exclusively on this internal environment, building IPS solutions around what they call network behavior anomaly detection. Product Manager Tom Ptacek said the keys to internal IPS are "stopping attacks pre-emptively," and learning normal network activity to facilitate the detection of attacks.

Still, many solution providers insisted that while IPS on both sides of the LAN is important, IPS in general works best as part of a broader solution. Bernie Mikula, CEO of Go2 Communications in Woburn, Mass., said he prefers to sell customers on a "unified threat management" solution that incorporates IPS, firewall, antivirus and more.

Ray Pompon, network security consultant at Conjungi Networks, Seattle, agreed, noting that IPS works best when it takes the lead role in a larger, more comprehensive effort.

"IPS technology is useful, but it works best when it is part of a well-balanced security meal," said Pompon. "Down the road, years from now, this will be just another thing organizations will expect to use."