Nortel Webinar Sept 20

Features

IPS: Reliability Is Key


The importance of reliability in an IPS – and what can happen when one fails.

Brian Robinson

Reliability is one of the most important features of an IPS, particularly in its role as an inline network device. If an IDS fails, the worst that can happen is that some potentially troublesome data go unnoticed, but if an inline IPS fails, the whole network could screech to a halt.

Even if it doesn’t fail completely, a NIPS will act as a bottleneck on the network, degrading performance through increased latency and decreased data throughput.

It’s important that any NIPS device be able to fail in the open position, or be able to hand its functions off to another device in the network if it fails or its performance drops below a certain level.

As much as on the quality of the device itself, an effective IPS depends on the quality and accuracy of the signatures provided by the vendor. That’s important to the network or security administrator because it helps them to cut down on false positives, which occur when poorly designed signatures prompt a response from the IPS to legitimate traffic.

It’s irritating enough when IDSs are involved and the administrators are faced with a flood of alerts that they then have to laboriously wade through to tell which is actually flagging a real problem. It’s the reason why IDS has gotten such a poor reputation over the years. However, it’s potentially catastrophic with an IPS that can actively block suspect data, since network traffic or server operations could be disrupted without real cause.

The accuracy of signatures is also important in giving administrators the confidence to prioritize which potential exploits they want to block. It’s rare that an IPS is used to block all suspicious traffic, and in fact not all potential exploits are worth blocking. Some will be truly harmful, but others will be relatively benign.

Good IPS management involves tuning the signature set to provide the best protection while reducing the impact of the IPS on network and server performance as much as possible. The standard of the signatures will therefore become even more important as the number of exploits continues to grow, and as network speeds and traffic rates increase.
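
One way to carry out the tuning described above, as an added example that is not from the original article: score each signature by the precision analysts recorded during alert triage, and promote only accurate, high-severity signatures to inline blocking. The signature ids, the 1-5 severity scale and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of triaged alerts: (signature id, severity 1-5, verdict).
# Signature ids, the severity scale and all thresholds are hypothetical.
TRIAGED_ALERTS = (
    [("SIG-1001", 5, "tp")] * 20
    + [("SIG-2002", 4, "tp")] * 8 + [("SIG-2002", 4, "fp")] * 12
    + [("SIG-3003", 1, "tp")] * 20
    + [("SIG-4004", 5, "tp")] * 2
)

def tune(alerts, min_samples=10, min_precision=0.95, min_severity=4):
    """Map each signature to block or alert-only, with the reason."""
    stats = defaultdict(lambda: {"tp": 0, "fp": 0, "sev": 0})
    for sig, sev, verdict in alerts:
        if verdict not in ("tp", "fp"):
            raise ValueError(f"unknown verdict {verdict!r} for {sig}")
        stats[sig][verdict] += 1
        stats[sig]["sev"] = max(stats[sig]["sev"], sev)

    policy = {}
    for sig, s in stats.items():
        total = s["tp"] + s["fp"]
        precision = s["tp"] / total
        if total < min_samples:
            # Too little evidence to risk dropping legitimate traffic.
            action, reason = "alert", "insufficient-data"
        elif precision < min_precision:
            # Blocking on a noisy signature disrupts real traffic.
            action, reason = "alert", "false-positive-prone"
        elif s["sev"] < min_severity:
            # Accurate but relatively benign: not worth blocking inline.
            action, reason = "alert", "low-severity"
        else:
            action, reason = "block", "accurate-and-harmful"
        policy[sig] = {"action": action, "reason": reason,
                       "precision": round(precision, 2)}
    return policy

if __name__ == "__main__":
    for sig, decision in sorted(tune(TRIAGED_ALERTS).items()):
        print(sig, decision)
```

Signatures left in alert-only mode still generate events, so their verdicts keep accumulating and the policy can be recomputed as evidence grows.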
