As our networks evolve and perimeter protection becomes just one of many necessary layers of security, organizations are turning to next generation intrusion prevention systems (NGIPS) to lock down networks from the edge to the core.
The next generation firewall (NGFW) revolutionized network security by incorporating a variety of critical functions into a single, easy-to-manage appliance. For vendors who found the secret sauce of high-performance hardware, optimized software, and powerful threat intelligence mechanisms, NGFWs were a real leap forward for their customers. In fact, they still are - they remain the first line of defense for networks of all sizes, and we’re now seeing a move to roll out Internal Network Firewalls (INFWs). These are essentially NGFWs optimized for the demands of east-west network traffic that can be used to provide targeted protections for high-value resources and new top-of-rack security applications.
So isn’t that enough? At one point it was, and for some organizations it still is. But here’s the problem: network perimeters are now very poorly defined, with high degrees of mobility, BYOD, BYOA, and more, making it far more difficult to catch every vulnerability with a firewall, no matter how “next-generation” it might be. We often talk about layered approaches to security, and for good reason. Attacks are persistent, varied, and aggressive, and can exploit vulnerabilities in servers, client software, cloud applications, and anything in between. They come from outside the network, from within the network, and, most importantly, often move laterally behind the firewall once they’re in, meaning that it’s time to introduce a new layer of protection.
Enter Next Generation Intrusion Prevention Systems (NGIPS). NSS Labs recently tested several top NGIPS appliances, noting that “...a new generation of intrusion prevention is required to meet the challenges of an organization without a clearly defined perimeter…[They] must provide organizations the ability to identify both the applications and the users on their internal networks...Designed to identify and block attacks against internal computing assets, a good NGIPS can provide temporary protection and relief from the immediate need to patch affected systems.”
NGIPS are designed to run as a “bump in the wire”, detecting threats inline in a network while maintaining exceptional performance. NSS Labs just released the results of their NGIPS tests and their findings in terms of performance, security, and the total costs to an organization to implement this additional protection were striking:
The key to effective deployment of a next-generation IPS is being able to layer on highly effective protection with performance that makes it transparent to end users. It’s easy to introduce too much latency and bog down the network with the kinds of inspection that an IPS needs to do, just as it is when you start turning on too many inspection features in many NGFWs. Check out the results from NSS Labs to see how Fortinet NGIPS is staying ahead of both the performance and threat curves, all while delivering the highest value intrusion prevention solutions.